Skip to content

S
system-charts
Unverified Commit 89c34b61 by Denise Committed by GitHub
Options

Merge pull request #68 from alena1108/jun19

[backport 2.3-preview2] Istio 1.2
parents 5f3cd2c3 9c5e36ae
Showing with 2980 additions and 2552 deletions
charts/rancher-istio/0.0.1/Chart.yaml
apiVersion: v1
name: rancher-istio
version: 0.0.1
appVersion: 1.1.5
appVersion: 1.2.0
tillerVersion: ">=2.7.2-0"
description: Helm chart for all istio components
home: https://istio.io/
......
charts/rancher-istio/0.0.1/README.md
......@@ -2,13 +2,17 @@
[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
The documentation here is for developers only, please follow the installation instructions from [istio.io](https://istio.io/docs/setup/kubernetes/install/helm/) for all other uses.
## Introduction
This chart bootstraps all istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
This chart bootstraps all Istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Chart Details
This chart can install multiple istio components as subcharts:
This chart can install multiple Istio components as subcharts:
- ingressgateway
- egressgateway
- sidecarInjectorWebhook
......@@ -18,7 +22,6 @@ This chart can install multiple istio components as subcharts:
- security(citadel)
- grafana
- prometheus
- servicegraph
- tracing(jaeger)
- kiali
......@@ -105,12 +108,6 @@ The chart deploys pods that consume minimum resources as specified in the resour
EOF
```
1. Add `istio.io` chart repository and point to the release:
```
$ helm repo add istio.io https://storage.googleapis.com/istio-prerelease/daily-build/release-1.1-latest-daily/charts
```
1. To install the chart with the release name `istio` in namespace $NAMESPACE you defined above:
- With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0):
......@@ -128,39 +125,7 @@ The chart deploys pods that consume minimum resources as specified in the resour
The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides.
To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation.
Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table:
| Parameter | Description | Values | Default |
| --- | --- | --- | --- |
| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` |
| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` |
| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` |
| `global.proxy.concurrency` | Specifies the number of proxy worker threads | number, 0 = auto | `0` |
| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` |
| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` |
| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` |
| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `ingress.enabled` | Specifies whether Ingress should be installed | true/false | `true` |
| `gateways.enabled` | Specifies whether gateway(both Ingres and Egress) should be installed | true/false | `true` |
| `gateways.istio-ingressgateway.enabled` | Specifies whether Ingress gateway should be installed | true/false | `true` |
| `gateways.istio-egressgateway.enabled` | Specifies whether Egress gateway should be installed | true/false | `true` |
| `sidecarInjectorWebhook.enabled` | Specifies whether automatic sidecar-injector should be installed | true/false | `true` |
| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation | true/false | `true` |
| `security.enabled` | Specifies whether Citadel should be installed | true/false | `true` |
| `mixer.policy.enabled` | Specifies whether Mixer Policy should be installed | true/false | `true` |
| `mixer.telemetry.enabled` | Specifies whether Mixer Telemetry should be installed | true/false | `true` |
| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` |
| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` |
| `grafana.persist` | Specifies whether Grafana addon should persist config data | true/false | `false` |
| `grafana.storageClassName` | If `grafana.persist` is true, specifies the [`StorageClass`](https://kubernetes.io/docs/concepts/storage/storage-classes/) to use for the `PersistentVolumeClaim` | `StorageClass` | "" |
| `grafana.accessMode` | If `grafana.persist` is true, specifies the [`Access Mode`](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use for the `PersistentVolumeClaim` | RWO/ROX/RWX | `ReadWriteMany` |
| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` |
| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` |
| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` |
| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` |
Helm charts expose configuration options which are currently in alpha. The currently exposed options can be found [here](https://istio.io/docs/reference/config/installation-options/).
## Uninstalling the Chart
......
charts/rancher-istio/0.0.1/app-readme.md
......@@ -4,7 +4,7 @@
## Introduction
This chart bootstraps all istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
This chart bootstraps all Istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Chart Details
......
charts/rancher-istio/0.0.1/charts/certmanager/templates/deployment.yaml
apiVersion: apps/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: certmanager
......@@ -9,7 +9,7 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
replicas: 1
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: certmanager
......@@ -19,7 +19,7 @@ spec:
app: certmanager
chart: {{ template "certmanager.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
......@@ -38,7 +38,7 @@ spec:
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
{{- else }}
image: {{ .Values.image.hub }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
......@@ -54,6 +54,7 @@ spec:
fieldPath: metadata.namespace
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.podDnsPolicy }}
dnsPolicy: {{ .Values.podDnsPolicy }}
{{- end }}
......@@ -63,4 +64,8 @@ spec:
{{- end }}
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
\ No newline at end of file
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
\ No newline at end of file
charts/rancher-istio/0.0.1/charts/certmanager/values.yaml
......@@ -4,12 +4,13 @@
# gateway must be updated by adding 'secretVolumes'. After the gateway
# restart, DestinationRules can be created using the ACME-signed certificates.
enabled: false
replicaCount: 1
image:
hub: quay.io
repository: rancher/jetstack-cert-manager-controller
tag: v0.6.2
resources: {}
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -29,5 +30,5 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
charts/rancher-istio/0.0.1/charts/galley/templates/deployment.yaml
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-galley
......@@ -11,6 +11,9 @@ metadata:
istio: galley
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
istio: galley
strategy:
rollingUpdate:
maxSurge: 1
......@@ -46,6 +49,7 @@ spec:
- --livenessProbePath=/healthliveness
- --readinessProbePath=/healthready
- --readinessProbeInterval=1s
- --deployment-namespace={{ .Release.Namespace }}
{{- if $.Values.global.controlPlaneSecurityEnabled}}
- --insecure=false
{{- else }}
......@@ -107,3 +111,7 @@ spec:
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
charts/rancher-istio/0.0.1/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl
......@@ -3,7 +3,6 @@ apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-galley
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "galley.name" . }}
chart: {{ template "galley.chart" . }}
......@@ -65,6 +64,7 @@ webhooks:
- sidecars
- virtualservices
failurePolicy: Fail
sideEffects: None
- name: mixer.validation.istio.io
clientConfig:
service:
......@@ -109,6 +109,12 @@ webhooks:
- quotas
- reportnothings
- tracespans
- adapters
- handlers
- instances
- templates
- zipkins
failurePolicy: Fail
sideEffects: None
{{- end }}
{{- end }}
charts/rancher-istio/0.0.1/charts/galley/tests/deployment_test.yaml deleted 100644 → 0
suite: Test Galley Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
asserts:
- equal:
path: spec.replicas
value: 1
- equal:
path: spec.template.spec.containers[0].ports
value:
- containerPort: 443
- containerPort: 15014
- containerPort: 9901
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
charts/rancher-istio/0.0.1/charts/galley/tests/rbac_test.yaml deleted 100644 → 0
suite: Test Galley RBAC
templates:
- clusterrole.yaml
tests:
- it: should pass all kinds of assertion
set:
asserts:
- isNotNull:
path: rules
- isNotEmpty:
path: rules
- contains:
path: rules
content:
apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["*"]
- isKind:
of: ClusterRole
- isAPIVersion:
of: rbac.authorization.k8s.io/v1
- hasDocuments:
count: 1
charts/rancher-istio/0.0.1/charts/galley/values.yaml
......@@ -4,6 +4,7 @@
enabled: true
replicaCount: 1
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -23,5 +24,5 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
charts/rancher-istio/0.0.1/charts/gateways/templates/_affinity.tpl
......@@ -11,10 +11,6 @@
{{- define "gatewayNodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/os
operator: In
values:
- linux
- key: beta.kubernetes.io/arch
operator: In
values:
......@@ -66,7 +62,7 @@
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.value }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
......
charts/rancher-istio/0.0.1/charts/gateways/templates/autoscale.yaml
......@@ -7,15 +7,17 @@ metadata:
name: {{ $key }}
namespace: {{ $spec.namespace | default $.Release.Namespace }}
labels:
app: {{ $spec.labels.istio }}
chart: {{ template "gateway.chart" $ }}
heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
spec:
maxReplicas: {{ $spec.autoscaleMax }}
minReplicas: {{ $spec.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1beta1
apiVersion: apps/v1
kind: Deployment
name: {{ $key }}
metrics:
......
charts/rancher-istio/0.0.1/charts/gateways/templates/clusterrole.yaml deleted 100644 → 0
{{- range $key, $spec := .Values }}
{{- if ne $key "enabled" }}
{{- if $spec.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $key }}-{{ $.Release.Namespace }}
labels:
app: {{ $spec.labels.istio }}
chart: {{ template "gateway.chart" $ }}
heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }}
rules:
- apiGroups: ["networking.istio.io"]
resources: ["virtualservices", "destinationrules", "gateways"]
verbs: ["get", "watch", "list", "update"]
---
{{- end }}
{{- end }}
{{- end }}
charts/rancher-istio/0.0.1/charts/gateways/templates/clusterrolebindings.yaml deleted 100644 → 0
{{- range $key, $spec := .Values }}
{{- if ne $key "enabled" }}
{{- if $spec.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $key }}-{{ $.Release.Namespace }}
labels:
app: {{ $spec.labels.istio }}
chart: {{ template "gateway.chart" $ }}
heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $key }}-{{ $.Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ $key }}-service-account
namespace: {{ $.Release.Namespace }}
---
{{- end }}
{{- end }}
{{- end }}
charts/rancher-istio/0.0.1/charts/gateways/templates/deployment.yaml
{{- range $key, $spec := .Values }}
{{- if ne $key "enabled" }}
{{- if $spec.enabled }}
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $key }}
......@@ -21,6 +21,12 @@ spec:
replicas: 1
{{- end }}
{{- end }}
selector:
matchLabels:
release: {{ $.Release.Name }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
template:
metadata:
labels:
......@@ -44,7 +50,7 @@ spec:
initContainers:
- name: enable-core-dump
image: "{{ template "system_default_registry" $ }}{{ $.Values.global.proxy_init.repository }}:{{ $.Values.global.proxy_init.tag }}"
imagePullPolicy: IfNotPresent
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
command:
- /bin/sh
args:
......@@ -59,6 +65,12 @@ spec:
- name: ingress-sds
image: "{{ template "system_default_registry" $ }}{{ $.Values.global.nodeAgent.repository }}:{{ $.Values.global.nodeAgent.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
resources:
{{- if $spec.sds.resources }}
{{ toYaml $spec.sds.resources | indent 12 }}
{{- else }}
{{ toYaml $.Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: "ENABLE_WORKLOAD_SDS"
value: "false"
......@@ -92,6 +104,9 @@ spec:
{{- if $.Values.global.proxy.logLevel }}
- --proxyLogLevel={{ $.Values.global.proxy.logLevel }}
{{- end}}
{{- if $.Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ $.Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if $.Values.global.logging.level }}
- --log_output_level={{ $.Values.global.logging.level }}
{{- end}}
......@@ -162,6 +177,11 @@ spec:
{{ toYaml $.Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
......@@ -206,7 +226,7 @@ spec:
volumeMounts:
{{- if $.Values.global.sds.enabled }}
- name: sdsudspath
mountPath: /var/run/sds/uds_path
mountPath: /var/run/sds
readOnly: true
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
......@@ -240,8 +260,7 @@ spec:
{{- if $.Values.global.sds.enabled }}
- name: sdsudspath
hostPath:
path: /var/run/sds/uds_path
type: Socket
path: /var/run/sds
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
......@@ -271,6 +290,10 @@ spec:
affinity:
{{- include "gatewaynodeaffinity" (dict "root" $ "nodeSelector" $spec.nodeSelector) | indent 6 }}
{{- include "gatewaypodAntiAffinity" (dict "podAntiAffinityLabelSelector" $spec.podAntiAffinityLabelSelector "podAntiAffinityTermLabelSelector" $spec.podAntiAffinityTermLabelSelector) | indent 6 }}
{{- if $spec.tolerations }}
tolerations:
{{ toYaml $spec.tolerations | indent 6 }}
{{- end }}
---
{{- end }}
{{- end }}
......
charts/rancher-istio/0.0.1/charts/gateways/templates/preconfigured.yaml
......@@ -84,7 +84,15 @@ metadata:
release: {{ .Release.Name }}
spec:
selector:
istio: ingressgateway
{{- range $key, $spec := .Values }}
{{- if eq $key "istio-ingressgateway" }}
{{- if $spec.enabled }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
servers:
- port:
number: 15011
......@@ -123,7 +131,15 @@ metadata:
release: {{ .Release.Name }}
spec:
selector:
istio: egressgateway
{{- range $key, $spec := .Values }}
{{- if eq $key "istio-egressgateway" }}
{{- if $spec.enabled }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
servers:
- hosts:
- "*.global"
......@@ -146,7 +162,15 @@ metadata:
release: {{ .Release.Name }}
spec:
selector:
istio: ingressgateway
{{- range $key, $spec := .Values }}
{{- if eq $key "istio-ingressgateway" }}
{{- if $spec.enabled }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
servers:
- hosts:
- "*.global"
......@@ -168,20 +192,28 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
workloadLabels:
istio: ingressgateway
filters:
- listenerMatch:
portNumber: 15443
listenerType: GATEWAY
insertPosition:
index: AFTER
relativeTo: envoy.filters.network.sni_cluster
filterName: envoy.filters.network.tcp_cluster_rewrite
filterType: NETWORK
filterConfig:
cluster_pattern: "\\.global$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
workloadLabels:
{{- range $key, $spec := .Values }}
{{- if eq $key "istio-ingressgateway" }}
{{- if $spec.enabled }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
filters:
- listenerMatch:
portNumber: 15443
listenerType: GATEWAY
insertPosition:
index: AFTER
relativeTo: envoy.filters.network.sni_cluster
filterName: envoy.filters.network.tcp_cluster_rewrite
filterType: NETWORK
filterConfig:
cluster_pattern: "\\.global$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
## To ensure all traffic to *.global is using mTLS
apiVersion: networking.istio.io/v1alpha3
......
