Upgrade to Istio v1.3.0

charts/rancher-istio/0.0.2/Chart.yaml

 apiVersion: v1
 name: rancher-istio
 version: 0.0.2
-appVersion: 1.2.5
+appVersion: 1.3.0
 tillerVersion: ">=2.7.2-0"
 description: Helm chart for all istio components
 home: https://istio.io/

charts/rancher-istio/0.0.2/README.md

@@ -8,7 +8,7 @@ The documentation here is for developers only, please follow the installation in
 
 ## Introduction
 
-This chart bootstraps all Istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+This chart bootstraps all Istio [components](https://istio.io/docs/concepts/what-is-istio/) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
 
 ## Chart Details
 
@@ -136,5 +136,5 @@ To uninstall/delete the `istio` release but continue to track the release:
 
 To uninstall/delete the `istio` release completely and make its name free for later use:
     ```
-    $ helm delete istio --purge
+    $ helm delete --purge istio
     ```

charts/rancher-istio/0.0.2/charts/certmanager/values.yaml

@@ -18,7 +18,7 @@ tolerations: []
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard” vs. "soft” requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -29,6 +29,6 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security” and value "S1”.
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []

charts/rancher-istio/0.0.2/charts/galley/templates/clusterrole.yaml

@@ -28,7 +28,7 @@ rules:
   resourceNames: ["istio-galley"]
   verbs: ["get"]
 - apiGroups: [""]
-  resources: ["pods", "nodes", "services", "endpoints"]
+  resources: ["pods", "nodes", "services", "endpoints", "namespaces"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["extensions", "networking.k8s.io"]
   resources: ["ingresses"]
@@ -37,3 +37,6 @@ rules:
   resources: ["deployments/finalizers"]
   resourceNames: ["istio-galley"]
   verbs: ["update"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "list", "watch"]

charts/rancher-istio/0.0.2/charts/galley/templates/configmap.yaml

@@ -10,5 +10,7 @@ metadata:
     release: {{ .Release.Name }}
     istio: galley
 data:
+{{- if .Values.global.configValidation }}
   validatingwebhookconfiguration.yaml: |-
     {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}}
+{{- end}}

charts/rancher-istio/0.0.2/charts/galley/templates/deployment.yaml

@@ -16,8 +16,8 @@ spec:
       istio: galley
   strategy:
     rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 0
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
   template:
     metadata:
       labels:
@@ -58,6 +58,9 @@ spec:
 {{- if not $.Values.global.useMCP }}
           - --enable-server=false
 {{- end }}
+{{- if not $.Values.global.configValidation }}
+          - --enable-validation=false
+{{- end }}
           - --validation-webhook-config-file
           - /etc/config/validatingwebhookconfiguration.yaml
           - --monitoringPort={{ .Values.global.monitoringPort }}

charts/rancher-istio/0.0.2/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl

@@ -10,7 +10,6 @@ metadata:
     release: {{ .Release.Name }}
     istio: galley
 webhooks:
-{{- if .Values.global.configValidation }}
   - name: pilot.validation.istio.io
     clientConfig:
       service:
@@ -117,4 +116,3 @@ webhooks:
     failurePolicy: Fail
     sideEffects: None
 {{- end }}
-{{- end }}

charts/rancher-istio/0.0.2/charts/galley/values.yaml

@@ -3,6 +3,8 @@
 #
 enabled: true
 replicaCount: 1
+rollingMaxSurge: 100%
+rollingMaxUnavailable: 25%
 nodeSelector: {}
 tolerations: []
 
@@ -12,7 +14,7 @@ tolerations: []
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard” vs. "soft” requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -23,6 +25,6 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security” and value "S1”.
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []

charts/rancher-istio/0.0.2/charts/gateways/templates/_affinity.tpl

@@ -16,7 +16,7 @@
           values:
         {{- range $key, $val := .root.Values.global.arch }}
           {{- if gt ($val | int) 0 }}
-          - {{ $key }}
+          - {{ $key | quote }}
           {{- end }}
         {{- end }}
         {{- $nodeSelector := default .root.Values.global.defaultNodeSelector .nodeSelector -}}
@@ -24,7 +24,7 @@
         - key: {{ $key }}
           operator: In
           values:
-          - {{ $val }}
+          - {{ $val | quote }}
         {{- end }}
 {{- end }}
 
@@ -37,7 +37,7 @@
         - key: beta.kubernetes.io/arch
           operator: In
           values:
-          - {{ $key }}
+          - {{ $key | quote }}
     {{- end }}
   {{- end }}
 {{- end }}
@@ -66,7 +66,7 @@
           values:
           {{- $vals := split "," $item.values }}
           {{- range $i, $v := $vals }}
-          - {{ $v }}
+          - {{ $v | quote }}
           {{- end }}
           {{- end }}
       topologyKey: {{ $item.topologyKey }}
@@ -84,7 +84,7 @@
             values:
             {{- $vals := split "," $item.values }}
             {{- range $i, $v := $vals }}
-            - {{ $v }}
+            - {{ $v | quote }}
             {{- end }}
             {{- end }}
         topologyKey: {{ $item.topologyKey }}

charts/rancher-istio/0.0.2/charts/gateways/templates/deployment.yaml

@@ -27,6 +27,10 @@ spec:
       {{- range $key, $val := $spec.labels }}
       {{ $key }}: {{ $val }}
       {{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ $spec.rollingMaxSurge }}
+      maxUnavailable: {{ $spec.rollingMaxUnavailable }}
   template:
     metadata:
       labels:
@@ -134,6 +138,12 @@ spec:
           - --envoyMetricsServiceAddress
           - {{ $.Values.global.proxy.envoyMetricsService.host }}:{{ $.Values.global.proxy.envoyMetricsService.port }}
         {{- end }}
+        {{- if $.Values.global.proxy.envoyAccessLogService.enabled }}
+          - --envoyAccessLogService
+          {{- with  $.Values.global.proxy.envoyAccessLogService }}
+          - '{"address":"{{ .host }}:{{.port }}"{{ if .tlsSettings }},"tlsSettings":{{ .tlsSettings | toJson }}{{- end }}{{ if .tcpKeepalive }},"tcpKeepalive":{{ .tcpKeepalive | toJson }}{{- end }}}'
+          {{- end }}
+        {{- end }}
           - --proxyAdminPort
           - "15000"
           - --statusPort
@@ -206,6 +216,10 @@ spec:
               fieldRef:
                 apiVersion: v1
                 fieldPath: status.hostIP
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.serviceAccountName
           - name: ISTIO_META_POD_NAME
             valueFrom:
               fieldRef:
@@ -215,6 +229,12 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: SDS_ENABLED
+            value: "{{ $.Values.global.sds.enabled }}"
+          - name: ISTIO_META_WORKLOAD_NAME
+            value: {{ $key }}
+          - name: ISTIO_META_OWNER
+            value: kubernetes://api/apps/v1/namespaces/{{ $spec.namespace | default $.Release.Namespace }}/deployments/{{ $key }}
           {{- if $spec.sds }}
           {{- if $spec.sds.enabled }}
           - name: ISTIO_META_USER_SDS
@@ -232,11 +252,9 @@ spec:
           - name: sdsudspath
             mountPath: /var/run/sds
             readOnly: true
-          {{- if $.Values.global.sds.useTrustworthyJwt }}
           - name: istio-token
             mountPath: /var/run/secrets/tokens
           {{- end }}
-          {{- end }}
           {{- if $spec.sds }}
           {{- if $spec.sds.enabled }}
           - name: ingressgatewaysdsudspath
@@ -265,15 +283,13 @@ spec:
       - name: sdsudspath
         hostPath:
           path: /var/run/sds
-      {{- if $.Values.global.sds.useTrustworthyJwt }}
       - name: istio-token
         projected:
           sources:
           - serviceAccountToken:
               path: istio-token
               expirationSeconds: 43200
-              audience: {{ $.Values.global.trustDomain }}
-      {{- end }}
+              audience: {{ $.Values.global.sds.token.aud }}
       {{- end }}
       - name: istio-certs
         secret:

charts/rancher-istio/0.0.2/charts/gateways/values.yaml

@@ -33,6 +33,8 @@ istio-ingressgateway:
   autoscaleMax: 5
   # specify replicaCount when autoscaleEnabled: false
   # replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
   resources:
     requests:
       cpu: 100m
@@ -135,7 +137,7 @@ istio-ingressgateway:
   # There are currently two types of anti-affinity:
   #    "requiredDuringSchedulingIgnoredDuringExecution"
   #    "preferredDuringSchedulingIgnoredDuringExecution"
-  # which denote “hard” vs. “soft” requirements, you can define your values
+  # which denote "hard" vs. "soft" requirements, you can define your values
   # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
   # correspondingly.
   # For example:
@@ -146,7 +148,7 @@ istio-ingressgateway:
   #   topologyKey: "kubernetes.io/hostname"
   # This pod anti-affinity rule says that the pod requires not to be scheduled
   # onto a node if that node is already running a pod with label having key
-  # “security” and value “S1”.
+  # "security" and value "S1".
   podAntiAffinityLabelSelector: []
   podAntiAffinityTermLabelSelector: []
 
@@ -160,13 +162,15 @@ istio-egressgateway:
   autoscaleMax: 5
   # specify replicaCount when autoscaleEnabled: false
   # replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
   resources:
     requests:
       cpu: 100m
       memory: 128Mi
     limits:
       cpu: 2000m
-      memory: 256Mi
+      memory: 1024Mi
   cpu:
     targetAverageUtilization: 80
   serviceAnnotations: {}
@@ -211,7 +215,7 @@ istio-egressgateway:
   # There are currently two types of anti-affinity:
   #    "requiredDuringSchedulingIgnoredDuringExecution"
   #    "preferredDuringSchedulingIgnoredDuringExecution"
-  # which denote “hard” vs. “soft” requirements, you can define your values
+  # which denote "hard" vs. "soft" requirements, you can define your values
   # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
   # correspondingly.
   # For example:
@@ -222,7 +226,7 @@ istio-egressgateway:
   #   topologyKey: "kubernetes.io/hostname"
   # This pod anti-affinity rule says that the pod requires not to be scheduled
   # onto a node if that node is already running a pod with label having key
-  # “security” and value “S1”.
+  # "security" and value "S1".
   podAntiAffinityLabelSelector: []
   podAntiAffinityTermLabelSelector: []
 
@@ -239,6 +243,8 @@ istio-ilbgateway:
   autoscaleMax: 5
   # specify replicaCount when autoscaleEnabled: false
   # replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
   cpu:
     targetAverageUtilization: 80
   resources:

charts/rancher-istio/0.0.2/charts/grafana/dashboards/galley-dashboard.json

@@ -211,7 +211,7 @@
           "refId": "H"
         },
         {
-          "expr": "sum(container_memory_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})",
+          "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "Total (kis)",
@@ -402,7 +402,7 @@
           "refId": "A"
         },
         {
-          "expr": "container_fs_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}",
+          "expr": "container_fs_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}",
           "format": "time_series",
           "intervalFactor": 2,
           "legendFormat": "{{ container_name }} ",
@@ -494,14 +494,14 @@
           "refId": "A"
         },
         {
-          "expr": "galley_mcp_source_clients_total",
+          "expr": "istio_mcp_clients_total{component=\"galley\"}",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "clients_total",
           "refId": "B"
         },
         {
-          "expr": "go_goroutines{job=\"galley\"}/galley_mcp_source_clients_total",
+          "expr": "go_goroutines{job=\"galley\"}/sum(istio_mcp_clients_total{component=\"galley\"}) without (component)",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "avg_goroutines_per_client",
@@ -1558,7 +1558,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "sum(galley_mcp_source_clients_total)",
+          "expr": "sum(istio_mcp_clients_total{component=\"galley\"})",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "Clients",
@@ -1643,7 +1643,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "sum by(collection)(irate(galley_mcp_source_request_acks_total[1m]) * 60)",
+          "expr": "sum by(collection)(irate(istio_mcp_request_acks_total{component=\"galley\"}[1m]) * 60)",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "",
@@ -1728,7 +1728,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "rate(galley_mcp_source_request_nacks_total[1m]) * 60",
+          "expr": "rate(istio_mcp_request_nacks_total{component=\"galley\"}[1m]) * 60",
           "format": "time_series",
           "intervalFactor": 1,
           "refId": "A"

charts/rancher-istio/0.0.2/charts/grafana/dashboards/istio-performance-dashboard.json

@@ -323,28 +323,28 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
+          "expr": "(sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "istio-telemetry / 1k rps",
           "refId": "A"
         },
         {
-          "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})",
+          "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "per istio-ingressgateway",
           "refId": "B"
         },
         {
-          "expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})",
+          "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"})",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "per istio proxy",
           "refId": "C"
         },
         {
-          "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
+          "expr": "(sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "istio-policy / 1k rps",
@@ -644,7 +644,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "sum(container_memory_usage_bytes{container_name=\"istio-proxy\"})",
+          "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=\"istio-proxy\"})",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -818,7 +818,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "sum(container_fs_usage_bytes{container_name=\"istio-proxy\"})",
+          "expr": "sum(container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=\"istio-proxy\"})",
           "format": "time_series",
           "intervalFactor": 2,
           "legendFormat": "{{ container_name }}",
@@ -976,7 +976,7 @@
           "step": 2
         },
         {
-          "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})",
+          "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -985,7 +985,7 @@
           "step": 2
         },
         {
-          "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}",
+          "expr": "container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -1187,7 +1187,7 @@
           "refId": "A"
         },
         {
-          "expr": "container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}",
+          "expr": "container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}",
           "format": "time_series",
           "intervalFactor": 2,
           "legendFormat": "{{ container_name }}",
@@ -1431,7 +1431,7 @@
           "step": 2
         },
         {
-          "expr": "sum(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"})",
+          "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"})",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -1440,7 +1440,7 @@
           "step": 2
         },
         {
-          "expr": "container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}",
+          "expr": "container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -1642,7 +1642,7 @@
           "refId": "A"
         },
         {
-          "expr": "container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}",
+          "expr": "container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}",
           "format": "time_series",
           "intervalFactor": 2,
           "legendFormat": "{{ container_name }}",

charts/rancher-istio/0.0.2/charts/grafana/dashboards/mixer-dashboard.json

@@ -263,7 +263,7 @@
           "refId": "G"
         },
         {
-          "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)",
+          "expr": "sum(label_replace(container_memory_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -271,7 +271,7 @@
           "refId": "C"
         },
         {
-          "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)",
+          "expr": "sum(label_replace(container_memory_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -467,7 +467,7 @@
           "refId": "A"
         },
         {
-          "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)",
+          "expr": "sum(label_replace(container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)",
           "format": "time_series",
           "intervalFactor": 2,
           "legendFormat": "{{ service }} - {{ container_name }}",

charts/rancher-istio/0.0.2/charts/grafana/templates/deployment.yaml

@@ -44,7 +44,7 @@ spec:
           - containerPort: 3000
           readinessProbe:
             httpGet:
-              path: /login
+              path: /api/health
               port: 3000
           env:
           - name: GRAFANA_PORT
@@ -76,6 +76,17 @@ spec:
 {{- end }}
           - name: GF_PATHS_DATA
             value: /data/grafana
+          {{- range $key, $value := $.Values.env }}
+          - name: {{ $key }}
+            value: {{ $value | quote }}
+          {{- end }}
+          {{- range $key, $secret := $.Values.envSecrets }}
+          - name: {{ $key }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ $secret }}
+                key: {{ $key | quote }}
+          {{- end }}
           resources:
 {{- if .Values.resources }}
 {{ toYaml .Values.resources | indent 12 }}

charts/rancher-istio/0.0.2/charts/grafana/templates/tests/test-grafana-connection.yaml

@@ -19,7 +19,7 @@ spec:
 {{- end }}
   containers:
     - name: "{{ template "grafana.fullname" . }}-test"
-      image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
+      image: "{{ template "system_default_registry" . }}{{ .Values.global.curl.repository }}:{{ .Values.global.curl.tag }}"
       imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
       command: ['curl']
       args: ['http://grafana:{{ .Values.grafana.service.externalPort }}']

charts/rancher-istio/0.0.2/charts/grafana/values.yaml

@@ -30,13 +30,43 @@ security:
 nodeSelector: {}
 tolerations: []
 
+env: {}
+  # Define additional environment variables for configuring grafana.
+  # @see https://grafana.com/docs/installation/configuration/#using-environment-variables
+  # Format: env_variable_name: value
+  # For example:
+  # GF_SMTP_ENABLED: true
+  # GF_SMTP_HOST: email-smtp.eu-west-1.amazonaws.com:2587
+  # GF_SMTP_FROM_ADDRESS: alerts@mydomain.com
+  # GF_SMTP_FROM_NAME: Grafana
+
+envSecrets: {}
+  # The key name and ENV name must match in the secrets file.
+  # @see https://grafana.com/docs/installation/configuration/#using-environment-variables
+  # For example:
+  # ---
+  # apiVersion: v1
+  # kind: Secret
+  # metadata:
+  #   name: grafana-secrets
+  #   namespace: istio-system
+  # data:
+  #   GF_SMTP_USER: bXl1c2Vy
+  #   GF_SMTP_PASSWORD: bXlwYXNzd29yZA==
+  # type: Opaque
+  # ---
+  # env_variable_key_name: secretsName
+  # ---
+  # GF_SMTP_USER: grafana-secrets
+  # GF_SMTP_PASSWORD: grafana-secrets
+
 # Specify the pod anti-affinity that allows you to constrain which nodes
 # your pod is eligible to be scheduled based on labels on pods that are
 # already running on the node rather than based on labels on nodes.
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard" vs. "soft" requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -47,7 +77,7 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security" and value "S1".
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []
 

charts/rancher-istio/0.0.2/charts/istio-init/README.md

@@ -66,7 +66,7 @@ To uninstall/delete the `istio-init` release but continue to track the release:
 