charts/rancher-istio/0.0.1/charts/gateways/tests/deployment_test.yaml deleted 100644 → 0
suite: Test Gateway Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
istio-ingressgateway.enabled: true
istio-ilbgateway.enabled: false
istio-egressgateway.enabled: false
istio-ingressgateway.autoscaleEnabled: true
asserts:
- isNull:
path: spec.replicas
- contains:
path: spec.template.spec.containers[0].ports
content:
containerPort: 80
- contains:
path: spec.template.spec.containers[0].ports
content:
containerPort: 443
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
- it: should deploy 3 gateways
set:
istio-ingressgateway.enabled: true
istio-ilbgateway.enabled: true
istio-egressgateway.enabled: true
asserts:
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 3
- it: should not deploy gateways
set:
istio-ingressgateway.enabled: false
istio-ilbgateway.enabled: false
istio-egressgateway.enabled: false
asserts:
- hasDocuments:
count: 0
charts/rancher-istio/0.0.1/charts/gateways/values.yaml
......@@ -17,6 +17,14 @@ istio-ingressgateway:
enabled: false
# SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.
# This server runs in the same pod as ingress gateway.
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
labels:
app: istio-ingressgateway
istio: ingressgateway
......@@ -31,7 +39,7 @@ istio-ingressgateway:
memory: 128Mi
limits:
cpu: 2000m
memory: 256Mi
memory: 1024Mi
cpu:
targetAverageUtilization: 80
loadBalancerIP: ""
......@@ -104,12 +112,22 @@ istio-ingressgateway:
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
### Advanced options ############
# Ports to explicitly check for readiness. If configured, the readiness check will expect a
# listener on these ports. A comma separated list is expected, such as "80,443".
#
# Warning: If you do not have a gateway configured for the ports provided, this check will always
# fail. This is intended for use cases where you always expect to have a listener on the port,
# such as 80 or 443 in typical setups.
applicationPorts: ""
env:
# A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "sni-dnat"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -129,8 +147,8 @@ istio-ingressgateway:
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
istio-egressgateway:
enabled: false
......@@ -185,6 +203,7 @@ istio-egressgateway:
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "sni-dnat"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -204,8 +223,8 @@ istio-egressgateway:
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# Mesh ILB gateway creates a gateway of type InternalLoadBalancer,
# for mesh expansion. It exposes the mtls ports for Pilot,CA as well
......@@ -255,3 +274,4 @@ istio-ilbgateway:
secretName: istio-ilbgateway-ca-certs
mountPath: /etc/istio/ilbgateway-ca-certs
nodeSelector: {}
tolerations: []
charts/rancher-istio/0.0.1/charts/grafana/dashboards/galley-dashboard.json
......@@ -296,14 +296,14 @@
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))",
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "A"
},
{
"expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)",
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
......
charts/rancher-istio/0.0.1/charts/grafana/dashboards/istio-performance-dashboard.json
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "5.2.3"
},
{
"type": "panel",
"id": "graph",
"name": "Graph",
"version": "5.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "5.0.0"
},
{
"type": "panel",
"id": "text",
"name": "Text",
"version": "5.0.0"
}
],
"annotations": {
"list": [
{
......@@ -51,23 +15,66 @@
"editable": false,
"gnetId": null,
"graphTooltip": 0,
"id": null,
"id": 9,
"links": [],
"panels": [
{
"collapsed": true,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"id": 21,
"panels": [
{
"content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.\n\n\n",
"gridPos": {
"h": 6,
"w": 24,
"x": 0,
"y": 1
},
"id": 19,
"links": [],
"mode": "markdown",
"timeFrom": null,
"timeShift": null,
"title": "Performance Dashboard README",
"transparent": true,
"type": "text"
}
],
"title": "Performance Dashboard Notes",
"type": "row"
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 1
},
"id": 6,
"panels": [],
"title": "vCPU Usage",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 9,
"h": 8,
"w": 12,
"x": 0,
"y": 0
"y": 2
},
"id": 2,
"id": 4,
"legend": {
"avg": false,
"current": false,
......@@ -82,7 +89,7 @@
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
......@@ -91,28 +98,30 @@
"steppedLine": false,
"targets": [
{
"expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
"expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
"legendFormat": "istio-telemetry",
"refId": "A"
},
{
"expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)",
"expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
"legendFormat": "istio-ingressgateway",
"refId": "B"
},
{
"expr": "(sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
"expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "istio-proxy",
"refId": "C"
},
{
"expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
"expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "istio-policy",
......@@ -121,6 +130,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "vCPU / 1k rps",
"tooltip": {
......@@ -164,15 +174,14 @@
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 9,
"h": 8,
"w": 12,
"x": 12,
"y": 0
"y": 2
},
"id": 6,
"id": 7,
"legend": {
"avg": false,
"current": false,
......@@ -187,7 +196,7 @@
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
......@@ -196,28 +205,28 @@
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))",
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "istio-telemetry",
"refId": "A"
},
{
"expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))",
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "istio-ingressgateway",
"refId": "B"
},
{
"expr": "sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))",
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "istio-proxy",
"refId": "C"
},
{
"expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))",
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "istio-policy",
......@@ -226,6 +235,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "vCPU",
"tooltip": {
......@@ -265,19 +275,31 @@
}
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 10
},
"id": 13,
"panels": [],
"title": "Memory and Data Rates",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 9,
"h": 8,
"w": 12,
"x": 0,
"y": 9
"y": 11
},
"id": 4,
"id": 902,
"legend": {
"avg": false,
"current": false,
......@@ -292,7 +314,7 @@
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
......@@ -312,14 +334,14 @@
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "per istio-ingressgateway",
"refId": "C"
"refId": "B"
},
{
"expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "per istio-proxy",
"refId": "B"
"legendFormat": "per istio proxy",
"refId": "C"
},
{
"expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
......@@ -331,8 +353,9 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Memory",
"title": "Memory Usage",
"tooltip": {
"shared": true,
"sort": 0,
......@@ -348,7 +371,7 @@
},
"yaxes": [
{
"format": "decbytes",
"format": "bytes",
"label": null,
"logBase": 1,
"max": null,
......@@ -374,15 +397,14 @@
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 9,
"h": 8,
"w": 12,
"x": 12,
"y": 9
"y": 11
},
"id": 5,
"id": 11,
"legend": {
"avg": false,
"current": false,
......@@ -397,7 +419,7 @@
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
......@@ -417,25 +439,26 @@
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "istio-ingressgateway",
"refId": "C"
"refId": "B"
},
{
"expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "istio-proxy",
"refId": "D"
"refId": "C"
},
{
"expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "istio-policy",
"refId": "E"
"legendFormat": "istio_policy",
"refId": "D"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Bytes transferred / sec",
"tooltip": {
......@@ -453,7 +476,7 @@
},
"yaxes": [
{
"format": "bytes",
"format": "Bps",
"label": null,
"logBase": 1,
"max": null,
......@@ -475,26 +498,36 @@
}
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 19
},
"id": 17,
"panels": [],
"title": "Istio Component Versions",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 9,
"h": 8,
"w": 24,
"x": 0,
"y": 18
"y": 20
},
"id": 8,
"id": 15,
"legend": {
"alignAsTable": false,
"avg": false,
"current": false,
"max": false,
"min": false,
"rightSide": false,
"show": true,
"total": false,
"values": false
......@@ -504,7 +537,7 @@
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
......@@ -522,6 +555,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Istio Components by Version",
"tooltip": {
......@@ -529,7 +563,6 @@
"sort": 0,
"value_type": "individual"
},
"transparent": false,
"type": "graph",
"xaxis": {
"buckets": null,
......@@ -553,7 +586,7 @@
"logBase": 1,
"max": null,
"min": null,
"show": false
"show": true
}
],
"yaxis": {
......@@ -562,21 +595,1192 @@
}
},
{
"content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only. \n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance. \n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.",
"collapsed": false,
"gridPos": {
"h": 4,
"h": 1,
"w": 24,
"x": 0,
"y": 18
"y": 31
},
"id": 11,
"id": 71,
"panels": [],
"title": "Proxy Resource Usage",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 0,
"y": 32
},
"id": 72,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(container_memory_usage_bytes{container_name=\"istio-proxy\"})",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Memory",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 6,
"y": 32
},
"id": 73,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=\"istio-proxy\"}[1m]))",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "A",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "vCPU",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 12,
"y": 32
},
"id": 702,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"mode": "markdown",
"title": "Istio Performance Dashboard Readme",
"type": "text"
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(container_fs_usage_bytes{container_name=\"istio-proxy\"})",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{ container_name }}",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Disk",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"decimals": null,
"format": "none",
"label": "",
"logBase": 1024,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 39
},
"id": 69,
"panels": [],
"title": "Pilot Resource Usage",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 0,
"y": 40
},
"id": 5,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "process_virtual_memory_bytes{job=\"pilot\"}",
"format": "time_series",
"instant": false,
"intervalFactor": 2,
"legendFormat": "Virtual Memory",
"refId": "I",
"step": 2
},
{
"expr": "process_resident_memory_bytes{job=\"pilot\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Resident Memory",
"refId": "H",
"step": 2
},
{
"expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}",
"format": "time_series",
"hide": true,
"intervalFactor": 2,
"legendFormat": "heap sys",
"refId": "A"
},
{
"expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}",
"format": "time_series",
"hide": true,
"intervalFactor": 2,
"legendFormat": "heap alloc",
"refId": "D"
},
{
"expr": "go_memstats_alloc_bytes{job=\"pilot\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Alloc",
"refId": "F",
"step": 2
},
{
"expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Heap in-use",
"refId": "E",
"step": 2
},
{
"expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Stack in-use",
"refId": "G",
"step": 2
},
{
"expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "C",
"step": 2
},
{
"expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Memory",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 6,
"y": 40
},
"id": 602,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "A",
"step": 2
},
{
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
"refId": "B",
"step": 2
},
{
"expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "pilot (self-reported)",
"refId": "C",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "vCPU",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 12,
"y": 40
},
"id": 74,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "process_open_fds{job=\"pilot\"}",
"format": "time_series",
"hide": true,
"instant": false,
"interval": "",
"intervalFactor": 2,
"legendFormat": "Open FDs (pilot)",
"refId": "A"
},
{
"expr": "container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{ container_name }}",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Disk",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"decimals": null,
"format": "none",
"label": "",
"logBase": 1024,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 18,
"y": 40
},
"id": 402,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "go_goroutines{job=\"pilot\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Number of Goroutines",
"refId": "A",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Goroutines",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 47
},
"id": 93,
"panels": [],
"title": "Mixer Resource Usage",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 0,
"y": 48
},
"id": 94,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"instant": false,
"intervalFactor": 2,
"legendFormat": "Virtual Memory",
"refId": "I",
"step": 2
},
{
"expr": "process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Resident Memory",
"refId": "H",
"step": 2
},
{
"expr": "go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"hide": true,
"intervalFactor": 2,
"legendFormat": "heap sys",
"refId": "A"
},
{
"expr": "go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"hide": true,
"intervalFactor": 2,
"legendFormat": "heap alloc",
"refId": "D"
},
{
"expr": "go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Alloc",
"refId": "F",
"step": 2
},
{
"expr": "go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Heap in-use",
"refId": "E",
"step": 2
},
{
"expr": "go_memstats_stack_inuse_bytes{job=~\"istio-policy|istio-telemetry\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Stack in-use",
"refId": "G",
"step": 2
},
{
"expr": "sum(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"})",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "C",
"step": 2
},
{
"expr": "container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Memory",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 6,
"y": 48
},
"id": 95,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}[1m]))",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "A",
"step": 2
},
{
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}[1m])) by (container_name)",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
"refId": "B",
"step": 2
},
{
"expr": "irate(process_cpu_seconds_total{job=~\"istio-policy|istio-telemetry\"}[1m])",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "mixer (self-reported)",
"refId": "C",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "vCPU",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 12,
"y": 48
},
"id": 96,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "process_open_fds{job=~\"istio-policy|istio-telemetry\"}",
"format": "time_series",
"hide": true,
"instant": false,
"interval": "",
"intervalFactor": 2,
"legendFormat": "Open FDs (pilot)",
"refId": "A"
},
{
"expr": "container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{ container_name }}",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Disk",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"decimals": null,
"format": "none",
"label": "",
"logBase": 1024,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 18,
"y": 48
},
"id": 97,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "go_goroutines{job=\"istio-telemetry\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Number of Goroutines",
"refId": "A",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Goroutines",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
}
],
"schemaVersion": 16,
"refresh": "10s",
"schemaVersion": 18,
"style": "dark",
"tags": [],
"templating": {
......@@ -613,5 +1817,6 @@
},
"timezone": "",
"title": "Istio Performance Dashboard",
"version": 4
"uid": "vu8e0VWZk",
"version": 22
}
charts/rancher-istio/0.0.1/charts/grafana/dashboards/istio-service-dashboard.json
......@@ -1742,7 +1742,7 @@
"steppedLine": false,
"targets": [
{
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)",
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
......@@ -1751,7 +1751,7 @@
"step": 2
},
{
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)",
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
......
charts/rancher-istio/0.0.1/charts/grafana/dashboards/istio-workload-dashboard.json
......@@ -654,7 +654,7 @@
"steppedLine": false,
"targets": [
{
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)",
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
......@@ -663,7 +663,7 @@
"step": 2
},
{
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)",
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
......
charts/rancher-istio/0.0.1/charts/grafana/dashboards/mixer-dashboard.json
......@@ -356,7 +356,7 @@
"steppedLine": false,
"targets": [
{
"expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
"expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
......@@ -364,7 +364,7 @@
"refId": "A"
},
{
"expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
"expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
......@@ -1599,7 +1599,7 @@
"steppedLine": false,
"targets": [
{
"expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{ handler }} (error: {{ error }})",
......@@ -1683,21 +1683,21 @@
"steppedLine": false,
"targets": [
{
"expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "p50 - {{ handler_short }} (error: {{ error }})",
"refId": "A"
},
{
"expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "p90 - {{ handler_short }} (error: {{ error }})",
"refId": "D"
},
{
"expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "p99 - {{ handler_short }} (error: {{ error }})",
......