 To uninstall/delete the `istio-init` release completely and make its name free for later use:
     ```
-    $ helm delete istio-init --purge
+    $ helm delete --purge istio-init
     ```
 
 > Warning: Deleting CRDs will delete any configuration that you have made to Istio.

charts/rancher-istio/0.0.2/charts/istio-init/files/crd-10.yaml

@@ -22,7 +22,10 @@ spec:
     - istio-io
     - networking-istio-io
   scope: Namespaced
-  version: v1alpha3
+  versions:
+    - name: v1alpha3
+      served: true
+      storage: true
   additionalPrinterColumns:
   - JSONPath: .spec.gateways
     description: The names of gateways and sidecars that should apply these routes
@@ -64,7 +67,10 @@ spec:
     - istio-io
     - networking-istio-io
   scope: Namespaced
-  version: v1alpha3
+  versions:
+    - name: v1alpha3
+      served: true
+      storage: true
   additionalPrinterColumns:
   - JSONPath: .spec.host
     description: The name of a service from the service registry
@@ -102,7 +108,10 @@ spec:
     - istio-io
     - networking-istio-io
   scope: Namespaced
-  version: v1alpha3
+  versions:
+    - name: v1alpha3
+      served: true
+      storage: true
   additionalPrinterColumns:
   - JSONPath: .spec.hosts
     description: The hosts associated with the ServiceEntry
@@ -147,7 +156,10 @@ spec:
     - istio-io
     - networking-istio-io
   scope: Namespaced
-  version: v1alpha3
+  versions:
+    - name: v1alpha3
+      served: true
+      storage: true
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -170,7 +182,10 @@ spec:
     - istio-io
     - networking-istio-io
   scope: Namespaced
-  version: v1alpha3
+  versions:
+    - name: v1alpha3
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -193,7 +208,10 @@ spec:
     - istio-io
     - rbac-istio-io
   scope: Cluster
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -216,7 +234,10 @@ spec:
     - istio-io
     - authentication-istio-io
   scope: Namespaced
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -240,7 +261,10 @@ spec:
     - istio-io
     - authentication-istio-io
   scope: Cluster
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -263,7 +287,10 @@ spec:
     - istio-io
     - apim-istio-io
   scope: Namespaced
-  version: v1alpha2
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -286,7 +313,10 @@ spec:
     - istio-io
     - apim-istio-io
   scope: Namespaced
-  version: v1alpha2
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -309,7 +339,10 @@ spec:
     - istio-io
     - apim-istio-io
   scope: Namespaced
-  version: v1alpha2
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -332,7 +365,10 @@ spec:
     - istio-io
     - apim-istio-io
   scope: Namespaced
-  version: v1alpha2
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -357,7 +393,10 @@ spec:
     - istio-io
     - policy-istio-io
   scope: Namespaced
-  version: v1alpha2
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -382,7 +421,10 @@ spec:
     - istio-io
     - policy-istio-io
   scope: Namespaced
-  version: v1alpha2
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -407,7 +449,10 @@ spec:
     - istio-io
     - rbac-istio-io
   scope: Namespaced
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -432,7 +477,10 @@ spec:
     - istio-io
     - rbac-istio-io
   scope: Namespaced
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -457,7 +505,10 @@ spec:
     - istio-io
     - rbac-istio-io
   scope: Namespaced
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
   additionalPrinterColumns:
   - JSONPath: .spec.roleRef.name
     description: The name of the ServiceRole object being referenced
@@ -494,7 +545,10 @@ spec:
     - istio-io
     - policy-istio-io
   scope: Namespaced
-  version: v1alpha2
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -519,7 +573,10 @@ spec:
     - istio-io
     - policy-istio-io
   scope: Namespaced
-  version: v1alpha2
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -544,7 +601,10 @@ spec:
     - istio-io
     - policy-istio-io
   scope: Namespaced
-  version: v1alpha2
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
 ---
 kind: CustomResourceDefinition
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -569,5 +629,8 @@ spec:
     - istio-io
     - policy-istio-io
   scope: Namespaced
-  version: v1alpha2
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
 ---

charts/rancher-istio/0.0.2/charts/istio-init/files/crd-11.yaml

@@ -19,5 +19,8 @@ spec:
     - istio-io
     - networking-istio-io
   scope: Namespaced
-  version: v1alpha3
+  versions:
+    - name: v1alpha3
+      served: true
+      storage: true
 ---

charts/rancher-istio/0.0.2/charts/istio-init/files/crd-12.yaml

@@ -17,5 +17,8 @@ spec:
       - istio-io
       - rbac-istio-io
   scope: Namespaced
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
 ---

charts/rancher-istio/0.0.2/charts/istio-init/files/crd-certmanager-10.yaml

@@ -11,7 +11,10 @@ metadata:
     "helm.sh/resource-policy": keep
 spec:
   group: certmanager.k8s.io
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
   names:
     kind: ClusterIssuer
     plural: clusterissuers
@@ -30,7 +33,10 @@ metadata:
     "helm.sh/resource-policy": keep
 spec:
   group: certmanager.k8s.io
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
   names:
     kind: Issuer
     plural: issuers
@@ -71,7 +77,10 @@ spec:
       name: Age
       type: date
   group: certmanager.k8s.io
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
   scope: Namespaced
   names:
     kind: Certificate

charts/rancher-istio/0.0.2/charts/istio-init/files/crd-certmanager-11.yaml

@@ -30,7 +30,10 @@ spec:
       name: Age
       type: date
   group: certmanager.k8s.io
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
   names:
     kind: Order
     plural: orders
@@ -66,7 +69,10 @@ spec:
       name: Age
       type: date
   group: certmanager.k8s.io
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
   names:
     kind: Challenge
     plural: challenges

charts/rancher-istio/0.0.2/charts/istio-init/templates/serviceaccount.yaml

 apiVersion: v1
 kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
 metadata:
   name: istio-init-service-account
   namespace: {{ .Release.Namespace }}

charts/rancher-istio/0.0.2/charts/istiocoredns/templates/deployment.yaml

@@ -13,6 +13,10 @@ spec:
   selector:
     matchLabels:
       app: istiocoredns
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
   template:
     metadata:
       name: istiocoredns

charts/rancher-istio/0.0.2/charts/istiocoredns/values.yaml

@@ -3,6 +3,8 @@
 #
 enabled: false
 replicaCount: 1
+rollingMaxSurge: 100%
+rollingMaxUnavailable: 25%
 # Source code for the plugin can be found at
 # https://github.com/istio-ecosystem/istio-coredns-plugin
 # The plugin listens for DNS requests from coredns server at 127.0.0.1:8053
@@ -15,7 +17,7 @@ tolerations: []
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard" vs. "soft" requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -26,6 +28,6 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security" and value "S1".
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []

charts/rancher-istio/0.0.2/charts/kiali/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v1
 description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details.
 name: kiali
 version: 1.1.0
-appVersion: 0.20
+appVersion: 1.1.0
 tillerVersion: ">=2.7.2"

charts/rancher-istio/0.0.2/charts/kiali/templates/clusterrole.yaml

@@ -98,6 +98,7 @@ rules:
   - destinationrules
   - gateways
   - serviceentries
+  - sidecars
   - virtualservices
   verbs:
   - create
@@ -234,6 +235,7 @@ rules:
   - destinationrules
   - gateways
   - serviceentries
+  - sidecars
   - virtualservices
   verbs:
   - get

charts/rancher-istio/0.0.2/charts/kiali/templates/clusterrolebinding.yaml

+{{- if not .Values.dashboard.viewOnlyMode }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -10,8 +11,27 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: kiali{{- if .Values.dashboard.viewOnlyMode }}-viewer{{- end }}
+  name: kiali
 subjects:
 - kind: ServiceAccount
   name: kiali-service-account
   namespace: {{ .Release.Namespace }}
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-kiali-viewer-role-binding-{{ .Release.Namespace }}
+  labels:
+    app: {{ template "kiali.name" . }}
+    chart: {{ template "kiali.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kiali-viewer
+subjects:
+- kind: ServiceAccount
+  name: kiali-service-account
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/rancher-istio/0.0.2/charts/kiali/templates/configmap.yaml

@@ -15,23 +15,21 @@ data:
       port: 20001
     external_services:
       tracing:
-        service: "tracing/jaeger"
-        {{- if and .Values.global.rancher (and .Values.global.rancher.domain .Values.global.rancher.clusterId) }}
-        {{- if not .Values.dashboard.jaegerURL }}
-        url: 'https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:tracing:80/proxy/jaeger'
-        {{- end }}
+        {{- if .Values.dashboard.jaegerURL }}
+        url: {{ .Values.dashboard.jaegerURL }}
+        {{- else }}
+        url: http://tracing.istio-system:80
         {{- end }}
       grafana:
       {{- if eq .Values.global.monitoring.type "cluster-monitoring" }}
-        url: https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/cattle-prometheus/services/http:access-grafana:80/proxy/
-        service_namespace: cattle-prometheus
-        service: access-grafana
+        url: https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/cattle-prometheus/services/http:access-grafana:80/proxy//
+        in_cluster_url: http://access-grafana.cattle-prometheus:80
       {{- else if eq .Values.global.monitoring.type "built-in" }}
         {{- if and .Values.global.rancher (and .Values.global.rancher.domain .Values.global.rancher.clusterId) }}
-        url: https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:grafana:80/proxy/
+        url: https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:grafana:80/proxy//
+        in_cluster_url: http://access-grafana.cattle-prometheus:80
         {{- end }}
       {{- else }}
-        custom_metrics_url: "http://prometheus.{{ .Release.Namespace }}:9090"
         {{- if .Values.dashboard.grafanaURL }}
         url: {{ .Values.dashboard.grafanaURL }}
         {{- end }}
@@ -42,4 +40,8 @@ data:
       {{- else }}
         url: {{ .Values.prometheusAddr }}
       {{- end }}
-
+{{- if .Values.security.enabled }}
+    identity:
+      cert_file: {{ .Values.security.cert_file }}
+      private_key_file: {{ .Values.security.private_key_file }}
+{{- end}}

charts/rancher-istio/0.0.2/charts/kiali/templates/deployment.yaml

@@ -26,6 +26,7 @@ spec:
         scheduler.alpha.kubernetes.io/critical-pod: ""
         prometheus.io/scrape: "true"
         prometheus.io/port: "9090"
+        kiali.io/runtimes: go,kiali
     spec:
       serviceAccountName: kiali-service-account
 {{- if .Values.global.priorityClassName }}
@@ -39,8 +40,28 @@ spec:
         - "-config"
         - "/kiali-configuration/config.yaml"
         - "-v"
-        - "4"
+        - "3"
+        readinessProbe:
+          httpGet:
+            path: {{ .Values.contextPath }}/healthz
+            port: 20001
+            scheme:  {{ if .Values.security.enabled }} 'HTTPS' {{ else }} 'HTTP' {{ end }}
+          initialDelaySeconds: 5
+          periodSeconds: 30
+        livenessProbe:
+          httpGet:
+            path: {{ .Values.contextPath }}/healthz
+            port: 20001
+            scheme:  {{ if .Values.security.enabled }} 'HTTPS' {{ else }} 'HTTP' {{ end }}
+          initialDelaySeconds: 5
+          periodSeconds: 30
         env:
+        - name: TRACING_INSECURE_SKIP_VERIFY
+          value: "true"
+        - name: GRAFANA_INSECURE_SKIP_VERIFY
+          value: "true"
+        - name: TRACING_ENABLED
+          value: "false"
         - name: ACTIVE_NAMESPACE
           valueFrom:
             fieldRef:
@@ -66,6 +87,8 @@ spec:
         volumeMounts:
         - name: kiali-configuration
           mountPath: "/kiali-configuration"
+        - name: kiali-cert
+          mountPath: "/kiali-cert"
         - name: kiali-secret
           mountPath: "/kiali-secret"
         resources:
@@ -97,6 +120,12 @@ spec:
       - name: kiali-configuration
         configMap:
           name: kiali
+      - name: kiali-cert
+        secret:
+          secretName: istio.kiali-service-account
+{{- if not .Values.security.enabled }}
+          optional: true
+{{- end }}
       - name: kiali-nginx
         configMap:
           name: kiali-nginx

charts/rancher-istio/0.0.2/charts/kiali/templates/nginx-configmap.yaml

@@ -52,9 +52,9 @@ data:
           add_header          Cache-Control "public";
 
           proxy_pass     http://localhost:20001/;
-          sub_filter_types text/html;
+          sub_filter_types application/javascript;
           sub_filter_once on;
-          sub_filter </head> '<script>var path = window.location.pathname; var pathName = path.substring(0, path.lastIndexOf("/proxy") + 6); window.WEB_ROOT = window.WEB_ROOT ? pathName + window.WEB_ROOT:pathName</script></head>';
+          sub_filter "// This file is intentionally left bank." "window.WEB_ROOT='/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/istio-system/services/http:kiali-http:80/proxy';";
           if ($request_filename ~ .*\.(?:js|css|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$) {
             expires             90d;
           }

charts/rancher-istio/0.0.2/charts/kiali/templates/tests/test-kiali-connection.yaml

@@ -19,7 +19,7 @@ spec:
 {{- end }}
   containers:
     - name: "{{ template "kiali.fullname" . }}-test"
-      image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
+      image: "{{ template "system_default_registry" . }}{{ .Values.global.curl.repository }}:{{ .Values.global.curl.tag }}"
       imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
       command: ['curl']
       args: ['http://kiali:20001']

charts/rancher-istio/0.0.2/charts/kiali/values.yaml

@@ -13,7 +13,7 @@ tolerations: []
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard” vs. "soft” requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -24,7 +24,7 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security” and value "S1”.
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []
 
@@ -60,3 +60,8 @@ service:
   type: ClusterIP
 
 resources: {}
+
+security:
+  enabled: false
+  cert_file: /kiali-cert/cert-chain.pem
+  private_key_file: /kiali-cert/key.pem
\ No newline at end of file

charts/rancher-istio/0.0.2/charts/mixer/templates/config.yaml

@@ -138,6 +138,8 @@ spec:
       valueType: BOOL
     quota.cache_hit:
       valueType: BOOL
+    context.proxy_version:
+      valueType: STRING
 
 ---
 apiVersion: "config.istio.io/v1alpha2"

charts/rancher-istio/0.0.2/charts/mixer/templates/deployment.yaml

@@ -13,16 +13,14 @@
       - hostPath:
           path: /var/run/sds
         name: sds-uds-path
-      {{- if $.Values.global.sds.useTrustworthyJwt }}
       - name: istio-token
         projected:
           sources:
           - serviceAccountToken:
-              audience: {{ $.Values.global.trustDomain }}
+              audience: {{ $.Values.global.sds.token.aud }}
               expirationSeconds: 43200
               path: istio-token
       {{- end }}
-      {{- end }}
       - name: uds-socket
         emptyDir: {}
       - name: policy-adapter-secret
@@ -68,11 +66,7 @@
           {{- else }}
           - --useAdapterCRDs=false
           {{- end }}
-          {{- if $.Values.templates.useTemplateCRDs }}
-          - --useTemplateCRDs=true
-          {{- else }}
           - --useTemplateCRDs=false
-          {{- end }}
           {{- if $.Values.global.tracer.zipkin.address }}
           - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
           {{- else }}
@@ -150,6 +144,8 @@
             fieldRef:
               apiVersion: v1
               fieldPath: status.podIP
+        - name: SDS_ENABLED
+          value: "{{ $.Values.global.sds.enabled }}"
         resources:
 {{- if $.Values.global.proxy.resources }}
 {{ toYaml $.Values.global.proxy.resources | indent 10 }}
@@ -164,11 +160,9 @@
         - name: sds-uds-path
           mountPath: /var/run/sds
           readOnly: true
-        {{- if $.Values.global.sds.useTrustworthyJwt }}
         - name: istio-token
           mountPath: /var/run/secrets/tokens
         {{- end }}
-        {{- end }}
         - name: uds-socket
           mountPath: /sock
         - name: policy-adapter-secret
@@ -188,16 +182,14 @@
       - hostPath:
           path: /var/run/sds
         name: sds-uds-path
-      {{- if $.Values.global.sds.useTrustworthyJwt }}
       - name: istio-token
         projected:
           sources:
           - serviceAccountToken:
-              audience: {{ $.Values.global.trustDomain }}
+              audience: {{ $.Values.global.sds.token.aud }}
               expirationSeconds: 43200
               path: istio-token
       {{- end }}
-      {{- end }}
       - name: uds-socket
         emptyDir: {}
       - name: telemetry-adapter-secret
@@ -246,11 +238,6 @@
           {{- else }}
           - --useAdapterCRDs=false
           {{- end }}
-          {{- if $.Values.templates.useTemplateCRDs }}
-          - --useTemplateCRDs=true
-          {{- else }}
-          - --useTemplateCRDs=false
-          {{- end }}
           {{- if $.Values.global.tracer.zipkin.address }}
           - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
           {{- else }}
@@ -332,6 +319,8 @@
             fieldRef:
               apiVersion: v1
               fieldPath: status.podIP
+        - name: SDS_ENABLED
+          value: "{{ $.Values.global.sds.enabled }}"
         resources:
 {{- if $.Values.global.proxy.resources }}
 {{ toYaml $.Values.global.proxy.resources | indent 10 }}
@@ -346,11 +335,9 @@
         - name: sds-uds-path
           mountPath: /var/run/sds
           readOnly: true
-        {{- if $.Values.global.sds.useTrustworthyJwt }}
         - name: istio-token
           mountPath: /var/run/secrets/tokens
         {{- end }}
-        {{- end }}
         - name: uds-socket
           mountPath: /sock
 {{- end }}
@@ -380,8 +367,8 @@ spec:
 {{- end }}
   strategy:
     rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 0
+      maxSurge: {{ $spec.rollingMaxSurge }}
+      maxUnavailable: {{ $spec.rollingMaxUnavailable }}
   selector:
     matchLabels:
       istio: mixer