charts/rancher-istio/0.0.1/charts/grafana/dashboards/pilot-dashboard.json
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "5.2.3"
},
{
"type": "panel",
"id": "graph",
"name": "Graph",
"version": "5.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "5.0.0"
},
{
"type": "panel",
"id": "text",
"name": "Text",
"version": "5.0.0"
}
],
"annotations": {
"list": [
{
......@@ -51,24 +15,21 @@
"editable": false,
"gnetId": null,
"graphTooltip": 1,
"id": null,
"id": 6,
"links": [],
"panels": [
{
"content": "<center><h2>Deployed Versions</h2></center>",
"collapsed": false,
"gridPos": {
"h": 3,
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"height": "40",
"id": 58,
"links": [],
"mode": "html",
"title": "",
"transparent": true,
"type": "text"
"id": 60,
"panels": [],
"title": "Deployed Versions",
"type": "row"
},
{
"aliasColors": {},
......@@ -81,7 +42,7 @@
"h": 5,
"w": 24,
"x": 0,
"y": 3
"y": 1
},
"id": 56,
"legend": {
......@@ -116,6 +77,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Pilot Versions",
"tooltip": {
......@@ -155,20 +117,17 @@
}
},
{
"content": "<center><h2>Resource Usage</h2></center>",
"collapsed": false,
"gridPos": {
"h": 3,
"h": 1,
"w": 24,
"x": 0,
"y": 8
"y": 6
},
"height": "40",
"id": 29,
"links": [],
"mode": "html",
"title": "",
"transparent": true,
"type": "text"
"id": 62,
"panels": [],
"title": "Resource Usage",
"type": "row"
},
{
"aliasColors": {},
......@@ -181,7 +140,7 @@
"h": 7,
"w": 6,
"x": 0,
"y": 11
"y": 7
},
"id": 5,
"legend": {
......@@ -285,6 +244,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Memory",
"tooltip": {
......@@ -334,7 +294,7 @@
"h": 7,
"w": 6,
"x": 6,
"y": 11
"y": 7
},
"id": 6,
"legend": {
......@@ -360,7 +320,7 @@
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))",
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
......@@ -369,7 +329,7 @@
"step": 2
},
{
"expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)",
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
......@@ -389,6 +349,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "CPU",
"tooltip": {
......@@ -438,7 +399,7 @@
"h": 7,
"w": 6,
"x": 12,
"y": 11
"y": 7
},
"id": 7,
"legend": {
......@@ -484,6 +445,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Disk",
"tooltip": {
......@@ -534,7 +496,7 @@
"h": 7,
"w": 6,
"x": 18,
"y": 11
"y": 7
},
"id": 4,
"legend": {
......@@ -570,6 +532,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Goroutines",
"tooltip": {
......@@ -609,19 +572,238 @@
}
},
{
"content": "<center><h2>xDS</h2></center>",
"collapsed": false,
"gridPos": {
"h": 3,
"h": 1,
"w": 24,
"x": 0,
"y": 18
"y": 14
},
"id": 58,
"panels": [],
"title": "Pilot Push Information",
"type": "row"
},
{
"aliasColors": {},
"bars": true,
"dashLength": 10,
"dashes": false,
"description": "Shows pilot pushes",
"fill": 1,
"gridPos": {
"h": 8,
"w": 12,
"x": 0,
"y": 15
},
"id": 622,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": false,
"linewidth": 1,
"links": [],
"nullPointMode": "null as zero",
"paceLength": 10,
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": true,
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(pilot_xds_pushes{type!~\".*_senderr\"}[1m])) by (type)",
"format": "time_series",
"instant": false,
"interval": "",
"intervalFactor": 1,
"legendFormat": "{{ type }}",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Pilot Pushes",
"tooltip": {
"shared": false,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": [
"total"
]
},
"yaxes": [
{
"format": "ops",
"label": null,
"logBase": 1,
"max": null,
"min": "0",
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"description": "Captures a variety of pilot errors",
"fill": 1,
"gridPos": {
"h": 8,
"w": 12,
"x": 12,
"y": 15
},
"id": 67,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"id": 28,
"lines": true,
"linewidth": 1,
"links": [],
"mode": "html",
"title": "",
"transparent": true,
"type": "text"
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
"legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}",
"refId": "C"
},
{
"expr": "pilot_xds_eds_reject{job=\"pilot\"}",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
"legendFormat": "Rejected EDS Configs",
"refId": "D"
},
{
"expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "Write Timeouts",
"refId": "F"
},
{
"expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "Push Timeouts",
"refId": "G"
},
{
"expr": "sum(rate(pilot_xds_push_errors{job=\"pilot\"}[1m]))",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
"legendFormat": "Push Errors ({{ type }})",
"refId": "I"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Pilot Errors",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 23
},
"id": 64,
"panels": [],
"title": "xDS",
"type": "row"
},
{
"aliasColors": {},
......@@ -634,7 +816,7 @@
"h": 6,
"w": 8,
"x": 0,
"y": 21
"y": 24
},
"id": 40,
"legend": {
......@@ -670,6 +852,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Updates",
"tooltip": {
......@@ -719,7 +902,7 @@
"h": 6,
"w": 8,
"x": 8,
"y": 21
"y": 24
},
"id": 42,
"legend": {
......@@ -755,6 +938,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Failures",
"tooltip": {
......@@ -804,7 +988,7 @@
"h": 6,
"w": 8,
"x": 16,
"y": 21
"y": 24
},
"id": 41,
"legend": {
......@@ -840,6 +1024,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Active Connections",
"tooltip": {
......@@ -889,7 +1074,7 @@
"h": 8,
"w": 8,
"x": 0,
"y": 27
"y": 30
},
"id": 45,
"legend": {
......@@ -945,6 +1130,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Conflicts",
"tooltip": {
......@@ -994,7 +1180,7 @@
"h": 8,
"w": 8,
"x": 8,
"y": 27
"y": 30
},
"id": 47,
"legend": {
......@@ -1087,6 +1273,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "ADS Monitoring",
"tooltip": {
......@@ -1136,7 +1323,7 @@
"h": 8,
"w": 8,
"x": 16,
"y": 27
"y": 30
},
"id": 49,
"legend": {
......@@ -1171,6 +1358,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Rejected CDS Configs",
"tooltip": {
......@@ -1220,7 +1408,7 @@
"h": 7,
"w": 8,
"x": 0,
"y": 35
"y": 38
},
"id": 52,
"legend": {
......@@ -1255,6 +1443,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Rejected EDS Configs",
"tooltip": {
......@@ -1304,7 +1493,7 @@
"h": 7,
"w": 8,
"x": 8,
"y": 35
"y": 38
},
"id": 54,
"legend": {
......@@ -1339,6 +1528,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Rejected LDS Configs",
"tooltip": {
......@@ -1388,7 +1578,7 @@
"h": 7,
"w": 8,
"x": 16,
"y": 35
"y": 38
},
"id": 53,
"legend": {
......@@ -1423,6 +1613,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Rejected RDS Configs",
"tooltip": {
......@@ -1474,7 +1665,7 @@
"h": 7,
"w": 8,
"x": 0,
"y": 42
"y": 45
},
"id": 51,
"legend": {
......@@ -1514,6 +1705,7 @@
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "EDS Instances",
"tooltip": {
......@@ -1554,7 +1746,7 @@
}
],
"refresh": "5s",
"schemaVersion": 16,
"schemaVersion": 18,
"style": "dark",
"tags": [],
"templating": {
......@@ -1591,5 +1783,6 @@
},
"timezone": "browser",
"title": "Istio Pilot Dashboard",
"version": 4
"uid": "3--MLVZZk",
"version": 1
}
charts/rancher-istio/0.0.1/charts/grafana/fix_datasources.sh 100644 → 100755
File mode changed from 100644 to 100755
charts/rancher-istio/0.0.1/charts/grafana/templates/create-custom-resources-job.yaml
......@@ -14,6 +14,12 @@ metadata:
chart: {{ template "grafana.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
......
charts/rancher-istio/0.0.1/charts/grafana/templates/deployment.yaml
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana
......@@ -10,6 +10,9 @@ metadata:
release: {{ .Release.Name }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: grafana
template:
metadata:
labels:
......@@ -19,6 +22,7 @@ spec:
release: {{ .Release.Name }}
annotations:
sidecar.istio.io/inject: "false"
prometheus.io/scrape: "true"
spec:
securityContext:
fsGroup: 472
......@@ -115,6 +119,10 @@ spec:
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
volumes:
- name: config
configMap:
......
charts/rancher-istio/0.0.1/charts/grafana/templates/tests/test-grafana-connection.yaml
......@@ -26,4 +26,5 @@ spec:
restartPolicy: Never
affinity:
{{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- end }}
charts/rancher-istio/0.0.1/charts/grafana/tests/deployment_test.yaml deleted 100644 → 0
suite: Test Istio Grafana Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
charts/rancher-istio/0.0.1/charts/grafana/values.yaml
......@@ -28,6 +28,7 @@ security:
usernameKey: username
passphraseKey: passphrase
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -47,8 +48,8 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
contextPath: /grafana
service:
......
charts/rancher-istio/0.0.1/charts/istiocoredns/templates/deployment.yaml
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: istiocoredns
......@@ -10,6 +10,9 @@ metadata:
release: {{ .Release.Name }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: istiocoredns
template:
metadata:
name: istiocoredns
......@@ -28,7 +31,7 @@ spec:
containers:
- name: coredns
image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: IfNotPresent
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args: [ "-conf", "/etc/coredns/Corefile" ]
volumeMounts:
- name: config-volume
......@@ -62,7 +65,7 @@ spec:
command:
- /usr/local/bin/plugin
image: "{{ template "system_default_registry" . }}{{ .Values.pluginImage.repository }}:{{ .Values.pluginImage.tag }}"
imagePullPolicy: IfNotPresent
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 8053
name: dns-grpc
......@@ -84,3 +87,7 @@ spec:
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
charts/rancher-istio/0.0.1/charts/istiocoredns/values.yaml
......@@ -7,6 +7,7 @@ replicaCount: 1
# https://github.com/istio-ecosystem/istio-coredns-plugin
# The plugin listens for DNS requests from coredns server at 127.0.0.1:8053
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -26,5 +27,5 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
charts/rancher-istio/0.0.1/charts/kiali/Chart.yaml
......@@ -2,5 +2,5 @@ apiVersion: v1
description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details.
name: kiali
version: 1.1.0
appVersion: 0.17
appVersion: 0.20
tillerVersion: ">=2.7.2"
charts/rancher-istio/0.0.1/charts/kiali/templates/clusterrole.yaml
......@@ -15,8 +15,9 @@ rules:
- namespaces
- nodes
- pods
- services
- pods/log
- replicationcontrollers
- services
verbs:
- get
- list
......@@ -24,8 +25,8 @@ rules:
- apiGroups: ["extensions", "apps"]
resources:
- deployments
- statefulsets
- replicasets
- statefulsets
verbs:
- get
- list
......@@ -47,13 +48,19 @@ rules:
- watch
- apiGroups: ["config.istio.io"]
resources:
- adapters
- apikeys
- bypasses
- authorizations
- checknothings
- circonuses
- cloudwatches
- deniers
- dogstatsds
- edges
- fluentds
- handlers
- instances
- kubernetesenvs
- kuberneteses
- listcheckers
......@@ -61,18 +68,24 @@ rules:
- logentries
- memquotas
- metrics
- noops
- opas
- prometheuses
- quotas
- quotaspecbindings
- quotaspecs
- rbacs
- redisquotas
- reportnothings
- rules
- signalfxs
- solarwindses
- stackdrivers
- statsds
- stdios
- templates
- tracespans
- zipkins
verbs:
- create
- delete
......@@ -95,8 +108,8 @@ rules:
- watch
- apiGroups: ["authentication.istio.io"]
resources:
- policies
- meshpolicies
- policies
verbs:
- create
- delete
......@@ -108,8 +121,8 @@ rules:
resources:
- clusterrbacconfigs
- rbacconfigs
- serviceroles
- servicerolebindings
- serviceroles
verbs:
- create
- delete
......@@ -122,6 +135,7 @@ rules:
- monitoringdashboards
verbs:
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
......@@ -140,8 +154,9 @@ rules:
- namespaces
- nodes
- pods
- services
- pods/log
- replicationcontrollers
- services
verbs:
- get
- list
......@@ -149,8 +164,8 @@ rules:
- apiGroups: ["extensions", "apps"]
resources:
- deployments
- statefulsets
- replicasets
- statefulsets
verbs:
- get
- list
......@@ -172,13 +187,19 @@ rules:
- watch
- apiGroups: ["config.istio.io"]
resources:
- adapters
- apikeys
- bypasses
- authorizations
- checknothings
- circonuses
- cloudwatches
- deniers
- dogstatsds
- edges
- fluentds
- handlers
- instances
- kubernetesenvs
- kuberneteses
- listcheckers
......@@ -186,20 +207,24 @@ rules:
- logentries
- memquotas
- metrics
- noops
- opas
- prometheuses
- quotas
- quotaspecbindings
- quotaspecs
- rbacs
- redisquotas
- reportnothings
- rules
- servicecontrolreports
- servicecontrols
- signalfxs
- solarwindses
- stackdrivers
- statsds
- stdios
- templates
- tracespans
- zipkins
verbs:
- get
- list
......@@ -216,8 +241,8 @@ rules:
- watch
- apiGroups: ["authentication.istio.io"]
resources:
- policies
- meshpolicies
- policies
verbs:
- get
- list
......@@ -226,8 +251,8 @@ rules:
resources:
- clusterrbacconfigs
- rbacconfigs
- serviceroles
- servicerolebindings
- serviceroles
verbs:
- get
- list
......@@ -237,3 +262,4 @@ rules:
- monitoringdashboards
verbs:
- get
- list
charts/rancher-istio/0.0.1/charts/kiali/templates/clusterrolebinding.yaml
......@@ -10,7 +10,7 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kiali
name: kiali{{- if .Values.dashboard.viewOnlyMode }}-viewer{{- end }}
subjects:
- kind: ServiceAccount
name: kiali-service-account
......