charts/rancher-istio/0.0.2/charts/mixer/values.yaml

@@ -15,6 +15,8 @@ policy:
   autoscaleMax: 5
   cpu:
     targetAverageUtilization: 80
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
 
 telemetry:
   enabled: true
@@ -24,6 +26,8 @@ telemetry:
   autoscaleMax: 5
   cpu:
     targetAverageUtilization: 80
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
   sessionAffinityEnabled: false
 
   # mixer load shedding configuration.
@@ -43,6 +47,16 @@ telemetry:
       cpu: 4800m
       memory: 4G
 
+  # Set reportBatchMaxEntries to 0 to use the default batching behavior (i.e., every 100 requests). 
+  # A positive value indicates the number of requests that are batched before telemetry data 
+  # is sent to the mixer server
+  reportBatchMaxEntries: 100
+
+  # Set reportBatchMaxTime to 0 to use the default batching behavior (i.e., every 1 second). 
+  # A positive time value indicates the maximum wait time since the last request will telemetry data 
+  # be batched before being sent to the mixer server
+  reportBatchMaxTime: 1s
+
 podAnnotations: {}
 nodeSelector: {}
 tolerations: []
@@ -53,7 +67,7 @@ tolerations: []
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard" vs. "soft" requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -64,13 +78,10 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security" and value "S1".
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []
 
-templates:
-  useTemplateCRDs: false
-
 adapters:
   kubernetesenv:
     enabled: true

charts/rancher-istio/0.0.2/charts/nodeagent/templates/daemonset.yaml

@@ -44,6 +44,10 @@ spec:
         {{- end }}
         - name: "Trust_Domain"
           value: "{{ .Values.global.trustDomain }}"
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
       volumes:
       - name: sdsudspath
         hostPath:

charts/rancher-istio/0.0.2/charts/nodeagent/values.yaml

@@ -18,7 +18,7 @@ tolerations: []
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard” vs. "soft” requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -29,6 +29,6 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security” and value "S1”.
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []

charts/rancher-istio/0.0.2/charts/pilot/templates/deployment.yaml

@@ -22,8 +22,8 @@ spec:
 {{- end }}
   strategy:
     rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 0
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
   selector:
     matchLabels:
       istio: pilot
@@ -58,11 +58,9 @@ spec:
           - "-a"
           - {{ .Release.Namespace }}
 {{- end }}
-{{- if $.Values.global.controlPlaneSecurityEnabled}}
-    {{- if not .Values.sidecar }}
+{{- if and $.Values.global.controlPlaneSecurityEnabled (not .Values.sidecar)}}
           - --secureGrpcAddr
           - ":15011"
-    {{- end }}
 {{- else }}
           - --secureGrpcAddr
           - ""
@@ -106,8 +104,10 @@ spec:
           - name: PILOT_TRACE_SAMPLING
             value: "{{ .Values.traceSampling }}"
 {{- end }}
-          - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY
-            value: "1"
+          - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
+            value: "{{ .Values.enableProtocolSniffingForOutbound }}"
+          - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
+            value: "{{ .Values.enableProtocolSniffingForInbound }}"
           resources:
 {{- if .Values.resources }}
 {{ toYaml .Values.resources | indent 12 }}
@@ -163,6 +163,8 @@ spec:
               fieldRef:
                 apiVersion: v1
                 fieldPath: status.podIP
+          - name: SDS_ENABLED
+            value: "{{ $.Values.global.sds.enabled }}"
           resources:
 {{- if .Values.global.proxy.resources }}
 {{ toYaml .Values.global.proxy.resources | indent 12 }}
@@ -177,27 +179,23 @@ spec:
           - name: sds-uds-path
             mountPath: /var/run/sds
             readOnly: true
-          {{- if $.Values.global.sds.useTrustworthyJwt }}
           - name: istio-token
             mountPath: /var/run/secrets/tokens
           {{- end }}
-          {{- end }}
 {{- end }}
       volumes:
       {{- if $.Values.global.sds.enabled }}
       - hostPath:
           path: /var/run/sds
         name: sds-uds-path
-      {{- if $.Values.global.sds.useTrustworthyJwt }}
       - name: istio-token
         projected:
           sources:
           - serviceAccountToken:
-              audience: {{ $.Values.global.trustDomain }}
+              audience: {{ $.Values.global.sds.token.aud }}
               expirationSeconds: 43200
               path: istio-token
       {{- end }}
-      {{- end }}
       - name: config-volume
         configMap:
           name: istio

charts/rancher-istio/0.0.2/charts/pilot/values.yaml

@@ -7,8 +7,14 @@ autoscaleMin: 1
 autoscaleMax: 5
 # specify replicaCount when autoscaleEnabled: false
 # replicaCount: 1
+rollingMaxSurge: 100%
+rollingMaxUnavailable: 25%
 sidecar: true
 traceSampling: 1.0
+# if protocol sniffing is enabled for outbound
+enableProtocolSniffingForOutbound: true
+# if protocol sniffing is enabled for inbound
+enableProtocolSniffingForInbound: false
 # Resources for a small pilot install
 resources:
   requests:
@@ -28,7 +34,7 @@ tolerations: []
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard" vs. "soft" requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -39,7 +45,7 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security" and value "S1".
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []
 

charts/rancher-istio/0.0.2/charts/prometheus/templates/tests/test-prometheus-connection.yaml

@@ -19,7 +19,7 @@ spec:
 {{- end }}
   containers:
     - name: "{{ template "prometheus.fullname" . }}-test"
-      image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}
+      image: {{ template "system_default_registry" . }}{{ .Values.global.curl.repository }}:{{ .Values.global.curl.tag }}
       imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
       command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && exit 0 || sleep 15; done; exit 1']
   restartPolicy: Never

charts/rancher-istio/0.0.2/charts/prometheus/values.yaml

@@ -14,7 +14,7 @@ tolerations: []
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard” vs. "soft” requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -25,7 +25,7 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security” and value "S1”.
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []
 

charts/rancher-istio/0.0.2/charts/security/templates/clusterrole.yaml

@@ -15,7 +15,7 @@ rules:
   resources: ["secrets"]
   verbs: ["create", "get", "watch", "list", "update", "delete"]
 - apiGroups: [""]
-  resources: ["serviceaccounts", "services"]
+  resources: ["serviceaccounts", "services", "namespaces"]
   verbs: ["get", "watch", "list"]
 - apiGroups: ["authentication.k8s.io"]
   resources: ["tokenreviews"]

charts/rancher-istio/0.0.2/charts/security/templates/create-custom-resources-job.yaml

 {{- if .Values.createMeshPolicy }}
 apiVersion: v1
 kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
 metadata:
   name: istio-security-post-install-account
   namespace: {{ .Release.Namespace }}

charts/rancher-istio/0.0.2/charts/security/templates/deployment.yaml

@@ -17,8 +17,8 @@ spec:
       istio: citadel
   strategy:
     rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 0
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
   template:
     metadata:
       labels:
@@ -67,6 +67,9 @@ spec:
             - --liveness-probe-interval=60s # interval for health check file update
             - --probe-check-interval=15s    # interval for health status check
           {{- end }}
+          env:
+            - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT
+              value: "{{ .Values.enableNamespacesByDefault }}"
           {{- if .Values.citadelHealthCheck }}
           livenessProbe:
             exec:

charts/rancher-istio/0.0.2/charts/security/templates/tests/test-citadel-connection.yaml

@@ -19,7 +19,7 @@ spec:
 {{- end }}
   containers:
     - name: "{{ template "security.fullname" . }}-test"
-      image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
+      image: "{{ template "system_default_registry" . }}{{ .Values.global.curl.repository }}:{{ .Values.global.curl.tag }}"
       imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
       command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:{{ .Values.global.monitoringPort }}/version && exit 0 || sleep 15; done; exit 1']
   restartPolicy: Never

charts/rancher-istio/0.0.2/charts/security/values.yaml

@@ -3,6 +3,8 @@
 #
 enabled: true
 replicaCount: 1
+rollingMaxSurge: 100%
+rollingMaxUnavailable: 25%
 selfSigned: true # indicate if self-signed CA is used.
 createMeshPolicy: true
 nodeSelector: {}
@@ -13,13 +15,23 @@ citadelHealthCheck: false
 # 90*24hour = 2160h
 workloadCertTtl: 2160h
 
+# Determines Citadel default behavior if the ca.istio.io/env or ca.istio.io/override
+# labels are not found on a given namespace.
+#
+# For example: consider a namespace called "target", which has neither the "ca.istio.io/env"
+# nor the "ca.istio.io/override" namespace labels. To decide whether or not to generate secrets
+# for service accounts created in this "target" namespace, Citadel will defer to this option. If the value
+# of this option is "true" in this case, secrets will be generated for the "target" namespace.
+# If the value of this option is "false" Citadel will not generate secrets upon service account creation.
+enableNamespacesByDefault: true
+
 # Specify the pod anti-affinity that allows you to constrain which nodes
 # your pod is eligible to be scheduled based on labels on pods that are
 # already running on the node rather than based on labels on nodes.
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard" vs. "soft" requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -30,6 +42,6 @@ workloadCertTtl: 2160h
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security" and value "S1".
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []

charts/rancher-istio/0.0.2/charts/sidecarInjectorWebhook/OWNERS

-approvers:
-  - ostromart

charts/rancher-istio/0.0.2/charts/sidecarInjectorWebhook/templates/deployment.yaml

@@ -16,8 +16,8 @@ spec:
       istio: sidecar-injector
   strategy:
     rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 0
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
   template:
     metadata:
       labels:

charts/rancher-istio/0.0.2/charts/sidecarInjectorWebhook/templates/service.yaml

@@ -12,5 +12,8 @@ metadata:
 spec:
   ports:
   - port: 443
+    name: https-inject
+  - port: {{ .Values.global.monitoringPort }}
+    name: http-monitoring
   selector:
     istio: sidecar-injector

charts/rancher-istio/0.0.2/charts/sidecarInjectorWebhook/values.yaml

@@ -3,6 +3,8 @@
 #
 enabled: true
 replicaCount: 1
+rollingMaxSurge: 100%
+rollingMaxUnavailable: 25%
 enableNamespacesByDefault: false
 nodeSelector: {}
 tolerations: []
@@ -13,7 +15,7 @@ tolerations: []
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard" vs. "soft" requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -24,7 +26,7 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security" and value "S1".
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []
 

charts/rancher-istio/0.0.2/charts/tracing/templates/deployment-jaeger.yaml

@@ -59,6 +59,16 @@ spec:
               fieldRef:
                 apiVersion: v1
                 fieldPath: metadata.namespace
+          {{- if eq .Values.jaeger.spanStorageType "badger" }}
+          - name: BADGER_EPHEMERAL
+            value: "false"
+          - name: SPAN_STORAGE_TYPE
+            value: "badger"
+          - name: BADGER_DIRECTORY_VALUE
+            value: "/badger/data"
+          - name: BADGER_DIRECTORY_KEY
+            value: "/badger/key"
+          {{- end }}
           - name: COLLECTOR_ZIPKIN_HTTP_PORT
             value: "9411"
           - name: MEMORY_MAX_TRACES
@@ -73,6 +83,11 @@ spec:
             httpGet:
               path: /
               port: 16686
+{{- if eq .Values.jaeger.spanStorageType "badger" }}
+          volumeMounts:
+          - name: data
+            mountPath: /badger
+{{- end }}
           resources:
 {{- if .Values.jaeger.resources }}
 {{ toYaml .Values.jaeger.resources | indent 12 }}
@@ -98,14 +113,6 @@ spec:
           resources:
   {{ toYaml .Values.jaeger.proxy.resources | indent 12 }}
           {{- end }}
-      volumes:
-      - name: tracing-nginx
-        configMap:
-          name: tracing-nginx
-          items:
-          - key: nginx.conf
-            mode: 438
-            path: nginx.conf
       affinity:
       {{- include "nodeaffinity" . | indent 6 }}
       {{- include "podAntiAffinity" . | indent 6 }}
@@ -116,4 +123,21 @@ spec:
       tolerations:
 {{ toYaml .Values.global.defaultTolerations | indent 6 }}
       {{- end }}
+      volumes:
+      - name: tracing-nginx
+        configMap:
+          name: tracing-nginx
+          items:
+          - key: nginx.conf
+            mode: 438
+            path: nginx.conf
+{{- if eq .Values.jaeger.spanStorageType "badger" }}
+      - name: data
+{{- if .Values.jaeger.persist }}
+        persistentVolumeClaim:
+          claimName: istio-jaeger-pvc
+{{- else }}
+        emptyDir: {}
+{{- end }}
+{{- end }}
 {{ end }}

charts/rancher-istio/0.0.2/charts/tracing/templates/pvc.yaml

+{{- if eq .Values.provider "jaeger" }}
+{{- if .Values.jaeger.persist }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: istio-jaeger-pvc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: jaeger
+    chart: {{ template "tracing.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  storageClassName: {{ .Values.jaeger.storageClassName }}
+  accessModes:
+    - {{ .Values.jaeger.accessMode }}
+  resources:
+    requests:
+      storage: 5Gi
+{{- end }}
+{{- end }}

charts/rancher-istio/0.0.2/charts/tracing/templates/tests/test-tracing-connection.yaml

@@ -18,7 +18,7 @@ spec:
 {{- end }}
   containers:
     - name: "{{ .Values.provider }}-test"
-      image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
+      image: "{{ template "system_default_registry" . }}{{ .Values.global.curl.repository }}:{{ .Values.global.curl.tag }}"
       imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
       command: ['curl']
       {{- if eq .Values.provider "jaeger" }}

charts/rancher-istio/0.0.2/charts/tracing/values.yaml

@@ -13,7 +13,7 @@ tolerations: []
 # There are currently two types of anti-affinity:
 #    "requiredDuringSchedulingIgnoredDuringExecution"
 #    "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
+# which denote "hard" vs. "soft" requirements, you can define your values
 # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
 # correspondingly.
 # For example:
@@ -24,7 +24,7 @@ tolerations: []
 #   topologyKey: "kubernetes.io/hostname"
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
+# "security" and value "S1".
 podAntiAffinityLabelSelector: []
 podAntiAffinityTermLabelSelector: []
 
@@ -33,6 +33,11 @@ jaeger:
     max_traces: 50000
   proxy:
     resources: {}
+  # spanStorageType value can be "memory" and "badger" for all-in-one image
+  spanStorageType: badger
+  persist: false
+  storageClassName: ""
+  accessMode: ReadWriteMany
 