charts/rancher-istio/0.0.1/charts/kiali/templates/configmap.yaml
......@@ -14,12 +14,12 @@ data:
server:
port: 20001
external_services:
istio:
url_service_version: http://istio-pilot:8080/version
jaeger:
service: "jaeger-query"
{{- if .Values.dashboard.jaegerURL }}
url: {{ .Values.dashboard.jaegerURL }}
tracing:
service: "tracing/jaeger"
{{- if and .Values.global.rancher (and .Values.global.rancher.domain .Values.global.rancher.clusterId) }}
{{- if not .Values.dashboard.jaegerURL }}
url: 'https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:tracing:80/proxy/jaeger'
{{- end }}
{{- end }}
grafana:
custom_metrics_url: "http://prometheus.{{ .Release.Namespace }}:9090"
......
charts/rancher-istio/0.0.1/charts/kiali/templates/deployment.yaml
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: kiali
......@@ -23,6 +23,9 @@ spec:
release: {{ .Release.Name }}
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
prometheus.io/scrape: "true"
prometheus.io/port: "9090"
spec:
serviceAccountName: kiali-service-account
{{- if .Values.global.priorityClassName }}
......@@ -39,10 +42,6 @@ spec:
- "4"
env:
{{- if and .Values.global.rancher (and .Values.global.rancher.domain .Values.global.rancher.clusterId) }}
{{- if not .Values.dashboard.jaegerURL }}
- name: JAEGER_URL
value: 'https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/tracing:80/proxy/jaeger'
{{- end }}
{{- if not .Values.dashboard.grafanaURL }}
- name: GRAFANA_URL
value: 'https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:grafana:80/proxy/'
......@@ -75,6 +74,8 @@ spec:
volumeMounts:
- name: kiali-configuration
mountPath: "/kiali-configuration"
- name: kiali-secret
mountPath: "/kiali-secret"
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }}
......@@ -111,6 +112,10 @@ spec:
- key: nginx.conf
mode: 438
path: nginx.conf
- name: kiali-secret
secret:
secretName: {{ .Values.dashboard.secretName }}
optional: true
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
charts/rancher-istio/0.0.1/charts/kiali/templates/secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: kiali
name: {{ .Values.dashboard.secretName }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "kiali.name" . }}
......
charts/rancher-istio/0.0.1/charts/kiali/templates/tests/test-kiali-connection.yaml
......@@ -26,4 +26,5 @@ spec:
restartPolicy: Never
affinity:
{{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- end }}
charts/rancher-istio/0.0.1/charts/kiali/tests/deployment_test.yaml deleted 100644 → 0
suite: Test Istio Kiali Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
charts/rancher-istio/0.0.1/charts/kiali/values.yaml
#
# addon kiali
#
enabled: false
enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`.
replicaCount: 1
contextPath: /
nodeSelector: {}
......@@ -24,8 +24,8 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
ingress:
enabled: false
......@@ -44,15 +44,15 @@ ingress:
dashboard:
# login/anonymous
authStrategy: anonymous
secretName: kiali
username: admin
passphrase: admin
# Override the automatically detected Grafana URL, useful when Grafana service has no ExternalIPs
grafanaURL:
secretName: kiali # You must create a secret with this name - one is not provided out-of-box.
viewOnlyMode: false # Bind the service account to a role with only read access
grafanaURL: # If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. Kiali will redirect users to this URL when Grafana metrics are to be shown.
jaegerURL: # If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown.
# Override the automatically detected Jaeger URL, useful when Jaeger service has no ExternalIPs
jaegerURL:
prometheusAddr: http://prometheus:9090
service:
......
charts/rancher-istio/0.0.1/charts/mixer/templates/autoscale.yaml
......@@ -15,7 +15,7 @@ spec:
maxReplicas: {{ $spec.autoscaleMax }}
minReplicas: {{ $spec.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1beta1
apiVersion: apps/v1
kind: Deployment
name: istio-{{ $key }}
metrics:
......
charts/rancher-istio/0.0.1/charts/mixer/templates/config.yaml
......@@ -222,7 +222,7 @@ spec:
outputAsJson: {{ .Values.adapters.stdio.outputAsJson }}
---
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
kind: instance
metadata:
name: accesslog
namespace: {{ .Release.Namespace }}
......@@ -232,54 +232,56 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
severity: '"Info"'
timestamp: request.time
variables:
sourceIp: source.ip | ip("0.0.0.0")
sourceApp: source.labels["app"] | ""
sourcePrincipal: source.principal | ""
sourceName: source.name | ""
sourceWorkload: source.workload.name | ""
sourceNamespace: source.namespace | ""
sourceOwner: source.owner | ""
destinationApp: destination.labels["app"] | ""
destinationIp: destination.ip | ip("0.0.0.0")
destinationServiceHost: destination.service.host | ""
destinationWorkload: destination.workload.name | ""
destinationName: destination.name | ""
destinationNamespace: destination.namespace | ""
destinationOwner: destination.owner | ""
destinationPrincipal: destination.principal | ""
apiClaims: request.auth.raw_claims | ""
apiKey: request.api_key | request.headers["x-api-key"] | ""
protocol: request.scheme | context.protocol | "http"
method: request.method | ""
url: request.path | ""
responseCode: response.code | 0
responseFlags: context.proxy_error_code | ""
responseSize: response.size | 0
permissiveResponseCode: rbac.permissive.response_code | "none"
permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none"
requestSize: request.size | 0
requestId: request.headers["x-request-id"] | ""
clientTraceId: request.headers["x-client-trace-id"] | ""
latency: response.duration | "0ms"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
requestedServerName: connection.requested_server_name | ""
userAgent: request.useragent | ""
responseTimestamp: response.time
receivedBytes: request.total_size | 0
sentBytes: response.total_size | 0
referer: request.referer | ""
httpAuthority: request.headers[":authority"] | request.host | ""
xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
grpcStatus: response.grpc_status | ""
grpcMessage: response.grpc_message | ""
monitored_resource_type: '"global"'
compiledTemplate: logentry
params:
severity: '"Info"'
timestamp: request.time
variables:
sourceIp: source.ip | ip("0.0.0.0")
sourceApp: source.labels["app"] | ""
sourcePrincipal: source.principal | ""
sourceName: source.name | ""
sourceWorkload: source.workload.name | ""
sourceNamespace: source.namespace | ""
sourceOwner: source.owner | ""
destinationApp: destination.labels["app"] | ""
destinationIp: destination.ip | ip("0.0.0.0")
destinationServiceHost: destination.service.host | ""
destinationWorkload: destination.workload.name | ""
destinationName: destination.name | ""
destinationNamespace: destination.namespace | ""
destinationOwner: destination.owner | ""
destinationPrincipal: destination.principal | ""
apiClaims: request.auth.raw_claims | ""
apiKey: request.api_key | request.headers["x-api-key"] | ""
protocol: request.scheme | context.protocol | "http"
method: request.method | ""
url: request.path | ""
responseCode: response.code | 0
responseFlags: context.proxy_error_code | ""
responseSize: response.size | 0
permissiveResponseCode: rbac.permissive.response_code | "none"
permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none"
requestSize: request.size | 0
requestId: request.headers["x-request-id"] | ""
clientTraceId: request.headers["x-client-trace-id"] | ""
latency: response.duration | "0ms"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
requestedServerName: connection.requested_server_name | ""
userAgent: request.useragent | ""
responseTimestamp: response.time
receivedBytes: request.total_size | 0
sentBytes: response.total_size | 0
referer: request.referer | ""
httpAuthority: request.headers[":authority"] | request.host | ""
xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
grpcStatus: response.grpc_status | ""
grpcMessage: response.grpc_message | ""
monitored_resource_type: '"global"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
kind: instance
metadata:
name: tcpaccesslog
namespace: {{ .Release.Namespace }}
......@@ -289,36 +291,38 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
severity: '"Info"'
timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
variables:
connectionEvent: connection.event | ""
sourceIp: source.ip | ip("0.0.0.0")
sourceApp: source.labels["app"] | ""
sourcePrincipal: source.principal | ""
sourceName: source.name | ""
sourceWorkload: source.workload.name | ""
sourceNamespace: source.namespace | ""
sourceOwner: source.owner | ""
destinationApp: destination.labels["app"] | ""
destinationIp: destination.ip | ip("0.0.0.0")
destinationServiceHost: destination.service.host | ""
destinationWorkload: destination.workload.name | ""
destinationName: destination.name | ""
destinationNamespace: destination.namespace | ""
destinationOwner: destination.owner | ""
destinationPrincipal: destination.principal | ""
protocol: context.protocol | "tcp"
connectionDuration: connection.duration | "0ms"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
requestedServerName: connection.requested_server_name | ""
receivedBytes: connection.received.bytes | 0
sentBytes: connection.sent.bytes | 0
totalReceivedBytes: connection.received.bytes_total | 0
totalSentBytes: connection.sent.bytes_total | 0
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
responseFlags: context.proxy_error_code | ""
monitored_resource_type: '"global"'
compiledTemplate: logentry
params:
severity: '"Info"'
timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
variables:
connectionEvent: connection.event | ""
sourceIp: source.ip | ip("0.0.0.0")
sourceApp: source.labels["app"] | ""
sourcePrincipal: source.principal | ""
sourceName: source.name | ""
sourceWorkload: source.workload.name | ""
sourceNamespace: source.namespace | ""
sourceOwner: source.owner | ""
destinationApp: destination.labels["app"] | ""
destinationIp: destination.ip | ip("0.0.0.0")
destinationServiceHost: destination.service.host | ""
destinationWorkload: destination.workload.name | ""
destinationName: destination.name | ""
destinationNamespace: destination.namespace | ""
destinationOwner: destination.owner | ""
destinationPrincipal: destination.principal | ""
protocol: context.protocol | "tcp"
connectionDuration: connection.duration | "0ms"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
requestedServerName: connection.requested_server_name | ""
receivedBytes: connection.received.bytes | 0
sentBytes: connection.sent.bytes | 0
totalReceivedBytes: connection.received.bytes_total | 0
totalSentBytes: connection.sent.bytes_total | 0
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
responseFlags: context.proxy_error_code | ""
monitored_resource_type: '"global"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
......@@ -335,7 +339,7 @@ spec:
actions:
- handler: stdio
instances:
- accesslog.logentry
- accesslog
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
......@@ -352,12 +356,12 @@ spec:
actions:
- handler: stdio
instances:
- tcpaccesslog.logentry
- tcpaccesslog
{{- end }}
---
{{- if and .Values.adapters.prometheus.enabled .Values.telemetry.enabled }}
apiVersion: "config.istio.io/v1alpha2"
kind: metric
kind: instance
metadata:
name: requestcount
namespace: {{ .Release.Namespace }}
......@@ -367,32 +371,34 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
value: "1"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
compiledTemplate: metric
params:
value: "1"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
kind: instance
metadata:
name: requestduration
namespace: {{ .Release.Namespace }}
......@@ -402,32 +408,34 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
value: response.duration | "0ms"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
compiledTemplate: metric
params:
value: response.duration | "0ms"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
kind: instance
metadata:
name: requestsize
namespace: {{ .Release.Namespace }}
......@@ -437,32 +445,34 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
value: request.size | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
compiledTemplate: metric
params:
value: request.size | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
kind: instance
metadata:
name: responsesize
namespace: {{ .Release.Namespace }}
......@@ -472,32 +482,34 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
value: response.size | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
compiledTemplate: metric
params:
value: response.size | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
kind: instance
metadata:
name: tcpbytesent
namespace: {{ .Release.Namespace }}
......@@ -507,28 +519,30 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
value: connection.sent.bytes | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
compiledTemplate: metric
params:
value: connection.sent.bytes | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
kind: instance
metadata:
name: tcpbytereceived
namespace: {{ .Release.Namespace }}
......@@ -538,28 +552,30 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
value: connection.received.bytes | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
compiledTemplate: metric
params:
value: connection.received.bytes | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
kind: instance
metadata:
name: tcpconnectionsopened
namespace: {{ .Release.Namespace }}
......@@ -569,28 +585,30 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
value: "1"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.name | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
compiledTemplate: metric
params:
value: "1"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.name | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
kind: instance
metadata:
name: tcpconnectionsclosed
namespace: {{ .Release.Namespace }}
......@@ -600,25 +618,27 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
value: "1"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.name | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
compiledTemplate: metric
params:
value: "1"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.name | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: handler
......@@ -637,7 +657,7 @@ spec:
metricsExpiryDuration: "{{ .Values.adapters.prometheus.metricsExpiryDuration }}"
metrics:
- name: requests_total
instance_name: requestcount.metric.{{ .Release.Namespace }}
instance_name: requestcount.instance.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- reporter
......@@ -661,7 +681,7 @@ spec:
- permissive_response_policyid
- connection_security_policy
- name: request_duration_seconds
instance_name: requestduration.metric.{{ .Release.Namespace }}
instance_name: requestduration.instance.{{ .Release.Namespace }}
kind: DISTRIBUTION
label_names:
- reporter
......@@ -688,7 +708,7 @@ spec:
explicit_buckets:
bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
- name: request_bytes
instance_name: requestsize.metric.{{ .Release.Namespace }}
instance_name: requestsize.instance.{{ .Release.Namespace }}
kind: DISTRIBUTION
label_names:
- reporter
......@@ -717,7 +737,7 @@ spec:
scale: 1
growthFactor: 10
- name: response_bytes
instance_name: responsesize.metric.{{ .Release.Namespace }}
instance_name: responsesize.instance.{{ .Release.Namespace }}
kind: DISTRIBUTION
label_names:
- reporter
......@@ -746,7 +766,7 @@ spec:
scale: 1
growthFactor: 10
- name: tcp_sent_bytes_total
instance_name: tcpbytesent.metric.{{ .Release.Namespace }}
instance_name: tcpbytesent.instance.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- reporter
......@@ -766,7 +786,7 @@ spec:
- connection_security_policy
- response_flags
- name: tcp_received_bytes_total
instance_name: tcpbytereceived.metric.{{ .Release.Namespace }}
instance_name: tcpbytereceived.instance.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- reporter
......@@ -786,7 +806,7 @@ spec:
- connection_security_policy
- response_flags
- name: tcp_connections_opened_total
instance_name: tcpconnectionsopened.metric.{{ .Release.Namespace }}
instance_name: tcpconnectionsopened.instance.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- reporter
......@@ -806,7 +826,7 @@ spec:
- connection_security_policy
- response_flags
- name: tcp_connections_closed_total
instance_name: tcpconnectionsclosed.metric.{{ .Release.Namespace }}
instance_name: tcpconnectionsclosed.instance.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- reporter
......@@ -837,14 +857,14 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false)
match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false)
actions:
- handler: prometheus
instances:
- requestcount.metric
- requestduration.metric
- requestsize.metric
- responsesize.metric
- requestcount
- requestduration
- requestsize
- responsesize
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
......@@ -861,8 +881,8 @@ spec:
actions:
- handler: prometheus
instances:
- tcpbytesent.metric
- tcpbytereceived.metric
- tcpbytesent
- tcpbytereceived
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
......@@ -879,7 +899,7 @@ spec:
actions:
- handler: prometheus
instances:
- tcpconnectionsopened.metric
- tcpconnectionsopened
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
......@@ -896,7 +916,7 @@ spec:
actions:
- handler: prometheus
instances:
- tcpconnectionsclosed.metric
- tcpconnectionsclosed
{{- end }}
---
{{- if and .Values.adapters.kubernetesenv.enabled (or .Values.policy.enabled .Values.telemetry.enabled) }}
......@@ -935,7 +955,7 @@ spec:
actions:
- handler: kubernetesenv
instances:
- attributes.kubernetes
- attributes
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
......@@ -952,10 +972,10 @@ spec:
actions:
- handler: kubernetesenv
instances:
- attributes.kubernetes
- attributes
---
apiVersion: "config.istio.io/v1alpha2"
kind: kubernetes
kind: instance
metadata:
name: attributes
namespace: {{ .Release.Namespace }}
......@@ -965,12 +985,14 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
# Pass the required attribute data to the adapter
source_uid: source.uid | ""
source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
destination_uid: destination.uid | ""
destination_port: destination.port | 0
attribute_bindings:
compiledTemplate: kubernetes
params:
# Pass the required attribute data to the adapter
source_uid: source.uid | ""
source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
destination_uid: destination.uid | ""
destination_port: destination.port | 0
attributeBindings:
# Fill the new attributes from the adapter produced output.
# $out refers to an instance of OutputTemplate message
source.ip: $out.source_pod_ip | ip("0.0.0.0")
......
charts/rancher-istio/0.0.1/charts/mixer/templates/deployment.yaml
......@@ -9,6 +9,20 @@
secret:
secretName: istio.istio-mixer-service-account
optional: true
{{- if $.Values.global.sds.enabled }}
- hostPath:
path: /var/run/sds
name: sds-uds-path
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ $.Values.global.trustDomain }}
expirationSeconds: 43200
path: istio-token
{{- end }}
{{- end }}
- name: uds-socket
emptyDir: {}
- name: policy-adapter-secret
......@@ -18,6 +32,10 @@
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
containers:
- name: mixer
image: "{{ template "system_default_registry" . }}{{ $.Values.repository }}:{{ $.Values.tag }}"
......@@ -47,10 +65,15 @@
{{- else }}
- --useAdapterCRDs=false
{{- end }}
{{- if $.Values.templates.useTemplateCRDs }}
- --useTemplateCRDs=true
{{- else }}
- --useTemplateCRDs=false
{{- end }}
{{- if $.Values.global.tracer.zipkin.address }}
- --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
{{- else }}
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans
- --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans
{{- end }}
{{- if .Values.env }}
env:
......@@ -134,6 +157,15 @@
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- if $.Values.global.sds.enabled }}
- name: sds-uds-path
mountPath: /var/run/sds
readOnly: true
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
mountPath: /var/run/secrets/tokens
{{- end }}
{{- end }}
- name: uds-socket
mountPath: /sock
- name: policy-adapter-secret
......@@ -149,6 +181,20 @@
secret:
secretName: istio.istio-mixer-service-account
optional: true
{{- if $.Values.global.sds.enabled }}
- hostPath:
path: /var/run/sds
name: sds-uds-path
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ $.Values.global.trustDomain }}
expirationSeconds: 43200
path: istio-token
{{- end }}
{{- end }}
- name: uds-socket
emptyDir: {}
- name: telemetry-adapter-secret
......@@ -158,6 +204,10 @@
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
containers:
- name: mixer
image: "{{ template "system_default_registry" . }}{{ $.Values.repository }}:{{ $.Values.tag }}"
......@@ -190,10 +240,15 @@
{{- else }}
- --useAdapterCRDs=false
{{- end }}
{{- if $.Values.templates.useTemplateCRDs }}
- --useTemplateCRDs=true
{{- else }}
- --useTemplateCRDs=false
{{- end }}
{{- if $.Values.global.tracer.zipkin.address }}
- --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
{{- else }}
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans
- --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans
{{- end }}
- --averageLatencyThreshold
- {{ $.Values.telemetry.loadshedding.latencyThreshold }}
......@@ -281,6 +336,15 @@
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- if $.Values.global.sds.enabled }}
- name: sds-uds-path
mountPath: /var/run/sds
readOnly: true
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
mountPath: /var/run/secrets/tokens
{{- end }}
{{- end }}
- name: uds-socket
mountPath: /sock
{{- end }}
......@@ -289,7 +353,7 @@
{{- range $key, $spec := .Values }}
{{- if or (eq $key "policy") (eq $key "telemetry") }}
{{- if $spec.enabled }}
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-{{ $key }}
......
charts/rancher-istio/0.0.1/charts/mixer/templates/service.yaml
......@@ -36,3 +36,4 @@ spec:
{{- end }}
{{- end }}
{{- end }}
charts/rancher-istio/0.0.1/charts/mixer/tests/deployment_test.yaml deleted 100644 → 0
suite: Test Istio Mixer Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
policy.enabled: true
telemetry.enabled: false
asserts:
- isNull:
path: spec.replicas
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
- it: should pass all kinds of assertion
set:
policy.enabled: false
telemetry.enabled: true
asserts:
- isNull:
path: spec.replicas
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
- it: should pass all kinds of assertion
set:
policy.enabled: true
telemetry.enabled: true
asserts:
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 2
charts/rancher-istio/0.0.1/charts/mixer/values.yaml
#
# mixer configuration
#
enabled: true
env:
GODEBUG: gctrace=1
# max procs should be ceil(cpu limit + 1)
......@@ -47,6 +45,7 @@ telemetry:
podAnnotations: {}
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -66,8 +65,11 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
templates:
useTemplateCRDs: false
adapters:
kubernetesenv:
......@@ -81,4 +83,4 @@ adapters:
enabled: true
metricsExpiryDuration: 10m
# Setting this to false sets the useAdapterCRDs mixer startup argument to false
useAdapterCRDs: true
useAdapterCRDs: false
charts/rancher-istio/0.0.1/charts/nodeagent/templates/daemonset.yaml
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: istio-nodeagent
......@@ -10,6 +10,9 @@ metadata:
heritage: {{ .Release.Service }}
istio: nodeagent
spec:
selector:
matchLabels:
istio: nodeagent
template:
metadata:
labels:
......@@ -18,8 +21,13 @@ spec:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: nodeagent
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-nodeagent-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: nodeagent
image: "{{ template "system_default_registry" . }}{{ $.Values.global.nodeAgent.repository }}:{{ $.Values.global.nodeAgent.tag }}"
......@@ -43,3 +51,8 @@ spec:
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
\ No newline at end of file
charts/rancher-istio/0.0.1/charts/nodeagent/values.yaml
......@@ -2,7 +2,6 @@
# nodeagent configuration
#
enabled: false
image: node-agent-k8s
env:
# name of authentication provider.
CA_PROVIDER: ""
......@@ -11,6 +10,7 @@ env:
# names of authentication provider's plugins.
Plugins: ""
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -30,5 +30,5 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
charts/rancher-istio/0.0.1/charts/pilot/templates/_helpers.tpl
......@@ -30,4 +30,3 @@ Create chart name and version as used by the chart label.
{{- define "pilot.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
charts/rancher-istio/0.0.1/charts/pilot/templates/autoscale.yaml
......@@ -13,7 +13,7 @@ spec:
maxReplicas: {{ .Values.autoscaleMax }}
minReplicas: {{ .Values.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1beta1
apiVersion: apps/v1
kind: Deployment
name: istio-pilot
metrics:
......
charts/rancher-istio/0.0.1/charts/pilot/templates/deployment.yaml
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-pilot
......@@ -173,8 +173,31 @@ spec:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- if $.Values.global.sds.enabled }}
- name: sds-uds-path
mountPath: /var/run/sds
readOnly: true
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
mountPath: /var/run/secrets/tokens
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- if $.Values.global.sds.enabled }}
- hostPath:
path: /var/run/sds
name: sds-uds-path
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ $.Values.global.trustDomain }}
expirationSeconds: 43200
path: istio-token
{{- end }}
{{- end }}
- name: config-volume
configMap:
name: istio
......@@ -185,3 +208,7 @@ spec:
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
charts/rancher-istio/0.0.1/charts/pilot/tests/deployment_test.yaml deleted 100644 → 0
suite: Test Pilot Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
service.internalPort: 8080
sidecar: true
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: istio/pilot:1.1.5
- notEqual:
path: spec.template.spec.containers[0].image
value: istio/pilot:1.1
- matchRegex:
path: metadata.name
pattern: .*istio-pilot.*
- contains:
path: spec.template.spec.containers[0].ports
content:
containerPort: 8080
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
# sidecar tests
- equal:
path: spec.template.spec.containers[1].name
value: istio-proxy
- notContains:
path: spec.template.spec.containers[0].ports
content:
containerPort: 15011
- it: should not set replicas
set:
autoscaleEnabled: true
asserts:
- equal:
path: spec.replicas
value: null
- it: should not add sidecar
set:
sidecar: false
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
containerPort: 15011
- contains:
path: spec.template.spec.containers[0].args
content:
--secureGrpcAddr
charts/rancher-istio/0.0.1/charts/pilot/values.yaml
......@@ -20,6 +20,7 @@ env:
cpu:
targetAverageUtilization: 80
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -39,8 +40,8 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# The following is used to limit how long a sidecar can be connected
# to a pilot. It balances out load across pilot instances at the cost of
......
charts/rancher-istio/0.0.1/charts/prometheus/Chart.yaml
......@@ -2,5 +2,5 @@ apiVersion: v1
description: A Helm chart for Kubernetes
name: prometheus
version: 1.1.0
appVersion: 2.3.1
appVersion: 2.8.0
tillerVersion: ">=2.7.2"
charts/rancher-istio/0.0.1/charts/prometheus/templates/configmap.yaml
......@@ -50,38 +50,6 @@ data:
action: replace
target_label: pod_name
metric_relabel_configs:
# Exclude some of the envoy metrics that have massive cardinality
# This list may need to be pruned further moving forward, as informed
# by performance and scalability testing.
- source_labels: [ cluster_name ]
regex: '(outbound|inbound|prometheus_stats).*'
action: drop
- source_labels: [ tcp_prefix ]
regex: '(outbound|inbound|prometheus_stats).*'
action: drop
- source_labels: [ listener_address ]
regex: '(.+)'
action: drop
- source_labels: [ http_conn_manager_listener_prefix ]
regex: '(.+)'
action: drop
- source_labels: [ http_conn_manager_prefix ]
regex: '(.+)'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_tls.*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_tcp_downstream.*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_http_(stats|admin).*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*'
action: drop
- job_name: 'istio-policy'
kubernetes_sd_configs:
- role: endpoints
......
charts/rancher-istio/0.0.1/charts/prometheus/templates/deployment.yaml
# TODO: the original template has service account, roles, etc
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: prometheus
......@@ -89,7 +89,9 @@ spec:
- name: istio-certs
secret:
defaultMode: 420
{{- if not .Values.security.enabled }}
optional: true
{{- end }}
secretName: istio.default
- name: prometheus-nginx
configMap:
......@@ -97,3 +99,7 @@ spec:
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
charts/rancher-istio/0.0.1/charts/prometheus/templates/tests/test-prometheus-connection.yaml
......@@ -21,8 +21,9 @@ spec:
- name: "{{ template "prometheus.fullname" . }}-test"
image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && break || sleep 15; done']
command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && exit 0 || sleep 15; done; exit 1']
restartPolicy: Never
affinity:
{{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- end }}
charts/rancher-istio/0.0.1/charts/prometheus/tests/deployment_test.yaml deleted 100644 → 0
suite: Test Istio Prometheus Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
charts/rancher-istio/0.0.1/charts/prometheus/values.yaml
......@@ -6,6 +6,7 @@ replicaCount: 1
retention: 6h
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -25,8 +26,8 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# Controls the frequency of prometheus scraping
scrapeInterval: 15s
......@@ -49,6 +50,9 @@ ingress:
service:
annotations: {}
nodePort:
enabled: false
port: 32090
security:
enabled: true
......
charts/rancher-istio/0.0.1/charts/security/templates/cleanup-secrets.yaml
......@@ -27,6 +27,12 @@ metadata:
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
......