 zipkin:
   probeStartupDelay: 200

charts/rancher-istio/0.0.2/files/injection-template.yaml

@@ -8,10 +8,12 @@ initContainers:
   image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
   {{- else }}
   image: "{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
-  {{- end }}
+{{- end }}
   args:
   - "-p"
   - "15001"
+  - "-z"
+  - "15006"
   - "-u"
   - 1337
   - "-m"
@@ -21,7 +23,7 @@ initContainers:
   - "-x"
   - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
   - "-b"
-  - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
+  - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
   - "-d"
   - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
   {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") -}}
@@ -33,13 +35,12 @@ initContainers:
   - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
   {{ end -}}
   imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+{{- if .Values.global.proxy.init.resources }}
   resources:
-    requests:
-      cpu: 10m
-      memory: 10Mi
-    limits:
-      cpu: 100m
-      memory: 50Mi
+    {{ toYaml .Values.global.proxy.init.resources | indent 4 }}
+{{- else }}
+  resources: {}
+{{- end }}
   securityContext:
     runAsUser: 0
     runAsNonRoot: false
@@ -50,11 +51,6 @@ initContainers:
     privileged: true
     {{- end }}
   restartPolicy: Always
-  env:
-  {{- if contains "*" (annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` "") }}
-  - name: INBOUND_CAPTURE_PORT
-    value: 15006
-  {{- end }}
 {{- end }}
 {{  end -}}
 {{- if eq .Values.global.proxy.enableCoreDump true }}
@@ -65,9 +61,9 @@ initContainers:
   command:
     - /bin/sh
   {{- if .Values.global.systemDefaultRegistry }}
-  image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
+  image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy.enableCoreDumpImage }}"
   {{- else }}
-  image: "{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
+  image: "{{ .Values.global.proxy.enableCoreDumpImage }}"
   {{- end }}  
   imagePullPolicy: IfNotPresent
   resources: {}
@@ -83,7 +79,7 @@ containers:
   image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
   {{- else }}
   image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.repository}}:{{ .Values.global.proxy.tag }}"
-  {{- end }}
+{{- end }}
   ports:
   - containerPort: 15090
     protocol: TCP
@@ -140,7 +136,11 @@ containers:
 {{- end }}
 {{- if .Values.global.proxy.envoyMetricsService.enabled }}
   - --envoyMetricsServiceAddress
-  - "{{ .ProxyConfig.EnvoyMetricsServiceAddress }}"
+  - "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}"
+{{- end }}
+{{- if .Values.global.proxy.envoyAccessLogService.enabled }}
+  - --envoyAccessLogService
+  - '{{ structToJSON .ProxyConfig.EnvoyAccessLogService }}'
 {{- end }}
   - --proxyAdminPort
   - "{{ .ProxyConfig.ProxyAdminPort }}"
@@ -164,6 +164,17 @@ containers:
     valueFrom:
       fieldRef:
         fieldPath: metadata.name
+  - name: ISTIO_META_POD_PORTS
+    value: |-
+      [
+      {{- range $index1, $c := .Spec.Containers }}
+        {{- range $index2, $p := $c.Ports }}
+          {{if or (ne $index1 0) (ne $index2 0)}},{{end}}{{ structToJSON $p }}
+        {{- end}}
+      {{- end}}
+      ]
+  - name: ISTIO_META_CLUSTER_ID
+    value: "{{ valueOrDefault .Values.global.multicluster.clusterName `Kubernetes` }}"
   - name: POD_NAMESPACE
     valueFrom:
       fieldRef:
@@ -172,6 +183,10 @@ containers:
     valueFrom:
       fieldRef:
         fieldPath: status.podIP
+  - name: SERVICE_ACCOUNT
+    valueFrom:
+      fieldRef:
+        fieldPath: spec.serviceAccountName
 {{ if eq .Values.global.proxy.tracer "datadog" }}
   - name: HOST_IP
     valueFrom:
@@ -186,6 +201,8 @@ containers:
     valueFrom:
       fieldRef:
         fieldPath: metadata.namespace
+  - name: SDS_ENABLED
+    value: {{ $.Values.global.sds.enabled }}
   - name: ISTIO_META_INTERCEPTION_MODE
     value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
   - name: ISTIO_META_INCLUDE_INBOUND_PORTS
@@ -204,6 +221,14 @@ containers:
     value: |
            {{ toJSON .ObjectMeta.Labels }}
   {{ end }}
+  {{- if .DeploymentMeta.Name }}
+  - name: ISTIO_META_WORKLOAD_NAME
+    value: {{ .DeploymentMeta.Name }}
+  {{ end }}
+  {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+  - name: ISTIO_META_OWNER
+    value: kubernetes://api/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+   {{- end}}
   {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
   - name: ISTIO_BOOTSTRAP_OVERRIDE
     value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
@@ -212,6 +237,13 @@ containers:
   - name: ISTIO_META_SDS_TOKEN_PATH
     value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken"
   {{- end }}
+  {{- if .Values.global.meshID }}
+  - name: ISTIO_META_MESH_ID
+    value: "{{ .Values.global.meshID }}"
+  {{- else if .Values.global.trustDomain }}
+  - name: ISTIO_META_MESH_ID
+    value: "{{ .Values.global.trustDomain }}"
+  {{- end }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy }}
   {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
   readinessProbe:
@@ -235,7 +267,7 @@ containers:
       - NET_ADMIN
     runAsGroup: 1337
     {{ else -}}
-    {{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }}
+    {{ if .Values.global.sds.enabled }}
     runAsGroup: 1337
     {{- end }}
     runAsUser: 1337
@@ -265,10 +297,8 @@ containers:
   - mountPath: /var/run/sds
     name: sds-uds-path
     readOnly: true
-  {{- if .Values.global.sds.useTrustworthyJwt }}
   - mountPath: /var/run/secrets/tokens
     name: istio-token
-  {{- end }}
   {{- if .Values.global.sds.customTokenDirectory }}
   - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}"
     name: custom-sds-token
@@ -303,19 +333,17 @@ volumes:
 - name: sds-uds-path
   hostPath:
     path: /var/run/sds
-{{- if .Values.global.sds.customTokenDirectory }}
-- name: custom-sds-token
-  secret:
-    secretName: sdstokensecret
-{{- end }}
-{{- if .Values.global.sds.useTrustworthyJwt }}
 - name: istio-token
   projected:
     sources:
       - serviceAccountToken:
           path: istio-token
           expirationSeconds: 43200
-        audience: {{ .Values.global.trustDomain }}
+          audience: {{ .Values.global.sds.token.aud }}
+{{- if .Values.global.sds.customTokenDirectory }}
+- name: custom-sds-token
+  secret:
+    secretName: sdstokensecret
 {{- end }}
 {{- else }}
 - name: istio-certs
@@ -346,3 +374,13 @@ dnsConfig:
     - {{ render . }}
     {{- end }}
 {{- end }}
+podRedirectAnnot:
+   sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+   traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+   traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+   traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
+   traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+   traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+{{- end }}
+   traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"

charts/rancher-istio/0.0.2/questions.yml

 labels:
-  rancher.istio.v0.0.2: 1.2.5
+  rancher.istio.v0.0.2: 1.3.0
 rancher_min_version: 2.3.0-rc1
 

charts/rancher-istio/0.0.2/templates/NOTES.txt

-Thank you for installing {{ .Chart.Name }}.
+Thank you for installing {{ .Chart.Name | title }}.
 
-Your release is named {{ .Release.Name }}.
+Your release is named {{ .Release.Name | title }}.
 
 To get started running application with Istio, execute the following steps:
 

charts/rancher-istio/0.0.2/templates/_affinity.tpl

@@ -20,7 +20,7 @@
           values:
         {{- range $key, $val := .Values.global.arch }}
           {{- if gt ($val | int) 0 }}
-          - {{ $key }}
+          - {{ $key | quote }}
           {{- end }}
         {{- end }}
         {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}}
@@ -28,7 +28,7 @@
         - key: {{ $key }}
           operator: In
           values:
-          - {{ $val }}
+          - {{ $val | quote }}
         {{- end }}
 {{- end }}
 
@@ -41,7 +41,7 @@
         - key: beta.kubernetes.io/arch
           operator: In
           values:
-          - {{ $key }}
+          - {{ $key | quote }}
     {{- end }}
   {{- end }}
 {{- end }}
@@ -70,7 +70,7 @@
           values:
           {{- $vals := split "," $item.values }}
           {{- range $i, $v := $vals }}
-          - {{ $v }}
+          - {{ $v | quote }}
           {{- end }}
           {{- end }}
       topologyKey: {{ $item.topologyKey }}
@@ -88,7 +88,7 @@
             values:
             {{- $vals := split "," $item.values }}
             {{- range $i, $v := $vals }}
-            - {{ $v }}
+            - {{ $v | quote }}
             {{- end }}
             {{- end }}
         topologyKey: {{ $item.topologyKey }}

charts/rancher-istio/0.0.2/templates/configmap.yaml

@@ -19,6 +19,21 @@ data:
     disablePolicyChecks: true
     {{- end }}
 
+    {{- if .Values.mixer.telemetry.reportBatchMaxEntries }}
+    # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
+    reportBatchMaxEntries: {{ .Values.mixer.telemetry.reportBatchMaxEntries }}
+    {{- end }}
+
+    {{- if .Values.mixer.telemetry.reportBatchMaxTime }}
+    # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
+    reportBatchMaxTime: {{ .Values.mixer.telemetry.reportBatchMaxTime }}
+    {{- end }}
+
+    {{- if .Values.mixer.telemetry.sessionAffinityEnabled }}
+    # sidecarToTelemetrySessionAffinity will create a STRICT_DNS type cluster for istio-telemetry.
+    sidecarToTelemetrySessionAffinity: {{ .Values.mixer.telemetry.sessionAffinityEnabled }}
+    {{- end }}
+
     # Set enableTracing to false to disable request tracing.
     enableTracing: {{ .Values.global.enableTracing }}
 