charts/rancher-istio/0.0.1/charts/security/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-security-custom-resources
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: citadel
data:
custom-resources.yaml: |-
{{- if .Values.global.mtls.enabled }}
{{- include "security-default.yaml.tpl" . | indent 4}}
{{- else }}
{{- include "security-permissive.yaml.tpl" . | indent 4}}
{{- end }}
run.sh: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-security-custom-resources
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: citadel
data:
custom-resources.yaml: |-
{{- if .Values.global.mtls.enabled }}
{{- include "security-default.yaml.tpl" . | indent 4}}
{{- else }}
{{- include "security-permissive.yaml.tpl" . | indent 4}}
{{- end }}
run.sh: |-
{{- include "install-custom-resources.sh.tpl" . | indent 4}}
charts/rancher-istio/0.0.1/charts/security/templates/create-custom-resources-job.yaml
{{- if .Values.createMeshPolicy }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-security-post-install-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-security-post-install-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-security-post-install-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
resources: ["*"]
verbs: ["*"]
- apiGroups: ["networking.istio.io"] # needed to create security destination rules
resources: ["*"]
verbs: ["*"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch"]
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-security-post-install-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
resources: ["*"]
verbs: ["*"]
- apiGroups: ["networking.istio.io"] # needed to create security destination rules
resources: ["*"]
verbs: ["*"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-security-post-install-role-binding-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-security-post-install-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-security-post-install-account
namespace: {{ .Release.Namespace }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-security-post-install-role-binding-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-security-post-install-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-security-post-install-account
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: istio-security-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": hook-succeeded
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
template:
metadata:
name: istio-security-post-install
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
serviceAccountName: istio-security-post-install-account
containers:
- name: kubectl
kind: Job
metadata:
name: istio-security-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": hook-succeeded
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
template:
metadata:
name: istio-security-post-install
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
serviceAccountName: istio-security-post-install-account
containers:
- name: kubectl
image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
imagePullPolicy: IfNotPresent
command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
volumeMounts:
- mountPath: "/tmp/security"
name: tmp-configmap-security
volumes:
- name: tmp-configmap-security
configMap:
name: istio-security-custom-resources
restartPolicy: OnFailure
affinity:
imagePullPolicy: IfNotPresent
command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
volumeMounts:
- mountPath: "/tmp/security"
name: tmp-configmap-security
volumes:
- name: tmp-configmap-security
configMap:
name: istio-security-custom-resources
restartPolicy: OnFailure
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- end }}
charts/rancher-istio/0.0.1/charts/security/templates/deployment.yaml
# istio CA watching all namespaces
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-citadel
......@@ -11,7 +11,10 @@ metadata:
release: {{ .Release.Name }}
istio: citadel
spec:
replicas: {{ .Values.replicaCount }}
replicas: 1
selector:
matchLabels:
istio: citadel
strategy:
rollingUpdate:
maxSurge: 1
......@@ -38,7 +41,6 @@ spec:
args:
- --append-dns-names=true
- --grpc-port=8060
- --grpc-hostname=citadel
- --citadel-storage-namespace={{ .Release.Namespace }}
- --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }}
- --monitoring-port={{ .Values.global.monitoringPort }}
......@@ -54,12 +56,22 @@ spec:
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
{{- if .Values.citadelHealthCheck }}
- --liveness-probe-path=/tmp/ca.liveness # path to the liveness health check status file
- --liveness-probe-interval=60s # interval for health check file update
- --probe-check-interval=15s # interval for health status check
{{- end }}
{{- if .Values.citadelHealthCheck }}
livenessProbe:
httpGet:
path: /version
port: {{ .Values.global.monitoringPort }}
initialDelaySeconds: 5
periodSeconds: 5
exec:
command:
- /usr/local/bin/istio_ca
- probe
- --probe-path=/tmp/ca.liveness # path to the liveness health check status file
- --interval=125s # the maximum time gap allowed between the file mtime and the current sys clock
initialDelaySeconds: 60
periodSeconds: 60
{{- end }}
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
......@@ -80,3 +92,7 @@ spec:
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
\ No newline at end of file
charts/rancher-istio/0.0.1/charts/security/templates/enable-mesh-mtls.yaml
......@@ -40,7 +40,7 @@ spec:
mode: ISTIO_MUTUAL
---
# Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar.
# Customer should add similar destination rules for other services that dont' have sidecar.
# Customer should add similar destination rules for other services that don't have sidecar.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
......
charts/rancher-istio/0.0.1/charts/security/templates/tests/test-citadel-connection.yaml
......@@ -21,8 +21,9 @@ spec:
- name: "{{ template "security.fullname" . }}-test"
image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:8060/-/ready && break || sleep 15; done']
command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:8060/-/ready && exit 0 || sleep 15; done; exit 1']
restartPolicy: Never
affinity:
{{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- end }}
charts/rancher-istio/0.0.1/charts/security/tests/deployment_test.yaml deleted 100644 → 0
suite: Test Istio Citadel Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
charts/rancher-istio/0.0.1/charts/security/values.yaml
......@@ -2,10 +2,13 @@
# security configuration
#
enabled: true
replicaCount: 1
selfSigned: true # indicate if self-signed CA is used.
createMeshPolicy: true
nodeSelector: {}
tolerations: []
# Enable health checking on the Citadel CSR signing API.
# https://istio.io/docs/tasks/security/health-check/
citadelHealthCheck: false
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
......@@ -25,5 +28,5 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
charts/rancher-istio/0.0.1/charts/sidecarInjectorWebhook/templates/deployment.yaml
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-sidecar-injector
......@@ -11,6 +11,9 @@ metadata:
istio: sidecar-injector
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
istio: sidecar-injector
strategy:
rollingUpdate:
maxSurge: 1
......@@ -27,7 +30,7 @@ spec:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-sidecar-injector-service-account
{{- if .Values.global.priorityClassName }}
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
......@@ -89,6 +92,8 @@ spec:
items:
- key: config
path: config
- key: values
path: values
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
charts/rancher-istio/0.0.1/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
......@@ -2,7 +2,6 @@ apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ template "sidecar-injector.chart" . }}
......@@ -25,6 +24,10 @@ webhooks:
namespaceSelector:
{{- if .Values.enableNamespacesByDefault }}
matchExpressions:
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
- key: istio-injection
operator: NotIn
values:
......
charts/rancher-istio/0.0.1/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml 0 → 100644
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "sidecar-injector.name" . }}
release: {{ .Release.Name }}
istio: sidecar-injector
spec:
{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
selector:
matchLabels:
app: {{ template "sidecar-injector.name" . }}
release: {{ .Release.Name }}
istio: sidecar-injector
{{- end }}
\ No newline at end of file
charts/rancher-istio/0.0.1/charts/sidecarInjectorWebhook/tests/mutatingwebhook_test.yaml deleted 100644 → 0
suite: Test SidecarInjectorWebhook MutatingWebhook
templates:
- mutatingwebhook.yaml
tests:
- it: should pass all kinds of assertion
set:
enableNamespacesByDefault: false
asserts:
- isNull:
path: webhooks[0].namespaceSelector.matchExpressions
- isEmpty:
path: webhooks[0].namespaceSelector.matchExpressions
- isNotNull:
path: webhooks[0].namespaceSelector.matchLabels
- isNotEmpty:
path: webhooks[0].namespaceSelector.matchLabels
- contains:
path: webhooks[0].rules
content:
operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
- isKind:
of: MutatingWebhookConfiguration
- isAPIVersion:
of: admissionregistration.k8s.io/v1beta1
- hasDocuments:
count: 1
- it: should not set autoInjection selector
set:
enableNamespacesByDefault: true
asserts:
- isNotNull:
path: webhooks[0].namespaceSelector.matchExpressions
- isNotEmpty:
path: webhooks[0].namespaceSelector.matchExpressions
- isNull:
path: webhooks[0].namespaceSelector.matchLabels
- isEmpty:
path: webhooks[0].namespaceSelector.matchLabels
charts/rancher-istio/0.0.1/charts/sidecarInjectorWebhook/tests/rbac_test.yaml deleted 100644 → 0
suite: Test SidecarInjectorWebhook RBAC
templates:
- clusterrole.yaml
tests:
- it: should pass all kinds of assertion
set:
provider: jaeger
asserts:
- isNotNull:
path: rules
- isNotEmpty:
path: rules
- contains:
path: rules
content:
apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
- isKind:
of: ClusterRole
- isAPIVersion:
of: rbac.authorization.k8s.io/v1
- hasDocuments:
count: 1
charts/rancher-istio/0.0.1/charts/sidecarInjectorWebhook/values.yaml
......@@ -24,10 +24,17 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# If true, webhook or istioctl injector will rewrite PodSpec for liveness
# health check to redirect request to sidecar. This makes liveness check work
# even when mTLS is enabled.
rewriteAppHTTPProbe: false
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
neverInjectSelector: []
alwaysInjectSelector: []
\ No newline at end of file
charts/rancher-istio/0.0.1/charts/tracing/templates/deployment-jaeger.yaml
{{ if eq .Values.provider "jaeger" }}
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-tracing
......@@ -11,6 +11,9 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
matchLabels:
app: jaeger
template:
metadata:
labels:
......
charts/rancher-istio/0.0.1/charts/tracing/templates/deployment-zipkin.yaml
{{ if eq .Values.provider "zipkin" }}
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-zipkin
name: istio-tracing
namespace: {{ .Release.Namespace }}
labels:
app: zipkin
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
chart: {{ template "tracing.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
matchLabels:
app: zipkin
template:
metadata:
labels:
app: zipkin
chart: {{ template "tracing.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
- name: zipkin
image: "{{ template "system_default_registry" . }}{{ .Values.zipkin.repository }}:{{ .Values.zipkin.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: {{ .Values.zipkin.queryPort }}
livenessProbe:
......
charts/rancher-istio/0.0.1/charts/tracing/templates/tests/test-tracing-connection.yaml
......@@ -29,4 +29,5 @@ spec:
restartPolicy: Never
affinity:
{{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- end }}
charts/rancher-istio/0.0.1/charts/tracing/tests/jaeger_test.yaml deleted 100644 → 0
suite: Test Jaeger Deployment
templates:
- deployment-jaeger.yaml
- deployment-zipkin.yaml
tests:
- it: should pass all kinds of assertion
set:
provider: jaeger
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: jaegertracing/all-in-one:1.9
- equal:
path: spec.template.metadata.labels.app
value: jaeger
- equal:
path: spec.template.spec.containers[0].name
value: jaeger
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
- it: should not deploy jaeger
set:
provider: zipkin
asserts:
- hasDocuments:
count: 0
charts/rancher-istio/0.0.1/charts/tracing/tests/zipkin_test.yaml deleted 100644 → 0
suite: Test Zipkinn Deployment
templates:
- deployment-zipkin.yaml
tests:
- it: should pass all kinds of assertion
set:
provider: zipkin
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: openzipkin/zipkin:2
- equal:
path: spec.template.metadata.labels.app
value: zipkin
- equal:
path: spec.template.spec.containers[0].name
value: tracing
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
- it: should not deploy zipkin
set:
provider: jaeger
asserts:
- hasDocuments:
count: 0
charts/rancher-istio/0.0.1/charts/tracing/values.yaml
#
# addon jeager tracing configuration
# addon jaeger tracing configuration
#
enabled: false
......@@ -24,8 +24,8 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# “security” and value “S1”.
podAntiAffinityLabelSelector: {}
podAntiAffinityTermLabelSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
jaeger:
memory:
......
charts/rancher-istio/0.0.1/files/injection-template.yaml 0 → 100644
rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
initContainers:
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
{{- if not .Values.istio_cni.enabled }}
- name: istio-init
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- else }}
image: "{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- end }}
args:
- "-p"
- "15001"
- "-u"
- 1337
- "-m"
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
- "-i"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
- "-x"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
- "-b"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
- "-d"
- "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") -}}
- "-o"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
{{ end -}}
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
- "-k"
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
{{ end -}}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
requests:
cpu: 10m
memory: 10Mi
limits:
cpu: 100m
memory: 50Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- NET_ADMIN
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
restartPolicy: Always
env:
{{- if contains "*" (annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` "") }}
- name: INBOUND_CAPTURE_PORT
value: 15006
{{- end }}
{{- end }}
{{ end -}}
{{- if eq .Values.global.proxy.enableCoreDump true }}
- name: enable-core-dump
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
command:
- /bin/sh
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- else }}
image: "{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- end }}
imagePullPolicy: IfNotPresent
resources: {}
securityContext:
runAsUser: 0
runAsNonRoot: false
privileged: true
{{ end }}
{{- end }}
containers:
- name: istio-proxy
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
{{- else }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.repository}}:{{ .Values.global.proxy.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --configPath
- "{{ .ProxyConfig.ConfigPath }}"
- --binaryPath
- "{{ .ProxyConfig.BinaryPath }}"
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --drainDuration
- "{{ formatDuration .ProxyConfig.DrainDuration }}"
- --parentShutdownDuration
- "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}"
- --discoveryAddress
- "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}"
{{- if eq .Values.global.proxy.tracer "lightstep" }}
- --lightstepAddress
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}"
- --lightstepAccessToken
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}"
- --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }}
- --lightstepCacertPath
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}"
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
- --zipkinAddress
- "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}"
{{- else if eq .Values.global.proxy.tracer "datadog" }}
- --datadogAgentAddress
- "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}"
{{- end }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
- --dnsRefreshRate
- {{ .Values.global.proxy.dnsRefreshRate }}
- --connectTimeout
- "{{ formatDuration .ProxyConfig.ConnectTimeout }}"
{{- if .Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- "{{ .ProxyConfig.StatsdUdpAddress }}"
{{- end }}
{{- if .Values.global.proxy.envoyMetricsService.enabled }}
- --envoyMetricsServiceAddress
- "{{ .ProxyConfig.EnvoyMetricsServiceAddress }}"
{{- end }}
- --proxyAdminPort
- "{{ .ProxyConfig.ProxyAdminPort }}"
{{ if gt .ProxyConfig.Concurrency 0 -}}
- --concurrency
- "{{ .ProxyConfig.Concurrency }}"
{{ end -}}
- --controlPlaneAuthPolicy
- "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}"
{{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }}
- --statusPort
- "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}"
- --applicationPorts
- "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}"
{{- end }}
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{ if eq .Values.global.proxy.tracer "datadog" }}
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{ end }}
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_CONFIG_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
- name: ISTIO_META_INCLUDE_INBOUND_PORTS
value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{ if .ObjectMeta.Labels }}
- name: ISTIO_METAJSON_LABELS
value: |
{{ toJSON .ObjectMeta.Labels }}
{{ end }}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{- end }}
{{- if .Values.global.sds.customTokenDirectory }}
- name: ISTIO_META_SDS_TOKEN_PATH
value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken"
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
{{- if ne .Values.global.proxy.enableCoreDump true }}
readOnlyRootFilesystem: true
{{- end }}
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
capabilities:
add:
- NET_ADMIN
runAsGroup: 1337
{{ else -}}
{{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }}
runAsGroup: 1337
{{- end }}
runAsUser: 1337
{{- end }}
resources:
{{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end}}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{ else -}}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 4 }}
{{- end }}
{{ end -}}
volumeMounts:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{- end }}
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- mountPath: /var/run/sds
name: sds-uds-path
readOnly: true
{{- if .Values.global.sds.useTrustworthyJwt }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.sds.customTokenDirectory }}
- mountPath: "{{ .Values.global.sds.customTokenDirectory -}}"
name: custom-sds-token
readOnly: true
{{- end }}
{{- else }}
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}
name: lightstep-certs
readOnly: true
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{- end }}
volumes:
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: custom-bootstrap-volume
configMap:
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
{{- end }}
- emptyDir:
medium: Memory
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- name: sds-uds-path
hostPath:
path: /var/run/sds
{{- if .Values.global.sds.customTokenDirectory }}
- name: custom-sds-token
secret:
secretName: sdstokensecret
{{- end }}
{{- if .Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.trustDomain }}
{{- end }}
{{- else }}
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 2 }}
{{ end }}
{{ end }}
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- name: lightstep-certs
secret:
optional: true
secretName: lightstep.cacert
{{- end }}
{{- if .Values.global.podDNSSearchNamespaces }}
dnsConfig:
searches:
{{- range .Values.global.podDNSSearchNamespaces }}
- {{ render . }}
{{- end }}
{{- end }}
\ No newline at end of file
charts/rancher-istio/0.0.1/templates/_affinity.tpl
......@@ -66,7 +66,7 @@
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.value }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
......
charts/rancher-istio/0.0.1/templates/crds.yaml
......@@ -37,7 +37,6 @@ spec:
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
......@@ -76,7 +75,6 @@ spec:
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
......@@ -123,7 +121,6 @@ spec:
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
......@@ -157,720 +154,30 @@ spec:
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: envoyfilters.networking.istio.io
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: networking.istio.io
names:
kind: EnvoyFilter
plural: envoyfilters
singular: envoyfilter
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: clusterrbacconfigs.rbac.istio.io
labels:
app: istio-pilot
istio: rbac
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: rbac.istio.io
names:
kind: ClusterRbacConfig
plural: clusterrbacconfigs
singular: clusterrbacconfig
categories:
- istio-io
- rbac-istio-io
scope: Cluster
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: policies.authentication.istio.io
labels:
app: istio-citadel
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: authentication.istio.io
names:
kind: Policy
plural: policies
singular: policy
categories:
- istio-io
- authentication-istio-io
scope: Namespaced
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: meshpolicies.authentication.istio.io
labels:
app: istio-citadel
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: authentication.istio.io
names:
kind: MeshPolicy
listKind: MeshPolicyList
plural: meshpolicies
singular: meshpolicy
categories:
- istio-io
- authentication-istio-io
scope: Cluster
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: httpapispecbindings.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: HTTPAPISpecBinding
plural: httpapispecbindings
singular: httpapispecbinding
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: httpapispecs.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: HTTPAPISpec
plural: httpapispecs
singular: httpapispec
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotaspecbindings.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: QuotaSpecBinding
plural: quotaspecbindings
singular: quotaspecbinding
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotaspecs.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: QuotaSpec
plural: quotaspecs
singular: quotaspec
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rules.config.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: core
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: rule
plural: rules
singular: rule
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: attributemanifests.config.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: core
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: attributemanifest
plural: attributemanifests
singular: attributemanifest
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: bypasses.config.istio.io
labels:
app: mixer
package: bypass
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: bypass
plural: bypasses
singular: bypass
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: circonuses.config.istio.io
labels:
app: mixer
package: circonus
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: circonus
plural: circonuses
singular: circonus
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: deniers.config.istio.io
labels:
app: mixer
package: denier
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: denier
plural: deniers
singular: denier
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: fluentds.config.istio.io
labels:
app: mixer
package: fluentd
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: fluentd
plural: fluentds
singular: fluentd
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kubernetesenvs.config.istio.io
labels:
app: mixer
package: kubernetesenv
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: kubernetesenv
plural: kubernetesenvs
singular: kubernetesenv
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listcheckers.config.istio.io
labels:
app: mixer
package: listchecker
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: listchecker
plural: listcheckers
singular: listchecker
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: memquotas.config.istio.io
labels:
app: mixer
package: memquota
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: memquota
plural: memquotas
singular: memquota
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: noops.config.istio.io
labels:
app: mixer
package: noop
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: noop
plural: noops
singular: noop
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: opas.config.istio.io
labels:
app: mixer
package: opa
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: opa
plural: opas
singular: opa
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: prometheuses.config.istio.io
labels:
app: mixer
package: prometheus
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: prometheus
plural: prometheuses
singular: prometheus
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rbacs.config.istio.io
labels:
app: mixer
package: rbac
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: rbac
plural: rbacs
singular: rbac
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: redisquotas.config.istio.io
labels:
app: mixer
package: redisquota
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: redisquota
plural: redisquotas
singular: redisquota
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: signalfxs.config.istio.io
labels:
app: mixer
package: signalfx
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: signalfx
plural: signalfxs
singular: signalfx
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: solarwindses.config.istio.io
labels:
app: mixer
package: solarwinds
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: solarwinds
plural: solarwindses
singular: solarwinds
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stackdrivers.config.istio.io
labels:
app: mixer
package: stackdriver
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
spec:
group: config.istio.io
names:
kind: stackdriver
plural: stackdrivers
singular: stackdriver
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: statsds.config.istio.io
labels:
app: mixer
package: statsd
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: statsd
plural: statsds
singular: statsd
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stdios.config.istio.io
name: sidecars.networking.istio.io
labels:
app: mixer
package: stdio
istio: mixer-adapter
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
group: networking.istio.io
names:
kind: stdio
plural: stdios
singular: stdio
kind: Sidecar
plural: sidecars
singular: sidecar
categories:
- istio-io
- policy-istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha2
version: v1alpha3
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: apikeys.config.istio.io
labels:
app: mixer
package: apikey
istio: mixer-instance
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: apikey
plural: apikeys
singular: apikey
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: authorizations.config.istio.io
name: envoyfilters.networking.istio.io
labels:
app: mixer
package: authorization
istio: mixer-instance
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
......@@ -878,51 +185,47 @@ metadata:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
group: networking.istio.io
names:
kind: authorization
plural: authorizations
singular: authorization
kind: EnvoyFilter
plural: envoyfilters
singular: envoyfilter
categories:
- istio-io
- policy-istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha2
version: v1alpha3
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: checknothings.config.istio.io
name: clusterrbacconfigs.rbac.istio.io
labels:
app: mixer
package: checknothing
istio: mixer-instance
chart: istio
app: istio-pilot
istio: rbac
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
group: rbac.istio.io
names:
kind: checknothing
plural: checknothings
singular: checknothing
kind: ClusterRbacConfig
plural: clusterrbacconfigs
singular: clusterrbacconfig
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
- rbac-istio-io
scope: Cluster
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kuberneteses.config.istio.io
name: policies.authentication.istio.io
labels:
app: mixer
package: adapter.template.kubernetes
istio: mixer-instance
app: istio-citadel
chart: istio
heritage: Tiller
release: istio
......@@ -930,25 +233,23 @@ metadata:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
group: authentication.istio.io
names:
kind: kubernetes
plural: kuberneteses
singular: kubernetes
kind: Policy
plural: policies
singular: policy
categories:
- istio-io
- policy-istio-io
- authentication-istio-io
scope: Namespaced
version: v1alpha2
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listentries.config.istio.io
name: meshpolicies.authentication.istio.io
labels:
app: mixer
package: listentry
istio: mixer-instance
app: istio-citadel
chart: istio
heritage: Tiller
release: istio
......@@ -956,25 +257,24 @@ metadata:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
group: authentication.istio.io
names:
kind: listentry
plural: listentries
singular: listentry
kind: MeshPolicy
listKind: MeshPolicyList
plural: meshpolicies
singular: meshpolicy
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
- authentication-istio-io
scope: Cluster
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: logentries.config.istio.io
name: httpapispecbindings.config.istio.io
labels:
app: mixer
package: logentry
istio: mixer-instance
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
......@@ -984,43 +284,21 @@ metadata:
spec:
group: config.istio.io
names:
kind: logentry
plural: logentries
singular: logentry
kind: HTTPAPISpecBinding
plural: httpapispecbindings
singular: httpapispecbinding
categories:
- istio-io
- policy-istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
additionalPrinterColumns:
- JSONPath: .spec.severity
description: The importance of the log entry
name: Severity
type: string
- JSONPath: .spec.timestamp
description: The time value for the log entry
name: Timestamp
type: string
- JSONPath: .spec.monitored_resource_type
description: Optional expression to compute the type of the monitored resource this log entry is being recorded on
name: Res Type
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: edges.config.istio.io
name: httpapispecs.config.istio.io
labels:
app: mixer
package: edge
istio: mixer-instance
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
......@@ -1030,23 +308,21 @@ metadata:
spec:
group: config.istio.io
names:
kind: edge
plural: edges
singular: edge
kind: HTTPAPISpec
plural: httpapispecs
singular: httpapispec
categories:
- istio-io
- policy-istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: metrics.config.istio.io
name: quotaspecbindings.config.istio.io
labels:
app: mixer
package: metric
istio: mixer-instance
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
......@@ -1056,23 +332,21 @@ metadata:
spec:
group: config.istio.io
names:
kind: metric
plural: metrics
singular: metric
kind: QuotaSpecBinding
plural: quotaspecbindings
singular: quotaspecbinding
categories:
- istio-io
- policy-istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotas.config.istio.io
name: quotaspecs.config.istio.io
labels:
app: mixer
package: quota
istio: mixer-instance
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
......@@ -1082,23 +356,23 @@ metadata:
spec:
group: config.istio.io
names:
kind: quota
plural: quotas
singular: quota
kind: QuotaSpec
plural: quotaspecs
singular: quotaspec
categories:
- istio-io
- policy-istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: reportnothings.config.istio.io
name: rules.config.istio.io
labels:
app: mixer
package: reportnothing
istio: mixer-instance
package: istio.io.mixer
istio: core
chart: istio
heritage: Tiller
release: istio
......@@ -1108,9 +382,9 @@ metadata:
spec:
group: config.istio.io
names:
kind: reportnothing
plural: reportnothings
singular: reportnothing
kind: rule
plural: rules
singular: rule
categories:
- istio-io
- policy-istio-io
......@@ -1120,11 +394,11 @@ spec:
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: tracespans.config.istio.io
name: attributemanifests.config.istio.io
labels:
app: mixer
package: tracespan
istio: mixer-instance
package: istio.io.mixer
istio: core
chart: istio
heritage: Tiller
release: istio
......@@ -1134,9 +408,9 @@ metadata:
spec:
group: config.istio.io
names:
kind: tracespan
plural: tracespans
singular: tracespan
kind: attributemanifest
plural: attributemanifests
singular: attributemanifest
categories:
- istio-io
- policy-istio-io
......@@ -1228,7 +502,6 @@ spec:
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
......@@ -1337,52 +610,6 @@ spec:
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: cloudwatches.config.istio.io
labels:
app: mixer
package: cloudwatch
istio: mixer-adapter
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: cloudwatch
plural: cloudwatches
singular: cloudwatch
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: dogstatsds.config.istio.io
labels:
app: mixer
package: dogstatsd
istio: mixer-adapter
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: dogstatsd
plural: dogstatsds
singular: dogstatsd
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
......@@ -1410,23 +637,22 @@ spec:
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: zipkins.config.istio.io
name: authorizationpolicies.rbac.istio.io
labels:
app: mixer
package: zipkin
istio: mixer-adapter
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
app: istio-pilot
istio: rbac
heritage: Tiller
release: istio
spec:
group: config.istio.io
group: rbac.istio.io
names:
kind: zipkin
plural: zipkins
singular: zipkin
kind: AuthorizationPolicy
plural: authorizationpolicies
singular: authorizationpolicy
categories:
- istio-io
- policy-istio-io
- istio-io
- rbac-istio-io
scope: Namespaced
version: v1alpha2
{{- end }}
version: v1alpha1
---
{{- end }}
\ No newline at end of file
charts/rancher-istio/0.0.1/templates/endpoints.yaml
......@@ -47,7 +47,7 @@ apiVersion: v1
kind: Endpoints
metadata:
name: istio-telemetry
namespace: istio-system
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remoteTelemetryAddress }}
......