@@ -35,6 +50,8 @@ data:
     # Set accessLogEncoding to JSON or TEXT to configure sidecar access log
     accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}'
 
+    enableEnvoyAccessLogService: {{ .Values.global.proxy.envoyAccessLogService.enabled }}
+
     {{- if .Values.global.istioRemote }}
     
     {{- if .Values.global.remotePolicyAddress }}
@@ -85,30 +102,27 @@ data:
     # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
     connectTimeout: 10s
 
+    # Automatic protocol detection uses a set of heuristics to
+    # determine whether the connection is using TLS or not (on the
+    # server side), as well as the application protocol being used
+    # (e.g., http vs tcp). These heuristics rely on the client sending
+    # the first bits of data. For server first protocols like MySQL,
+    # MongoDB, etc., Envoy will timeout on the protocol detection after
+    # the specified period, defaulting to non mTLS plain TCP
+    # traffic. Set this field to tweak the period that Envoy will wait
+    # for the client to send the first bits of data. (MUST BE >=1ms)
+    protocolDetectionTimeout: {{ .Values.global.proxy.protocolDetectionTimeout }}
+
     # DNS refresh rate for Envoy clusters of type STRICT_DNS
     dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }}
 
     # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
     # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
-    sdsUdsPath: {{ .Values.global.sds.udsPath }}
-
-    # This flag is used by secret discovery service(SDS). 
-    # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount 
-    # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which 
-    # will be used to generate key/cert eventually. This isn't supported for non-k8s case.
-    enableSdsTokenMount: {{ .Values.global.sds.useTrustworthyJwt }}
-
-    # This flag is used by secret discovery service(SDS). 
-    # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' 
-    # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) 
-    # and pass to sds server, which will be used to request key/cert eventually. 
-    # this flag is ignored if enableSdsTokenMount is set.
-    # This isn't supported for non-k8s case.
-    sdsUseK8sSaJwt: {{ .Values.global.sds.useNormalJwt }}
+    sdsUdsPath: {{ .Values.global.sds.udsPath | quote }}
 
     # The trust domain corresponds to the trust root of a system.
     # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
-    trustDomain: {{ .Values.global.trustDomain }}
+    trustDomain: {{ .Values.global.trustDomain | quote }}
 
     # Set the default behavior of the sidecar for handling outbound traffic from the application:
     # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
@@ -118,16 +132,17 @@ data:
     outboundTrafficPolicy:
       mode: {{ .Values.global.outboundTrafficPolicy.mode }}
 
+    {{- if  .Values.global.localityLbSetting.enabled }}
     localityLbSetting:
-{{ toYaml .Values.global.localityLbSetting | indent 6 }}
-
+{{ toYaml .Values.global.localityLbSetting | trim | indent 6 }}
+    {{- end }}
     # The namespace to treat as the administrative root namespace for istio
     # configuration.
-    {{- if .Values.global.configRootNamespace }}
+{{- if .Values.global.configRootNamespace }}
     rootNamespace: {{ .Values.global.configRootNamespace }}
-    {{- else }}    
+{{- else }}
     rootNamespace: {{ .Release.Namespace }}
-    {{- end }}
+{{- end }}
 
     {{- if .Values.global.defaultConfigVisibilitySettings }}
     defaultServiceExportTo:
@@ -222,6 +237,9 @@ data:
         datadog:
           # Address of the Datadog Agent
           address: {{ .Values.global.tracer.datadog.address }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+      tracing:
+        stackdriver: {}
       {{- end }}
 
     {{- if .Values.global.proxy.envoyStatsd.enabled }}
@@ -233,7 +251,23 @@ data:
     {{- if .Values.global.proxy.envoyMetricsService.enabled }}
       #
       # Envoy's Metrics Service stats sink pushes Envoy metrics to a remote collector via the Metrics Service gRPC API.
-      envoyMetricsServiceAddress: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }}
+      envoyMetricsService:
+        address: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }}
+    {{- end}}
+
+    {{- if .Values.global.proxy.envoyAccessLogService.enabled }}
+      #
+      # Envoy's AccessLog Service pushes access logs to a remote collector via the Access Log Service gRPC API.
+      envoyAccessLogService:
+        address: {{ .Values.global.proxy.envoyAccessLogService.host }}:{{ .Values.global.proxy.envoyAccessLogService.port }}
+    {{- if .Values.global.proxy.envoyAccessLogService.tlsSettings }}
+        tlsSettings:  
+{{ toYaml .Values.global.proxy.envoyAccessLogService.tlsSettings | indent 10 }}
+    {{- end}}
+    {{- if .Values.global.proxy.envoyAccessLogService.tcpKeepalive }}
+        tcpKeepalive:
+{{ toYaml .Values.global.proxy.envoyAccessLogService.tcpKeepalive | indent 10 }}
+    {{- end}}
     {{- end}}
 
     {{- $defPilotHostname := printf "istio-pilot.%s" .Release.Namespace }}

charts/rancher-istio/0.0.2/templates/sidecar-injector-configmap.yaml

@@ -17,9 +17,9 @@ data:
   config: |-
     policy: {{ .Values.global.proxy.autoInject }}
     alwaysInjectSelector:
-{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | indent 6 }}
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
     neverInjectSelector:
-{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | indent 6 }}
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
     template: |-
-{{ .Files.Get "files/injection-template.yaml" | indent 6 }}
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 6 }}
 {{- end }}

charts/rancher-monitoring/v0.0.4/charts/grafana/dashboards/istio/c_istio_galley-dashboard.json

@@ -12,7 +12,7 @@
       }
     ]
   },
-  "editable": false,
+  "editable": true,
   "gnetId": null,
   "graphTooltip": 0,
   "links": [],
@@ -201,7 +201,7 @@
           "refId": "H"
         },
         {
-          "expr": "sum(container_memory_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})",
+          "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "Total (kis)",
@@ -286,14 +286,14 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[4m]))",
+          "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[4m]))",
           "format": "time_series",
           "intervalFactor": 2,
           "legendFormat": "Total (k8s)",
           "refId": "A"
         },
         {
-          "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[4m])) by (container_name)",
+          "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[4m])) by (container_name)",
           "format": "time_series",
           "intervalFactor": 2,
           "legendFormat": "{{ container_name }} (k8s)",
@@ -392,7 +392,7 @@
           "refId": "A"
         },
         {
-          "expr": "container_fs_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}",
+          "expr": "container_fs_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}",
           "format": "time_series",
           "intervalFactor": 2,
           "legendFormat": "{{ container_name }} ",
@@ -484,14 +484,14 @@
           "refId": "A"
         },
         {
-          "expr": "galley_mcp_source_clients_total",
+          "expr": "istio_mcp_clients_total{component=\"galley\"}",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "clients_total",
           "refId": "B"
         },
         {
-          "expr": "go_goroutines{job=\"istio/galley\"}/galley_mcp_source_clients_total",
+          "expr": "go_goroutines{job=\"istio/galley\"}/sum(istio_mcp_clients_total{component=\"galley\"}) without (component)",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "avg_goroutines_per_client",
@@ -1548,7 +1548,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "sum(galley_mcp_source_clients_total)",
+          "expr": "sum(istio_mcp_clients_total{component=\"galley\"})",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "Clients",
@@ -1633,7 +1633,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "sum by(collection)(irate(galley_mcp_source_request_acks_total[4m]) * 60)",
+          "expr": "sum by(collection)(irate(istio_mcp_request_acks_total{component=\"galley\"}[4m]) * 60)",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "",
@@ -1718,7 +1718,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "rate(galley_mcp_source_request_nacks_total[4m]) * 60",
+          "expr": "rate(istio_mcp_request_nacks_total{component=\"galley\"}[4m]) * 60",
           "format": "time_series",
           "intervalFactor": 1,
           "refId": "A"

charts/rancher-monitoring/v0.0.4/charts/grafana/dashboards/istio/c_istio_mixer-dashboard.json

@@ -50,7 +50,7 @@
       }
     ]
   },
-  "editable": false,
+  "editable": true,
   "gnetId": null,
   "graphTooltip": 1,
   "id": null,
@@ -263,7 +263,7 @@
           "refId": "G"
         },
         {
-          "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)",
+          "expr": "sum(label_replace(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -271,7 +271,7 @@
           "refId": "C"
         },
         {
-          "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)",
+          "expr": "sum(label_replace(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -356,7 +356,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[4m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
+          "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[4m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -364,7 +364,7 @@
           "refId": "A"
         },
         {
-          "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[4m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
+          "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[4m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 2,
@@ -467,7 +467,7 @@
           "refId": "A"
         },
         {
-          "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)",
+          "expr": "sum(label_replace(container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)",
           "format": "time_series",
           "intervalFactor": 2,
           "legendFormat": "{{ service }} - {{ container_name }}",