charts/rancher-istio/0.0.1/templates/sidecar-injector-configmap.yaml
......@@ -11,311 +11,15 @@ metadata:
release: {{ .Release.Name }}
istio: sidecar-injector
data:
values: |-
{{ .Values | toJson }}
config: |-
policy: {{ .Values.global.proxy.autoInject }}
alwaysInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | indent 6 }}
neverInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | indent 6 }}
template: |-
rewriteAppHTTPProbe: {{ .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe }}
{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
initContainers:
{{ "[[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"NONE\" ]]" }}
{{- if not .Values.istio_cni.enabled }}
- name: istio-init
image: "{{ template "system_default_registry" . }}{{ $.Values.global.proxy_init.repository }}:{{ $.Values.global.proxy_init.tag }}"
args:
- "-p"
- {{ "[[ .MeshConfig.ProxyListenPort ]]" }}
- "-u"
- 1337
- "-m"
- {{ "[[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]" }}
- "-i"
- {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` " }} "{{ .Values.global.proxy.includeIPRanges }}" {{ " ]]\"" }}
- "-x"
- {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` " }} "{{ .Values.global.proxy.excludeIPRanges }}" {{ " ]]\"" }}
- "-b"
- {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"" }}
- "-d"
- {{ "\"[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` " }} "{{ .Values.global.proxy.excludeInboundPorts }}" {{ ") ]]\"" }}
{{ "[[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]" }}
- "-k"
{{ "- \"[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]\"" }}
{{ "[[ end -]]" }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
resources:
requests:
cpu: 10m
memory: 10Mi
limits:
cpu: 100m
memory: 50Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- NET_ADMIN
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
restartPolicy: Always
{{- end }}
{{ "[[ end -]]" }}
{{- if eq .Values.global.proxy.enableCoreDump true }}
- name: enable-core-dump
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
command:
- /bin/sh
image: "{{ template "system_default_registry" . }}{{ $.Values.global.proxy_init.repository }}:{{ $.Values.global.proxy_init.tag }}"
imagePullPolicy: IfNotPresent
resources: {}
securityContext:
runAsUser: 0
runAsNonRoot: false
privileged: true
{{ end }}
{{- end }}
containers:
- name: istio-proxy
image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ template "system_default_registry" . }}{{ $.Values.global.proxy.repository }}:{{ $.Values.global.proxy.tag }}" {{ " ]]" }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --configPath
- {{ "[[ .ProxyConfig.ConfigPath ]]" }}
- --binaryPath
- {{ "[[ .ProxyConfig.BinaryPath ]]" }}
- --serviceCluster
{{ "[[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]" }}
- {{ "[[ index .ObjectMeta.Labels \"app\" ]]." }}$(POD_NAMESPACE)
{{ "[[ else -]]" }}
- {{ "[[ valueOrDefault .DeploymentMeta.Name \"istio-proxy\" ]].[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]]" }}
{{ "[[ end -]]" }}
- --drainDuration
- {{ "[[ formatDuration .ProxyConfig.DrainDuration ]]" }}
- --parentShutdownDuration
- {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }}
- --discoveryAddress
- {{ "[[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]" }}
{{- if eq .Values.global.proxy.tracer "lightstep" }}
- --lightstepAddress
- {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAddress ]]" }}
- --lightstepAccessToken
- {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken ]]" }}
- --lightstepSecure={{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetSecure ]]" }}
- --lightstepCacertPath
- {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }}
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
- --zipkinAddress
- {{ "[[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]]" }}
{{- else if eq .Values.global.proxy.tracer "datadog" }}
- --datadogAgentAddress
- {{ "[[ .ProxyConfig.GetTracing.GetDatadog.GetAddress ]]" }}
{{- end }}
- --connectTimeout
- {{ "[[ formatDuration .ProxyConfig.ConnectTimeout ]]" }}
{{- if .Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- {{ "[[ .ProxyConfig.StatsdUdpAddress ]]" }}
{{- end }}
{{- if .Values.global.proxy.envoyMetricsService.enabled }}
- --envoyMetricsServiceAddress
- {{ "[[ .ProxyConfig.EnvoyMetricsServiceAddress ]]" }}
{{- end }}
- --proxyAdminPort
- {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }}
{{ "[[ if gt .ProxyConfig.Concurrency 0 -]]" }}
- --concurrency
- {{ "[[ .ProxyConfig.Concurrency ]]" }}
{{ "[[ end -]]" }}
- --controlPlaneAuthPolicy
- {{ "[[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]" }}
{{ "[[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }}
- --statusPort
- {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }}
- --applicationPorts
- {{ "\"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"" }}
{{ "[[- end ]]" }}
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{ if eq .Values.global.proxy.tracer "datadog" }}
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{ end }}
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_CONFIG_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ISTIO_META_INTERCEPTION_MODE
value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }}
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ "[[ if .ObjectMeta.Annotations ]]" }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ "[[ toJSON .ObjectMeta.Annotations ]]" }}
{{ "[[ end ]]" }}
{{ "[[ if .ObjectMeta.Labels ]]" }}
- name: ISTIO_METAJSON_LABELS
value: |
{{ "[[ toJSON .ObjectMeta.Labels ]]" }}
{{ "[[ end ]]" }}
{{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{ "[[- end ]]" }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{ "[[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }}
readinessProbe:
httpGet:
path: /healthz/ready
port: {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }}
initialDelaySeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` " }} {{ .Values.global.proxy.readinessInitialDelaySeconds }} {{ " ]]" }}
periodSeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` " }} {{ .Values.global.proxy.readinessPeriodSeconds }} {{ " ]]" }}
failureThreshold: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` " }} {{ .Values.global.proxy.readinessFailureThreshold }} {{ " ]]" }}
{{ "[[ end -]]" -}}
securityContext:
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
{{- if ne .Values.global.proxy.enableCoreDump true }}
readOnlyRootFilesystem: true
{{- end }}
{{ "[[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]" }}
capabilities:
add:
- NET_ADMIN
runAsGroup: 1337
{{ "[[ else -]]" }}
{{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }}
runAsGroup: 1337
{{- end }}
runAsUser: 1337
{{ "[[- end ]]" }}
resources:
{{ "[[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]" }}
requests:
{{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]" }}
cpu: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"" }}
{{ "[[ end ]]" }}
{{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]" }}
memory: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]\"" }}
{{ "[[ end ]]" }}
{{ "[[ else -]]" }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 10 }}
{{- end }}
{{ "[[ end -]]" }}
volumeMounts:
{{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{ "[[- end ]]" }}
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- mountPath: /var/run/sds/uds_path
name: sds-uds-path
readOnly: true
{{- if .Values.global.sds.useTrustworthyJwt }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- else }}
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- mountPath: {{ "[[ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }}
name: lightstep-certs
readOnly: true
{{- end }}
{{ "[[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]]" }}
{{ "[[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]]" }}
- name: {{ "\"[[ $index ]]\"" }}
{{ "[[ toYaml $value | indent 4 ]]" }}
{{ "[[ end ]]" }}
{{ "[[- end ]]" }}
volumes:
{{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }}
- name: custom-bootstrap-volume
configMap:
name: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]]" }}
{{ "[[- end ]]" }}
- emptyDir:
medium: Memory
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- name: sds-uds-path
hostPath:
path: /var/run/sds/uds_path
type: Socket
{{- if .Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.trustDomain }}
{{- end }}
{{- else }}
- name: istio-certs
secret:
optional: true
{{ "[[ if eq .Spec.ServiceAccountName \"\" -]]" }}
secretName: istio.default
{{ "[[ else -]]" }}
secretName: {{ "[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]" }}
{{ "[[ end -]]" }}
{{ "[[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]]" }}
{{ "[[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]]" }}
- name: {{ "\"[[ $index ]]\"" }}
{{ "[[ toYaml $value | indent 2 ]]" }}
{{ "[[ end ]]" }}
{{ "[[ end ]]" }}
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- name: lightstep-certs
secret:
optional: true
secretName: lightstep.cacert
{{- end }}
{{- end }}
{{- if .Values.global.podDNSSearchNamespaces }}
dnsConfig:
searches:
{{- range .Values.global.podDNSSearchNamespaces }}
- {{ . }}
{{- end }}
{{ .Files.Get "files/injection-template.yaml" | indent 6 }}
{{- end }}
charts/rancher-istio/0.0.1/tests/crd_certmanager_test.yaml deleted 100644 → 0
suite: Test Certmanager CRDs
templates:
- crd-certmanager.yaml
tests:
- it: should create certmanager CRDs
set:
enableCRDs: true
certmanager.enabled: true
asserts:
- hasDocuments:
count: 5
- isKind:
of: CustomResourceDefinition
- it: should not render certmanager CRDs
set:
enableCRDs: true
certmanager.enabled: false
asserts:
- hasDocuments:
count: 0
- it: should set helm crd hook annotations
set:
enableCRDs: true
certmanager.enabled: true
asserts:
- equal:
path: metadata.annotations
value:
helm.sh/resource-policy: keep
helm.sh/hook: "crd-install"
charts/rancher-istio/0.0.1/tests/crd_test.yaml deleted 100644 → 0
suite: Test Istio CRDs
templates:
- crds.yaml
tests:
- it: should create custom resource definition
set:
enableCRDs: true
asserts:
- hasDocuments:
count: 53 #istio v1.1.5 contains total 53 CRDs
- isKind:
of: CustomResourceDefinition
- it: should not render custom resource definition
set:
enableCRDs: false
asserts:
- hasDocuments:
count: 0
- it: should set helm crd hook annotations
set:
enableCRDs: true
asserts:
- equal:
path: metadata.annotations
value:
helm.sh/resource-policy: keep
helm.sh/hook: "crd-install"
charts/rancher-istio/0.0.1/values.yaml
......@@ -23,7 +23,7 @@ gateways:
#
sidecarInjectorWebhook:
repository: rancher/istio-sidecar_injector
tag: "1.1.5"
tag: "1.2.0"
enabled: true
#
......@@ -32,7 +32,7 @@ sidecarInjectorWebhook:
#
galley:
repository: rancher/istio-galley
tag: 1.1.5
tag: 1.2.0
enabled: true
#
......@@ -41,7 +41,7 @@ galley:
# @see charts/mixer/values.yaml, it takes precedence
mixer:
repository: rancher/istio-mixer
tag: "1.1.5"
tag: "1.2.0"
enabled: true
policy:
# if policy is enabled the global.disablePolicyChecks has affect.
......@@ -55,7 +55,7 @@ mixer:
# @see charts/pilot/values.yaml
pilot:
repository: rancher/istio-pilot
tag: "1.1.5"
tag: "1.2.0"
enabled: true
#
......@@ -63,7 +63,7 @@ pilot:
#
security:
repository: rancher/istio-citadel
tag: "1.1.5"
tag: "1.2.0"
enabled: true
#
......@@ -77,7 +77,7 @@ nodeagent:
#
grafana:
repository: rancher/grafana-grafana
tag: 5.4.0
tag: 6.1.6
enabled: false
#
......@@ -85,7 +85,7 @@ grafana:
#
prometheus:
repository: rancher/prom-prometheus
tag: v2.3.1
tag: v2.8.0
enabled: true
#
......@@ -105,10 +105,16 @@ tracing:
#
kiali:
repository: rancher/kiali-kiali
tag: v0.17
tag: v0.20
enabled: true
#
# addon certmanager configuration
#
certmanager:
enabled: false
#
# Istio CNI plugin enabled
# This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately.
# If true, the privileged initContainer istio-init is not needed to perform the traffic redirect
......@@ -128,9 +134,6 @@ istiocoredns:
tag: 0.2-istio-1.1
enabled: false
certmanager:
enabled: false
# Common settings used among istio subcharts.
global:
# Specify rancher domain and clusterId of external tracing config
......@@ -148,7 +151,7 @@ global:
# Default tag for Istio images.
# tag: release-1.1-latest-daily
tag: 1.1.5
tag: 1.2.0
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
......@@ -158,7 +161,7 @@ global:
kubectl:
repository: rancher/istio-kubectl
tag: 1.1.5
tag: 1.2.0
# monitoring port used by mixer, pilot, galley
monitoringPort: 15014
......@@ -182,7 +185,7 @@ global:
proxy:
repository: rancher/istio-proxyv2
tag: 1.1.5
tag: 1.2.0
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
......@@ -194,7 +197,7 @@ global:
memory: 128Mi
limits:
cpu: 2000m
memory: 128Mi
memory: 1024Mi
# Controls number of Proxy worker threads.
# If set to 0 (default), then start worker thread for each CPU thread/core.
......@@ -217,9 +220,13 @@ global:
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: ""
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.
componentLogLevel: ""
# Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS
# 5 seconds is the default refresh rate used by Envoy
dnsRefreshRate: 5s
# This must be given it terms of seconds. For example, 300s is valid but 5m is invalid.
dnsRefreshRate: 300s
#If set to true, istio-proxy container will have privileged securityContext
privileged: false
......@@ -246,6 +253,7 @@ global:
# be allowed by the sidecar
includeIPRanges: "*"
excludeIPRanges: ""
excludeOutboundPorts: ""
# pod internal interfaces
kubevirtInterfaces: ""
......@@ -291,14 +299,14 @@ global:
proxy_init:
# Base name for the proxy_init container, used to configure iptables.
repository: rancher/istio-proxy_init
tag: "1.1.5"
tag: "1.2.0"
# imagePullPolicy is applied to istio control plane components.
# local tests require IfNotPresent, to avoid uploading to dockerhub.
# TODO: Switch to Always as default, and override in the local tests.
imagePullPolicy: IfNotPresent
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
......@@ -348,7 +356,7 @@ global:
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any clustser configured with private docker registry.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets:
# - private-registry-key
......@@ -466,7 +474,7 @@ global:
nodeAgent:
repository: rancher/istio-node-agent-k8s
tag: "1.1.5"
tag: "1.2.0"
sds:
# SDS enabled. IF set to true, mTLS certificates for the sidecars will be
# distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
......@@ -484,8 +492,9 @@ global:
# The second network, `network2`, in this example is defined differently with all endpoints
# retrieved through the specified Multi-Cluster registry being mapped to network2. The
# gateway is also defined differently with the name of the gateway service on the remote
# cluster. The public IP for the gateway will be determined from that remote service (not
# supported yet).
# cluster. The public IP for the gateway will be determined from that remote service (only
# LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
# it still need to be configured manually).
#
# meshNetworks:
# network1:
......@@ -498,7 +507,7 @@ global:
# endpoints:
# - fromRegistry: reg1
# gateways:
# - registryServiceName: istio-ingressgateway
# - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
# port: 443
#
meshNetworks: {}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment