Unverified Commit 89c34b61 by Denise Committed by GitHub

Merge pull request #68 from alena1108/jun19

[backport 2.3-preview2] Istio 1.2
parents 5f3cd2c3 9c5e36ae
apiVersion: v1 apiVersion: v1
name: rancher-istio name: rancher-istio
version: 0.0.1 version: 0.0.1
appVersion: 1.1.5 appVersion: 1.2.0
tillerVersion: ">=2.7.2-0" tillerVersion: ">=2.7.2-0"
description: Helm chart for all istio components description: Helm chart for all istio components
home: https://istio.io/ home: https://istio.io/
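Review bot: `version: 0.0.1` is unchanged while `appVersion` moves from 1.1.5 to 1.2.0 and the templates and defaults below change with it. Two different chart contents then share one chart version, so an installed release cannot be told apart from the previous one by version alone. Bump `version` together with `appVersion`.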
......
...@@ -2,13 +2,17 @@ ...@@ -2,13 +2,17 @@
[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. [Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
The documentation here is for developers only, please follow the installation instructions from [istio.io](https://istio.io/docs/setup/kubernetes/install/helm/) for all other uses.
## Introduction ## Introduction
This chart bootstraps all istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. This chart bootstraps all Istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Chart Details ## Chart Details
This chart can install multiple istio components as subcharts: This chart can install multiple Istio components as subcharts:
- ingressgateway - ingressgateway
- egressgateway - egressgateway
- sidecarInjectorWebhook - sidecarInjectorWebhook
...@@ -18,7 +22,6 @@ This chart can install multiple istio components as subcharts: ...@@ -18,7 +22,6 @@ This chart can install multiple istio components as subcharts:
- security(citadel) - security(citadel)
- grafana - grafana
- prometheus - prometheus
- servicegraph
- tracing(jaeger) - tracing(jaeger)
- kiali - kiali
...@@ -105,12 +108,6 @@ The chart deploys pods that consume minimum resources as specified in the resour ...@@ -105,12 +108,6 @@ The chart deploys pods that consume minimum resources as specified in the resour
EOF EOF
``` ```
1. Add `istio.io` chart repository and point to the release:
```
$ helm repo add istio.io https://storage.googleapis.com/istio-prerelease/daily-build/release-1.1-latest-daily/charts
```
1. To install the chart with the release name `istio` in namespace $NAMESPACE you defined above: 1. To install the chart with the release name `istio` in namespace $NAMESPACE you defined above:
- With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0): - With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0):
...@@ -128,39 +125,7 @@ The chart deploys pods that consume minimum resources as specified in the resour ...@@ -128,39 +125,7 @@ The chart deploys pods that consume minimum resources as specified in the resour
The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides. The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides.
To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation. To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation.
Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table: Helm charts expose configuration options which are currently in alpha. The currently exposed options can be found [here](https://istio.io/docs/reference/config/installation-options/).
| Parameter | Description | Values | Default |
| --- | --- | --- | --- |
| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` |
| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` |
| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` |
| `global.proxy.concurrency` | Specifies the number of proxy worker threads | number, 0 = auto | `0` |
| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` |
| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` |
| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` |
| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `ingress.enabled` | Specifies whether Ingress should be installed | true/false | `true` |
| `gateways.enabled` | Specifies whether gateway(both Ingres and Egress) should be installed | true/false | `true` |
| `gateways.istio-ingressgateway.enabled` | Specifies whether Ingress gateway should be installed | true/false | `true` |
| `gateways.istio-egressgateway.enabled` | Specifies whether Egress gateway should be installed | true/false | `true` |
| `sidecarInjectorWebhook.enabled` | Specifies whether automatic sidecar-injector should be installed | true/false | `true` |
| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation | true/false | `true` |
| `security.enabled` | Specifies whether Citadel should be installed | true/false | `true` |
| `mixer.policy.enabled` | Specifies whether Mixer Policy should be installed | true/false | `true` |
| `mixer.telemetry.enabled` | Specifies whether Mixer Telemetry should be installed | true/false | `true` |
| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` |
| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` |
| `grafana.persist` | Specifies whether Grafana addon should persist config data | true/false | `false` |
| `grafana.storageClassName` | If `grafana.persist` is true, specifies the [`StorageClass`](https://kubernetes.io/docs/concepts/storage/storage-classes/) to use for the `PersistentVolumeClaim` | `StorageClass` | "" |
| `grafana.accessMode` | If `grafana.persist` is true, specifies the [`Access Mode`](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use for the `PersistentVolumeClaim` | RWO/ROX/RWX | `ReadWriteMany` |
| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` |
| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` |
| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` |
| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` |
## Uninstalling the Chart ## Uninstalling the Chart
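Review bot: the replacement sentence for the parameter table points at an unversioned upstream URL (`https://istio.io/docs/reference/config/installation-options/`), while this chart is pinned to `appVersion: 1.2.0` and carries its own values, so the linked reference will drift from what the chart actually accepts. The removed table was also the only place in this README that stated the defaults for `global.mtls.enabled` and `global.controlPlaneSecurityEnabled` (both `false`). Link a version-specific page and keep at least the security-relevant defaults documented locally; a descriptive link text would also read better than "here".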
......
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
## Introduction ## Introduction
This chart bootstraps all istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. This chart bootstraps all Istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Chart Details ## Chart Details
......
apiVersion: apps/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: certmanager name: certmanager
...@@ -9,7 +9,7 @@ metadata: ...@@ -9,7 +9,7 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
replicas: 1 replicas: {{ .Values.replicaCount }}
selector: selector:
matchLabels: matchLabels:
app: certmanager app: certmanager
...@@ -38,7 +38,7 @@ spec: ...@@ -38,7 +38,7 @@ spec:
{{- if .Values.global.systemDefaultRegistry }} {{- if .Values.global.systemDefaultRegistry }}
image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
{{- else }} {{- else }}
image: {{ .Values.image.hub }}/{{ .Values.image.repository }}:{{ .Values.image.tag }} image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }} imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args: args:
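Review bot: in the `else` branch the image reference drops `{{ .Values.image.hub }}/`, and the values file removes `hub: quay.io`, so without `global.systemDefaultRegistry` the image becomes `rancher/jetstack-cert-manager-controller:v0.6.2` with no registry host. The container runtime will resolve that against whatever default registry it is configured with, which changes the source the controller is pulled from compared with the previous explicit `quay.io`. Either keep an explicit registry value for the fallback path or state in the values file which registry is expected, and consider pinning the image by digest rather than by tag alone.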
...@@ -54,6 +54,7 @@ spec: ...@@ -54,6 +54,7 @@ spec:
fieldPath: metadata.namespace fieldPath: metadata.namespace
resources: resources:
{{ toYaml .Values.resources | indent 10 }} {{ toYaml .Values.resources | indent 10 }}
{{- if .Values.podDnsPolicy }} {{- if .Values.podDnsPolicy }}
dnsPolicy: {{ .Values.podDnsPolicy }} dnsPolicy: {{ .Values.podDnsPolicy }}
{{- end }} {{- end }}
...@@ -64,3 +65,7 @@ spec: ...@@ -64,3 +65,7 @@ spec:
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
\ No newline at end of file
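Review bot: the added `tolerations` block ends the file without a trailing newline (see the `\ No newline at end of file` marker). Add the newline so a later append to this template does not produce a spurious one-line diff or join onto the `{{- end }}`.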
...@@ -4,12 +4,13 @@ ...@@ -4,12 +4,13 @@
# gateway must be updated by adding 'secretVolumes'. After the gateway # gateway must be updated by adding 'secretVolumes'. After the gateway
# restart, DestinationRules can be created using the ACME-signed certificates. # restart, DestinationRules can be created using the ACME-signed certificates.
enabled: false enabled: false
replicaCount: 1
image: image:
hub: quay.io
repository: rancher/jetstack-cert-manager-controller repository: rancher/jetstack-cert-manager-controller
tag: v0.6.2 tag: v0.6.2
resources: {} resources: {}
nodeSelector: {} nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -29,5 +30,5 @@ nodeSelector: {} ...@@ -29,5 +30,5 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: istio-galley name: istio-galley
...@@ -11,6 +11,9 @@ metadata: ...@@ -11,6 +11,9 @@ metadata:
istio: galley istio: galley
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
istio: galley
strategy: strategy:
rollingUpdate: rollingUpdate:
maxSurge: 1 maxSurge: 1
...@@ -46,6 +49,7 @@ spec: ...@@ -46,6 +49,7 @@ spec:
- --livenessProbePath=/healthliveness - --livenessProbePath=/healthliveness
- --readinessProbePath=/healthready - --readinessProbePath=/healthready
- --readinessProbeInterval=1s - --readinessProbeInterval=1s
- --deployment-namespace={{ .Release.Namespace }}
{{- if $.Values.global.controlPlaneSecurityEnabled}} {{- if $.Values.global.controlPlaneSecurityEnabled}}
- --insecure=false - --insecure=false
{{- else }} {{- else }}
...@@ -107,3 +111,7 @@ spec: ...@@ -107,3 +111,7 @@ spec:
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
...@@ -3,7 +3,6 @@ apiVersion: admissionregistration.k8s.io/v1beta1 ...@@ -3,7 +3,6 @@ apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration kind: ValidatingWebhookConfiguration
metadata: metadata:
name: istio-galley name: istio-galley
namespace: {{ .Release.Namespace }}
labels: labels:
app: {{ template "galley.name" . }} app: {{ template "galley.name" . }}
chart: {{ template "galley.chart" . }} chart: {{ template "galley.chart" . }}
...@@ -65,6 +64,7 @@ webhooks: ...@@ -65,6 +64,7 @@ webhooks:
- sidecars - sidecars
- virtualservices - virtualservices
failurePolicy: Fail failurePolicy: Fail
sideEffects: None
- name: mixer.validation.istio.io - name: mixer.validation.istio.io
clientConfig: clientConfig:
service: service:
...@@ -109,6 +109,12 @@ webhooks: ...@@ -109,6 +109,12 @@ webhooks:
- quotas - quotas
- reportnothings - reportnothings
- tracespans - tracespans
- adapters
- handlers
- instances
- templates
- zipkins
failurePolicy: Fail failurePolicy: Fail
sideEffects: None
{{- end }} {{- end }}
{{- end }} {{- end }}
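Review bot: the `mixer.validation.istio.io` webhook now also covers `adapters`, `handlers`, `instances`, `templates` and `zipkins`, and it keeps `failurePolicy: Fail`. Every write to those kinds is therefore rejected whenever Galley is unreachable, and the Galley values in this commit still default to `replicaCount: 1`. Fail-closed is the right choice for validation, but the chart should say so next to `replicaCount` and recommend more than one replica where these resources are managed continuously.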
suite: Test Galley Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
asserts:
- equal:
path: spec.replicas
value: 1
- equal:
path: spec.template.spec.containers[0].ports
value:
- containerPort: 443
- containerPort: 15014
- containerPort: 9901
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
suite: Test Galley RBAC
templates:
- clusterrole.yaml
tests:
- it: should pass all kinds of assertion
set:
asserts:
- isNotNull:
path: rules
- isNotEmpty:
path: rules
- contains:
path: rules
content:
apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["*"]
- isKind:
of: ClusterRole
- isAPIVersion:
of: rbac.authorization.k8s.io/v1
- hasDocuments:
count: 1
...@@ -4,6 +4,7 @@ ...@@ -4,6 +4,7 @@
enabled: true enabled: true
replicaCount: 1 replicaCount: 1
nodeSelector: {} nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -23,5 +24,5 @@ nodeSelector: {} ...@@ -23,5 +24,5 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
...@@ -11,10 +11,6 @@ ...@@ -11,10 +11,6 @@
{{- define "gatewayNodeAffinityRequiredDuringScheduling" }} {{- define "gatewayNodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms: nodeSelectorTerms:
- matchExpressions: - matchExpressions:
- key: beta.kubernetes.io/os
operator: In
values:
- linux
- key: beta.kubernetes.io/arch - key: beta.kubernetes.io/arch
operator: In operator: In
values: values:
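Review bot: removing the `beta.kubernetes.io/os In linux` expression from `gatewayNodeAffinityRequiredDuringScheduling` leaves only the architecture key as a hard scheduling requirement. In a cluster with non-Linux nodes of a matching architecture the gateway pods can now be placed on a node where the image cannot run. If the label key is the reason for the removal, replace the expression rather than dropping the OS constraint.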
...@@ -66,7 +62,7 @@ ...@@ -66,7 +62,7 @@
matchExpressions: matchExpressions:
- key: {{ $item.key }} - key: {{ $item.key }}
operator: {{ $item.operator }} operator: {{ $item.operator }}
{{- if $item.value }} {{- if $item.values }}
values: values:
{{- $vals := split "," $item.values }} {{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }} {{- range $i, $v := $vals }}
......
...@@ -7,15 +7,17 @@ metadata: ...@@ -7,15 +7,17 @@ metadata:
name: {{ $key }} name: {{ $key }}
namespace: {{ $spec.namespace | default $.Release.Namespace }} namespace: {{ $spec.namespace | default $.Release.Namespace }}
labels: labels:
app: {{ $spec.labels.istio }}
chart: {{ template "gateway.chart" $ }} chart: {{ template "gateway.chart" $ }}
heritage: {{ $.Release.Service }} heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }} release: {{ $.Release.Name }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
spec: spec:
maxReplicas: {{ $spec.autoscaleMax }} maxReplicas: {{ $spec.autoscaleMax }}
minReplicas: {{ $spec.autoscaleMin }} minReplicas: {{ $spec.autoscaleMin }}
scaleTargetRef: scaleTargetRef:
apiVersion: apps/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
name: {{ $key }} name: {{ $key }}
metrics: metrics:
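Review bot: the new `range $key, $val := $spec.labels` inside `labels:` reuses the name `$key`, which the surrounding template also uses for the gateway name (`name: {{ $key }}` above and under `scaleTargetRef`). Template scoping restores the outer value after `{{- end }}`, but the shadowing is easy to break when lines are moved; use distinct names for the inner pair. The label values are also emitted unquoted (`{{ $key }}: {{ $val }}`), so a value such as `true` or `1` would be parsed as a non-string; pipe the value through `quote`.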
......
{{- range $key, $spec := .Values }}
{{- if ne $key "enabled" }}
{{- if $spec.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $key }}-{{ $.Release.Namespace }}
labels:
app: {{ $spec.labels.istio }}
chart: {{ template "gateway.chart" $ }}
heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }}
rules:
- apiGroups: ["networking.istio.io"]
resources: ["virtualservices", "destinationrules", "gateways"]
verbs: ["get", "watch", "list", "update"]
---
{{- end }}
{{- end }}
{{- end }}
{{- range $key, $spec := .Values }}
{{- if ne $key "enabled" }}
{{- if $spec.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $key }}-{{ $.Release.Namespace }}
labels:
app: {{ $spec.labels.istio }}
chart: {{ template "gateway.chart" $ }}
heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $key }}-{{ $.Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ $key }}-service-account
namespace: {{ $.Release.Namespace }}
---
{{- end }}
{{- end }}
{{- end }}
{{- range $key, $spec := .Values }} {{- range $key, $spec := .Values }}
{{- if ne $key "enabled" }} {{- if ne $key "enabled" }}
{{- if $spec.enabled }} {{- if $spec.enabled }}
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ $key }} name: {{ $key }}
...@@ -21,6 +21,12 @@ spec: ...@@ -21,6 +21,12 @@ spec:
replicas: 1 replicas: 1
{{- end }} {{- end }}
{{- end }} {{- end }}
selector:
matchLabels:
release: {{ $.Release.Name }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
template: template:
metadata: metadata:
labels: labels:
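Review bot: the added `selector.matchLabels` copies `release` plus every entry of `$spec.labels` into the selector. With `apiVersion: apps/v1` the selector of an existing Deployment is immutable, so any later change to a gateway's `labels` in values, or a different release name, will make the upgrade fail on this object. Select on a small fixed set of labels (for example the `app` and `istio` keys) and leave the remaining user-supplied labels on the pod template only.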
...@@ -44,7 +50,7 @@ spec: ...@@ -44,7 +50,7 @@ spec:
initContainers: initContainers:
- name: enable-core-dump - name: enable-core-dump
image: "{{ template "system_default_registry" $ }}{{ $.Values.global.proxy_init.repository }}:{{ $.Values.global.proxy_init.tag }}" image: "{{ template "system_default_registry" $ }}{{ $.Values.global.proxy_init.repository }}:{{ $.Values.global.proxy_init.tag }}"
imagePullPolicy: IfNotPresent imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
command: command:
- /bin/sh - /bin/sh
args: args:
...@@ -59,6 +65,12 @@ spec: ...@@ -59,6 +65,12 @@ spec:
- name: ingress-sds - name: ingress-sds
image: "{{ template "system_default_registry" $ }}{{ $.Values.global.nodeAgent.repository }}:{{ $.Values.global.nodeAgent.tag }}" image: "{{ template "system_default_registry" $ }}{{ $.Values.global.nodeAgent.repository }}:{{ $.Values.global.nodeAgent.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
resources:
{{- if $spec.sds.resources }}
{{ toYaml $spec.sds.resources | indent 12 }}
{{- else }}
{{ toYaml $.Values.global.defaultResources | indent 12 }}
{{- end }}
env: env:
- name: "ENABLE_WORKLOAD_SDS" - name: "ENABLE_WORKLOAD_SDS"
value: "false" value: "false"
...@@ -92,6 +104,9 @@ spec: ...@@ -92,6 +104,9 @@ spec:
{{- if $.Values.global.proxy.logLevel }} {{- if $.Values.global.proxy.logLevel }}
- --proxyLogLevel={{ $.Values.global.proxy.logLevel }} - --proxyLogLevel={{ $.Values.global.proxy.logLevel }}
{{- end}} {{- end}}
{{- if $.Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ $.Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if $.Values.global.logging.level }} {{- if $.Values.global.logging.level }}
- --log_output_level={{ $.Values.global.logging.level }} - --log_output_level={{ $.Values.global.logging.level }}
{{- end}} {{- end}}
...@@ -162,6 +177,11 @@ spec: ...@@ -162,6 +177,11 @@ spec:
{{ toYaml $.Values.global.defaultResources | indent 12 }} {{ toYaml $.Values.global.defaultResources | indent 12 }}
{{- end }} {{- end }}
env: env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
...@@ -206,7 +226,7 @@ spec: ...@@ -206,7 +226,7 @@ spec:
volumeMounts: volumeMounts:
{{- if $.Values.global.sds.enabled }} {{- if $.Values.global.sds.enabled }}
- name: sdsudspath - name: sdsudspath
mountPath: /var/run/sds/uds_path mountPath: /var/run/sds
readOnly: true readOnly: true
{{- if $.Values.global.sds.useTrustworthyJwt }} {{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token - name: istio-token
...@@ -240,8 +260,7 @@ spec: ...@@ -240,8 +260,7 @@ spec:
{{- if $.Values.global.sds.enabled }} {{- if $.Values.global.sds.enabled }}
- name: sdsudspath - name: sdsudspath
hostPath: hostPath:
path: /var/run/sds/uds_path path: /var/run/sds
type: Socket
{{- if $.Values.global.sds.useTrustworthyJwt }} {{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token - name: istio-token
projected: projected:
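Review bot: the `sdsudspath` hostPath changes from the socket `/var/run/sds/uds_path` to the directory `/var/run/sds`, and `type: Socket` is removed without a replacement. With no `type` the kubelet performs no check on what exists at that path, and the pod now receives the whole directory from the node instead of a single socket. Set `type: Directory` so a missing or unexpected path fails at pod start, and keep `readOnly: true` on the corresponding volumeMount as it is in the hunk above.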
...@@ -271,6 +290,10 @@ spec: ...@@ -271,6 +290,10 @@ spec:
affinity: affinity:
{{- include "gatewaynodeaffinity" (dict "root" $ "nodeSelector" $spec.nodeSelector) | indent 6 }} {{- include "gatewaynodeaffinity" (dict "root" $ "nodeSelector" $spec.nodeSelector) | indent 6 }}
{{- include "gatewaypodAntiAffinity" (dict "podAntiAffinityLabelSelector" $spec.podAntiAffinityLabelSelector "podAntiAffinityTermLabelSelector" $spec.podAntiAffinityTermLabelSelector) | indent 6 }} {{- include "gatewaypodAntiAffinity" (dict "podAntiAffinityLabelSelector" $spec.podAntiAffinityLabelSelector "podAntiAffinityTermLabelSelector" $spec.podAntiAffinityTermLabelSelector) | indent 6 }}
{{- if $spec.tolerations }}
tolerations:
{{ toYaml $spec.tolerations | indent 6 }}
{{- end }}
--- ---
{{- end }} {{- end }}
{{- end }} {{- end }}
......
...@@ -84,7 +84,15 @@ metadata: ...@@ -84,7 +84,15 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
selector: selector:
istio: ingressgateway {{- range $key, $spec := .Values }}
{{- if eq $key "istio-ingressgateway" }}
{{- if $spec.enabled }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
servers: servers:
- port: - port:
number: 15011 number: 15011
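Review bot: under `selector:` every emitted label now sits inside `{{- if $spec.enabled }}`, so when `istio-ingressgateway` is disabled or its `labels` map is empty the key renders with no entries. The hunk does not show whether the enclosing resource is guarded by the same condition; if it is not, the resource is created with an empty selector instead of the previous fixed `istio: ingressgateway`. Guard the whole resource on the same flag, and look the entry up directly with `index .Values "istio-ingressgateway"` instead of ranging over all of `.Values` to find one key.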
...@@ -123,7 +131,15 @@ metadata: ...@@ -123,7 +131,15 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
selector: selector:
istio: egressgateway {{- range $key, $spec := .Values }}
{{- if eq $key "istio-egressgateway" }}
{{- if $spec.enabled }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
servers: servers:
- hosts: - hosts:
- "*.global" - "*.global"
...@@ -146,7 +162,15 @@ metadata: ...@@ -146,7 +162,15 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
selector: selector:
istio: ingressgateway {{- range $key, $spec := .Values }}
{{- if eq $key "istio-ingressgateway" }}
{{- if $spec.enabled }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
servers: servers:
- hosts: - hosts:
- "*.global" - "*.global"
...@@ -169,7 +193,15 @@ metadata: ...@@ -169,7 +193,15 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
workloadLabels: workloadLabels:
istio: ingressgateway {{- range $key, $spec := .Values }}
{{- if eq $key "istio-ingressgateway" }}
{{- if $spec.enabled }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
filters: filters:
- listenerMatch: - listenerMatch:
portNumber: 15443 portNumber: 15443
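Review bot: `workloadLabels` gets the same conditional block as the three selectors above, so with `istio-ingressgateway` disabled or unlabeled it renders empty and the filter matching `portNumber: 15443` is no longer restricted to the ingress gateway's pods. That is a wider scope than the previous fixed `istio: ingressgateway`. Skip rendering this resource when no labels are available, and move the four identical blocks in this file into one named template so the guard is written once.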
......
suite: Test Gateway Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
istio-ingressgateway.enabled: true
istio-ilbgateway.enabled: false
istio-egressgateway.enabled: false
istio-ingressgateway.autoscaleEnabled: true
asserts:
- isNull:
path: spec.replicas
- contains:
path: spec.template.spec.containers[0].ports
content:
containerPort: 80
- contains:
path: spec.template.spec.containers[0].ports
content:
containerPort: 443
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
- it: should deploy 3 gateways
set:
istio-ingressgateway.enabled: true
istio-ilbgateway.enabled: true
istio-egressgateway.enabled: true
asserts:
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 3
- it: should not deploy gateways
set:
istio-ingressgateway.enabled: false
istio-ilbgateway.enabled: false
istio-egressgateway.enabled: false
asserts:
- hasDocuments:
count: 0
...@@ -17,6 +17,14 @@ istio-ingressgateway: ...@@ -17,6 +17,14 @@ istio-ingressgateway:
enabled: false enabled: false
# SDS server that watches kubernetes secrets and provisions credentials to ingress gateway. # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.
# This server runs in the same pod as ingress gateway. # This server runs in the same pod as ingress gateway.
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
labels: labels:
app: istio-ingressgateway app: istio-ingressgateway
istio: ingressgateway istio: ingressgateway
...@@ -31,7 +39,7 @@ istio-ingressgateway: ...@@ -31,7 +39,7 @@ istio-ingressgateway:
memory: 128Mi memory: 128Mi
limits: limits:
cpu: 2000m cpu: 2000m
memory: 256Mi memory: 1024Mi
cpu: cpu:
targetAverageUtilization: 80 targetAverageUtilization: 80
loadBalancerIP: "" loadBalancerIP: ""
...@@ -104,12 +112,22 @@ istio-ingressgateway: ...@@ -104,12 +112,22 @@ istio-ingressgateway:
secretName: istio-ingressgateway-ca-certs secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs mountPath: /etc/istio/ingressgateway-ca-certs
### Advanced options ############ ### Advanced options ############
# Ports to explicitly check for readiness. If configured, the readiness check will expect a
# listener on these ports. A comma separated list is expected, such as "80,443".
#
# Warning: If you do not have a gateway configured for the ports provided, this check will always
# fail. This is intended for use cases where you always expect to have a listener on the port,
# such as 80 or 443 in typical setups.
applicationPorts: ""
env: env:
# A gateway with this mode ensures that pilot generates an additional # A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to # set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing. # enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "sni-dnat" ISTIO_META_ROUTER_MODE: "sni-dnat"
nodeSelector: {} nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -129,8 +147,8 @@ istio-ingressgateway: ...@@ -129,8 +147,8 @@ istio-ingressgateway:
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
istio-egressgateway: istio-egressgateway:
enabled: false enabled: false
...@@ -185,6 +203,7 @@ istio-egressgateway: ...@@ -185,6 +203,7 @@ istio-egressgateway:
# enable cross cluster routing. # enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "sni-dnat" ISTIO_META_ROUTER_MODE: "sni-dnat"
nodeSelector: {} nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -204,8 +223,8 @@ istio-egressgateway: ...@@ -204,8 +223,8 @@ istio-egressgateway:
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
# Mesh ILB gateway creates a gateway of type InternalLoadBalancer, # Mesh ILB gateway creates a gateway of type InternalLoadBalancer,
# for mesh expansion. It exposes the mtls ports for Pilot,CA as well # for mesh expansion. It exposes the mtls ports for Pilot,CA as well
...@@ -255,3 +274,4 @@ istio-ilbgateway: ...@@ -255,3 +274,4 @@ istio-ilbgateway:
secretName: istio-ilbgateway-ca-certs secretName: istio-ilbgateway-ca-certs
mountPath: /etc/istio/ilbgateway-ca-certs mountPath: /etc/istio/ilbgateway-ca-certs
nodeSelector: {} nodeSelector: {}
tolerations: []
...@@ -296,14 +296,14 @@ ...@@ -296,14 +296,14 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))", "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))",
"format": "time_series", "format": "time_series",
"intervalFactor": 2, "intervalFactor": 2,
"legendFormat": "Total (k8s)", "legendFormat": "Total (k8s)",
"refId": "A" "refId": "A"
}, },
{ {
"expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)", "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)",
"format": "time_series", "format": "time_series",
"intervalFactor": 2, "intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)", "legendFormat": "{{ container_name }} (k8s)",
......
{ {
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "5.2.3"
},
{
"type": "panel",
"id": "graph",
"name": "Graph",
"version": "5.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "5.0.0"
},
{
"type": "panel",
"id": "text",
"name": "Text",
"version": "5.0.0"
}
],
"annotations": { "annotations": {
"list": [ "list": [
{ {
...@@ -51,23 +15,66 @@ ...@@ -51,23 +15,66 @@
"editable": false, "editable": false,
"gnetId": null, "gnetId": null,
"graphTooltip": 0, "graphTooltip": 0,
"id": null, "id": 9,
"links": [], "links": [],
"panels": [ "panels": [
{ {
"collapsed": true,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"id": 21,
"panels": [
{
"content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.\n\n\n",
"gridPos": {
"h": 6,
"w": 24,
"x": 0,
"y": 1
},
"id": 19,
"links": [],
"mode": "markdown",
"timeFrom": null,
"timeShift": null,
"title": "Performance Dashboard README",
"transparent": true,
"type": "text"
}
],
"title": "Performance Dashboard Notes",
"type": "row"
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 1
},
"id": 6,
"panels": [],
"title": "vCPU Usage",
"type": "row"
},
{
"aliasColors": {}, "aliasColors": {},
"bars": false, "bars": false,
"dashLength": 10, "dashLength": 10,
"dashes": false, "dashes": false,
"datasource": "Prometheus",
"fill": 1, "fill": 1,
"gridPos": { "gridPos": {
"h": 9, "h": 8,
"w": 12, "w": 12,
"x": 0, "x": 0,
"y": 0 "y": 2
}, },
"id": 2, "id": 4,
"legend": { "legend": {
"avg": false, "avg": false,
"current": false, "current": false,
...@@ -82,7 +89,7 @@ ...@@ -82,7 +89,7 @@
"links": [], "links": [],
"nullPointMode": "null", "nullPointMode": "null",
"percentage": false, "percentage": false,
"pointradius": 5, "pointradius": 2,
"points": false, "points": false,
"renderer": "flot", "renderer": "flot",
"seriesOverrides": [], "seriesOverrides": [],
...@@ -91,28 +98,30 @@ ...@@ -91,28 +98,30 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
"format": "time_series", "format": "time_series",
"hide": false,
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-telemetry", "legendFormat": "istio-telemetry",
"refId": "A" "refId": "A"
}, },
{ {
"expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)", "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))",
"format": "time_series", "format": "time_series",
"hide": false,
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-ingressgateway", "legendFormat": "istio-ingressgateway",
"refId": "B" "refId": "B"
}, },
{ {
"expr": "(sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-proxy", "legendFormat": "istio-proxy",
"refId": "C" "refId": "C"
}, },
{ {
"expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-policy", "legendFormat": "istio-policy",
...@@ -121,6 +130,7 @@ ...@@ -121,6 +130,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "vCPU / 1k rps", "title": "vCPU / 1k rps",
"tooltip": { "tooltip": {
...@@ -164,15 +174,14 @@ ...@@ -164,15 +174,14 @@
"bars": false, "bars": false,
"dashLength": 10, "dashLength": 10,
"dashes": false, "dashes": false,
"datasource": "Prometheus",
"fill": 1, "fill": 1,
"gridPos": { "gridPos": {
"h": 9, "h": 8,
"w": 12, "w": 12,
"x": 12, "x": 12,
"y": 0 "y": 2
}, },
"id": 6, "id": 7,
"legend": { "legend": {
"avg": false, "avg": false,
"current": false, "current": false,
...@@ -187,7 +196,7 @@ ...@@ -187,7 +196,7 @@
"links": [], "links": [],
"nullPointMode": "null", "nullPointMode": "null",
"percentage": false, "percentage": false,
"pointradius": 5, "pointradius": 2,
"points": false, "points": false,
"renderer": "flot", "renderer": "flot",
"seriesOverrides": [], "seriesOverrides": [],
...@@ -196,28 +205,28 @@ ...@@ -196,28 +205,28 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-telemetry", "legendFormat": "istio-telemetry",
"refId": "A" "refId": "A"
}, },
{ {
"expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))", "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-ingressgateway", "legendFormat": "istio-ingressgateway",
"refId": "B" "refId": "B"
}, },
{ {
"expr": "sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))", "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-proxy", "legendFormat": "istio-proxy",
"refId": "C" "refId": "C"
}, },
{ {
"expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-policy", "legendFormat": "istio-policy",
...@@ -226,6 +235,7 @@ ...@@ -226,6 +235,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "vCPU", "title": "vCPU",
"tooltip": { "tooltip": {
...@@ -265,19 +275,31 @@ ...@@ -265,19 +275,31 @@
} }
}, },
{ {
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 10
},
"id": 13,
"panels": [],
"title": "Memory and Data Rates",
"type": "row"
},
{
"aliasColors": {}, "aliasColors": {},
"bars": false, "bars": false,
"dashLength": 10, "dashLength": 10,
"dashes": false, "dashes": false,
"datasource": "Prometheus",
"fill": 1, "fill": 1,
"gridPos": { "gridPos": {
"h": 9, "h": 8,
"w": 12, "w": 12,
"x": 0, "x": 0,
"y": 9 "y": 11
}, },
"id": 4, "id": 902,
"legend": { "legend": {
"avg": false, "avg": false,
"current": false, "current": false,
...@@ -292,7 +314,7 @@ ...@@ -292,7 +314,7 @@
"links": [], "links": [],
"nullPointMode": "null", "nullPointMode": "null",
"percentage": false, "percentage": false,
"pointradius": 5, "pointradius": 2,
"points": false, "points": false,
"renderer": "flot", "renderer": "flot",
"seriesOverrides": [], "seriesOverrides": [],
...@@ -312,14 +334,14 @@ ...@@ -312,14 +334,14 @@
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "per istio-ingressgateway", "legendFormat": "per istio-ingressgateway",
"refId": "C" "refId": "B"
}, },
{ {
"expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})", "expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "per istio-proxy", "legendFormat": "per istio proxy",
"refId": "B" "refId": "C"
}, },
{ {
"expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
...@@ -331,8 +353,9 @@ ...@@ -331,8 +353,9 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Memory", "title": "Memory Usage",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
...@@ -348,7 +371,7 @@ ...@@ -348,7 +371,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "decbytes", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
...@@ -374,15 +397,14 @@ ...@@ -374,15 +397,14 @@
"bars": false, "bars": false,
"dashLength": 10, "dashLength": 10,
"dashes": false, "dashes": false,
"datasource": "Prometheus",
"fill": 1, "fill": 1,
"gridPos": { "gridPos": {
"h": 9, "h": 8,
"w": 12, "w": 12,
"x": 12, "x": 12,
"y": 9 "y": 11
}, },
"id": 5, "id": 11,
"legend": { "legend": {
"avg": false, "avg": false,
"current": false, "current": false,
...@@ -397,7 +419,7 @@ ...@@ -397,7 +419,7 @@
"links": [], "links": [],
"nullPointMode": "null", "nullPointMode": "null",
"percentage": false, "percentage": false,
"pointradius": 5, "pointradius": 2,
"points": false, "points": false,
"renderer": "flot", "renderer": "flot",
"seriesOverrides": [], "seriesOverrides": [],
...@@ -417,25 +439,26 @@ ...@@ -417,25 +439,26 @@
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-ingressgateway", "legendFormat": "istio-ingressgateway",
"refId": "C" "refId": "B"
}, },
{ {
"expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-proxy", "legendFormat": "istio-proxy",
"refId": "D" "refId": "C"
}, },
{ {
"expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "istio-policy", "legendFormat": "istio_policy",
"refId": "E" "refId": "D"
} }
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Bytes transferred / sec", "title": "Bytes transferred / sec",
"tooltip": { "tooltip": {
...@@ -453,7 +476,7 @@ ...@@ -453,7 +476,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "bytes", "format": "Bps",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
...@@ -475,26 +498,36 @@ ...@@ -475,26 +498,36 @@
} }
}, },
{ {
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 19
},
"id": 17,
"panels": [],
"title": "Istio Component Versions",
"type": "row"
},
{
"aliasColors": {}, "aliasColors": {},
"bars": false, "bars": false,
"dashLength": 10, "dashLength": 10,
"dashes": false, "dashes": false,
"datasource": "Prometheus",
"fill": 1, "fill": 1,
"gridPos": { "gridPos": {
"h": 9, "h": 8,
"w": 24, "w": 24,
"x": 0, "x": 0,
"y": 18 "y": 20
}, },
"id": 8, "id": 15,
"legend": { "legend": {
"alignAsTable": false,
"avg": false, "avg": false,
"current": false, "current": false,
"max": false, "max": false,
"min": false, "min": false,
"rightSide": false,
"show": true, "show": true,
"total": false, "total": false,
"values": false "values": false
...@@ -504,7 +537,7 @@ ...@@ -504,7 +537,7 @@
"links": [], "links": [],
"nullPointMode": "null", "nullPointMode": "null",
"percentage": false, "percentage": false,
"pointradius": 5, "pointradius": 2,
"points": false, "points": false,
"renderer": "flot", "renderer": "flot",
"seriesOverrides": [], "seriesOverrides": [],
...@@ -522,6 +555,7 @@ ...@@ -522,6 +555,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Istio Components by Version", "title": "Istio Components by Version",
"tooltip": { "tooltip": {
...@@ -529,7 +563,6 @@ ...@@ -529,7 +563,6 @@
"sort": 0, "sort": 0,
"value_type": "individual" "value_type": "individual"
}, },
"transparent": false,
"type": "graph", "type": "graph",
"xaxis": { "xaxis": {
"buckets": null, "buckets": null,
...@@ -553,7 +586,7 @@ ...@@ -553,7 +586,7 @@
"logBase": 1, "logBase": 1,
"max": null, "max": null,
"min": null, "min": null,
"show": false "show": true
} }
], ],
"yaxis": { "yaxis": {
...@@ -562,21 +595,1192 @@ ...@@ -562,21 +595,1192 @@
} }
}, },
{ {
"content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only. \n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance. \n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.", "collapsed": false,
"gridPos": { "gridPos": {
"h": 4, "h": 1,
"w": 24, "w": 24,
"x": 0, "x": 0,
"y": 18 "y": 31
}, },
"id": 11, "id": 71,
"panels": [],
"title": "Proxy Resource Usage",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 0,
"y": 32
},
"id": 72,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [], "links": [],
"mode": "markdown", "nullPointMode": "null",
"title": "Istio Performance Dashboard Readme", "percentage": false,
"type": "text" "pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(container_memory_usage_bytes{container_name=\"istio-proxy\"})",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Memory",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 6,
"y": 32
},
"id": 73,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=\"istio-proxy\"}[1m]))",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "A",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "vCPU",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 12,
"y": 32
},
"id": 702,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(container_fs_usage_bytes{container_name=\"istio-proxy\"})",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{ container_name }}",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Disk",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"decimals": null,
"format": "none",
"label": "",
"logBase": 1024,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 39
},
"id": 69,
"panels": [],
"title": "Pilot Resource Usage",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 0,
"y": 40
},
"id": 5,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "process_virtual_memory_bytes{job=\"pilot\"}",
"format": "time_series",
"instant": false,
"intervalFactor": 2,
"legendFormat": "Virtual Memory",
"refId": "I",
"step": 2
},
{
"expr": "process_resident_memory_bytes{job=\"pilot\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Resident Memory",
"refId": "H",
"step": 2
},
{
"expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}",
"format": "time_series",
"hide": true,
"intervalFactor": 2,
"legendFormat": "heap sys",
"refId": "A"
},
{
"expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}",
"format": "time_series",
"hide": true,
"intervalFactor": 2,
"legendFormat": "heap alloc",
"refId": "D"
},
{
"expr": "go_memstats_alloc_bytes{job=\"pilot\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Alloc",
"refId": "F",
"step": 2
},
{
"expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Heap in-use",
"refId": "E",
"step": 2
},
{
"expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Stack in-use",
"refId": "G",
"step": 2
},
{
"expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "C",
"step": 2
},
{
"expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Memory",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 6,
"y": 40
},
"id": 602,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "A",
"step": 2
},
{
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
"refId": "B",
"step": 2
},
{
"expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "pilot (self-reported)",
"refId": "C",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "vCPU",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 12,
"y": 40
},
"id": 74,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "process_open_fds{job=\"pilot\"}",
"format": "time_series",
"hide": true,
"instant": false,
"interval": "",
"intervalFactor": 2,
"legendFormat": "Open FDs (pilot)",
"refId": "A"
},
{
"expr": "container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{ container_name }}",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Disk",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"decimals": null,
"format": "none",
"label": "",
"logBase": 1024,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 18,
"y": 40
},
"id": 402,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "go_goroutines{job=\"pilot\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Number of Goroutines",
"refId": "A",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Goroutines",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 47
},
"id": 93,
"panels": [],
"title": "Mixer Resource Usage",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 0,
"y": 48
},
"id": 94,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"instant": false,
"intervalFactor": 2,
"legendFormat": "Virtual Memory",
"refId": "I",
"step": 2
},
{
"expr": "process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Resident Memory",
"refId": "H",
"step": 2
},
{
"expr": "go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"hide": true,
"intervalFactor": 2,
"legendFormat": "heap sys",
"refId": "A"
},
{
"expr": "go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"hide": true,
"intervalFactor": 2,
"legendFormat": "heap alloc",
"refId": "D"
},
{
"expr": "go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Alloc",
"refId": "F",
"step": 2
},
{
"expr": "go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Heap in-use",
"refId": "E",
"step": 2
},
{
"expr": "go_memstats_stack_inuse_bytes{job=~\"istio-policy|istio-telemetry\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Stack in-use",
"refId": "G",
"step": 2
},
{
"expr": "sum(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"})",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "C",
"step": 2
},
{
"expr": "container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Memory",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 6,
"y": 48
},
"id": 95,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}[1m]))",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "Total (k8s)",
"refId": "A",
"step": 2
},
{
"expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}[1m])) by (container_name)",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "{{ container_name }} (k8s)",
"refId": "B",
"step": 2
},
{
"expr": "irate(process_cpu_seconds_total{job=~\"istio-policy|istio-telemetry\"}[1m])",
"format": "time_series",
"hide": false,
"intervalFactor": 2,
"legendFormat": "mixer (self-reported)",
"refId": "C",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "vCPU",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 12,
"y": 48
},
"id": 96,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "process_open_fds{job=~\"istio-policy|istio-telemetry\"}",
"format": "time_series",
"hide": true,
"instant": false,
"interval": "",
"intervalFactor": 2,
"legendFormat": "Open FDs (pilot)",
"refId": "A"
},
{
"expr": "container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{ container_name }}",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Disk",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"decimals": null,
"format": "none",
"label": "",
"logBase": 1024,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 7,
"w": 6,
"x": 18,
"y": 48
},
"id": 97,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "go_goroutines{job=\"istio-telemetry\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Number of Goroutines",
"refId": "A",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Goroutines",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
} }
], ],
"schemaVersion": 16, "refresh": "10s",
"schemaVersion": 18,
"style": "dark", "style": "dark",
"tags": [], "tags": [],
"templating": { "templating": {
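Review bot: in the new "Disk" panel the `process_open_fds{job=~"istio-policy|istio-telemetry"}` target carries the legend "Open FDs (pilot)", which looks copied from the Pilot dashboard; it should name mixer. The resource panels are also inconsistent about scope. The Go memstats targets in "Memory" select both `istio-telemetry` and `istio-policy`, but the `container_memory_usage_bytes` and `container_fs_usage_bytes` targets match only `pod_name=~"istio-telemetry-.*"`, and "Goroutines" selects only `job="istio-telemetry"`. The vCPU targets add `job="kubernetes-cadvisor"` while the container memory and disk targets do not. Pick one scope and one cadvisor selector and apply them to every target in this row.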
...@@ -613,5 +1817,6 @@ ...@@ -613,5 +1817,6 @@
}, },
"timezone": "", "timezone": "",
"title": "Istio Performance Dashboard", "title": "Istio Performance Dashboard",
"version": 4 "uid": "vu8e0VWZk",
"version": 22
} }
...@@ -1742,7 +1742,7 @@ ...@@ -1742,7 +1742,7 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)",
"format": "time_series", "format": "time_series",
"hide": false, "hide": false,
"intervalFactor": 1, "intervalFactor": 1,
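Review bot: changing the denominator from `rate(...[5m])` to `irate(...[5m])` makes both sides of the ratio use the same function, but `irate` only uses the last two samples in the window, so the `[5m]` range no longer smooths anything and the success-rate line will be spiky. Since this panel is what splits traffic into `connection_security_policy="mutual_tls"` and everything else, a stable curve is more useful here; consider `rate` on both numerator and denominator instead. The same applies to the other success-rate targets changed in this commit.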
...@@ -1751,7 +1751,7 @@ ...@@ -1751,7 +1751,7 @@
"step": 2 "step": 2
}, },
{ {
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)",
"format": "time_series", "format": "time_series",
"hide": false, "hide": false,
"intervalFactor": 1, "intervalFactor": 1,
......
...@@ -654,7 +654,7 @@ ...@@ -654,7 +654,7 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)",
"format": "time_series", "format": "time_series",
"hide": false, "hide": false,
"intervalFactor": 1, "intervalFactor": 1,
...@@ -663,7 +663,7 @@ ...@@ -663,7 +663,7 @@
"step": 2 "step": 2
}, },
{ {
"expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)",
"format": "time_series", "format": "time_series",
"hide": false, "hide": false,
"intervalFactor": 1, "intervalFactor": 1,
......
...@@ -356,7 +356,7 @@ ...@@ -356,7 +356,7 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
"format": "time_series", "format": "time_series",
"hide": false, "hide": false,
"intervalFactor": 2, "intervalFactor": 2,
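Review bot: the added `job="kubernetes-cadvisor"` selector hard-codes the name of a Prometheus scrape job, so this panel goes empty without any error on a cluster whose cadvisor job is named differently. Either document that the chart's Prometheus configuration must define a job with exactly this name, or expose the job name as a dashboard variable so it can be changed in one place.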
...@@ -364,7 +364,7 @@ ...@@ -364,7 +364,7 @@
"refId": "A" "refId": "A"
}, },
{ {
"expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
"format": "time_series", "format": "time_series",
"hide": false, "hide": false,
"intervalFactor": 2, "intervalFactor": 2,
...@@ -1599,7 +1599,7 @@ ...@@ -1599,7 +1599,7 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", "expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"format": "time_series", "format": "time_series",
"intervalFactor": 2, "intervalFactor": 2,
"legendFormat": "{{ handler }} (error: {{ error }})", "legendFormat": "{{ handler }} (error: {{ error }})",
...@@ -1683,21 +1683,21 @@ ...@@ -1683,21 +1683,21 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"format": "time_series", "format": "time_series",
"intervalFactor": 2, "intervalFactor": 2,
"legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})",
"refId": "A" "refId": "A"
}, },
{ {
"expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"format": "time_series", "format": "time_series",
"intervalFactor": 2, "intervalFactor": 2,
"legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})",
"refId": "D" "refId": "D"
}, },
{ {
"expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
"format": "time_series", "format": "time_series",
"intervalFactor": 2, "intervalFactor": 2,
"legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})",
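Review bot: the three quantile targets in this hunk are not computed the same way. The p50 target wraps `rate(mixer_runtime_dispatch_duration_seconds_bucket...[1m])` while p90 and p99 use `irate(...)`, so the percentiles shown on one graph come from different windows and cannot be compared directly. The `adapter=~"$adapter"` change is fine, but use the same function (preferably `rate`) in all three expressions while touching these lines.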
......
{ {
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "5.2.3"
},
{
"type": "panel",
"id": "graph",
"name": "Graph",
"version": "5.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "5.0.0"
},
{
"type": "panel",
"id": "text",
"name": "Text",
"version": "5.0.0"
}
],
"annotations": { "annotations": {
"list": [ "list": [
{ {
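Review bot: removing `__inputs` and `__requires` drops the declared `DS_PROMETHEUS` input and the minimum Grafana (5.2.3) and plugin versions, so nothing in the file now says which datasource or Grafana release the dashboard expects. The panels reference a datasource literally named "Prometheus", and `schemaVersion` is raised to 18 later in this file; note both requirements in the chart README or values comments so an import into a differently configured Grafana does not fail silently.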
...@@ -51,24 +15,21 @@ ...@@ -51,24 +15,21 @@
"editable": false, "editable": false,
"gnetId": null, "gnetId": null,
"graphTooltip": 1, "graphTooltip": 1,
"id": null, "id": 6,
"links": [], "links": [],
"panels": [ "panels": [
{ {
"content": "<center><h2>Deployed Versions</h2></center>", "collapsed": false,
"gridPos": { "gridPos": {
"h": 3, "h": 1,
"w": 24, "w": 24,
"x": 0, "x": 0,
"y": 0 "y": 0
}, },
"height": "40", "id": 60,
"id": 58, "panels": [],
"links": [], "title": "Deployed Versions",
"mode": "html", "type": "row"
"title": "",
"transparent": true,
"type": "text"
}, },
{ {
"aliasColors": {}, "aliasColors": {},
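Review bot: `"id": null` becoming `"id": 6` bakes one Grafana instance's internal dashboard id into a file that is shipped with the chart. On import or provisioning that id can collide with an unrelated dashboard already stored under 6; identity should come from the `uid` added at the end of this file. Keep `"id": null` here.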
...@@ -81,7 +42,7 @@ ...@@ -81,7 +42,7 @@
"h": 5, "h": 5,
"w": 24, "w": 24,
"x": 0, "x": 0,
"y": 3 "y": 1
}, },
"id": 56, "id": 56,
"legend": { "legend": {
...@@ -116,6 +77,7 @@ ...@@ -116,6 +77,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Pilot Versions", "title": "Pilot Versions",
"tooltip": { "tooltip": {
...@@ -155,20 +117,17 @@ ...@@ -155,20 +117,17 @@
} }
}, },
{ {
"content": "<center><h2>Resource Usage</h2></center>", "collapsed": false,
"gridPos": { "gridPos": {
"h": 3, "h": 1,
"w": 24, "w": 24,
"x": 0, "x": 0,
"y": 8 "y": 6
}, },
"height": "40", "id": 62,
"id": 29, "panels": [],
"links": [], "title": "Resource Usage",
"mode": "html", "type": "row"
"title": "",
"transparent": true,
"type": "text"
}, },
{ {
"aliasColors": {}, "aliasColors": {},
...@@ -181,7 +140,7 @@ ...@@ -181,7 +140,7 @@
"h": 7, "h": 7,
"w": 6, "w": 6,
"x": 0, "x": 0,
"y": 11 "y": 7
}, },
"id": 5, "id": 5,
"legend": { "legend": {
...@@ -285,6 +244,7 @@ ...@@ -285,6 +244,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Memory", "title": "Memory",
"tooltip": { "tooltip": {
...@@ -334,7 +294,7 @@ ...@@ -334,7 +294,7 @@
"h": 7, "h": 7,
"w": 6, "w": 6,
"x": 6, "x": 6,
"y": 11 "y": 7
}, },
"id": 6, "id": 6,
"legend": { "legend": {
...@@ -360,7 +320,7 @@ ...@@ -360,7 +320,7 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))",
"format": "time_series", "format": "time_series",
"hide": false, "hide": false,
"intervalFactor": 2, "intervalFactor": 2,
...@@ -369,7 +329,7 @@ ...@@ -369,7 +329,7 @@
"step": 2 "step": 2
}, },
{ {
"expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)",
"format": "time_series", "format": "time_series",
"hide": false, "hide": false,
"intervalFactor": 2, "intervalFactor": 2,
...@@ -389,6 +349,7 @@ ...@@ -389,6 +349,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "CPU", "title": "CPU",
"tooltip": { "tooltip": {
...@@ -438,7 +399,7 @@ ...@@ -438,7 +399,7 @@
"h": 7, "h": 7,
"w": 6, "w": 6,
"x": 12, "x": 12,
"y": 11 "y": 7
}, },
"id": 7, "id": 7,
"legend": { "legend": {
...@@ -484,6 +445,7 @@ ...@@ -484,6 +445,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Disk", "title": "Disk",
"tooltip": { "tooltip": {
...@@ -534,7 +496,7 @@ ...@@ -534,7 +496,7 @@
"h": 7, "h": 7,
"w": 6, "w": 6,
"x": 18, "x": 18,
"y": 11 "y": 7
}, },
"id": 4, "id": 4,
"legend": { "legend": {
...@@ -570,6 +532,7 @@ ...@@ -570,6 +532,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Goroutines", "title": "Goroutines",
"tooltip": { "tooltip": {
...@@ -609,19 +572,238 @@ ...@@ -609,19 +572,238 @@
} }
}, },
{ {
"content": "<center><h2>xDS</h2></center>", "collapsed": false,
"gridPos": { "gridPos": {
"h": 3, "h": 1,
"w": 24, "w": 24,
"x": 0, "x": 0,
"y": 18 "y": 14
},
"id": 58,
"panels": [],
"title": "Pilot Push Information",
"type": "row"
},
{
"aliasColors": {},
"bars": true,
"dashLength": 10,
"dashes": false,
"description": "Shows pilot pushes",
"fill": 1,
"gridPos": {
"h": 8,
"w": 12,
"x": 0,
"y": 15
}, },
"id": 28, "id": 622,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": false,
"linewidth": 1,
"links": [], "links": [],
"mode": "html", "nullPointMode": "null as zero",
"title": "", "paceLength": 10,
"transparent": true, "percentage": false,
"type": "text" "pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": true,
"steppedLine": false,
"targets": [
{
"expr": "sum(rate(pilot_xds_pushes{type!~\".*_senderr\"}[1m])) by (type)",
"format": "time_series",
"instant": false,
"interval": "",
"intervalFactor": 1,
"legendFormat": "{{ type }}",
"refId": "B",
"step": 2
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Pilot Pushes",
"tooltip": {
"shared": false,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": [
"total"
]
},
"yaxes": [
{
"format": "ops",
"label": null,
"logBase": 1,
"max": null,
"min": "0",
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"description": "Captures a variety of pilot errors",
"fill": 1,
"gridPos": {
"h": 8,
"w": 12,
"x": 12,
"y": 15
},
"id": 67,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
"legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}",
"refId": "C"
},
{
"expr": "pilot_xds_eds_reject{job=\"pilot\"}",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
"legendFormat": "Rejected EDS Configs",
"refId": "D"
},
{
"expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "Write Timeouts",
"refId": "F"
},
{
"expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "Push Timeouts",
"refId": "G"
},
{
"expr": "sum(rate(pilot_xds_push_errors{job=\"pilot\"}[1m]))",
"format": "time_series",
"hide": false,
"intervalFactor": 1,
"legendFormat": "Push Errors ({{ type }})",
"refId": "I"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Pilot Errors",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 23
},
"id": 64,
"panels": [],
"title": "xDS",
"type": "row"
}, },
{ {
"aliasColors": {}, "aliasColors": {},
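Review bot: in the new "Pilot Errors" panel the last target is `sum(rate(pilot_xds_push_errors{job="pilot"}[1m]))` with legend "Push Errors ({{ type }})". The `sum` has no `by (type)`, so the `type` label is aggregated away and the legend placeholder renders empty; add `by (type)` or drop the placeholder. Also, the "Pilot Pushes" panel (id 622) has no `"datasource"` key while "Pilot Errors" sets `"datasource": "Prometheus"`, so the first panel falls back to whatever the default datasource is. Set it explicitly for consistency.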
...@@ -634,7 +816,7 @@ ...@@ -634,7 +816,7 @@
"h": 6, "h": 6,
"w": 8, "w": 8,
"x": 0, "x": 0,
"y": 21 "y": 24
}, },
"id": 40, "id": 40,
"legend": { "legend": {
...@@ -670,6 +852,7 @@ ...@@ -670,6 +852,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Updates", "title": "Updates",
"tooltip": { "tooltip": {
...@@ -719,7 +902,7 @@ ...@@ -719,7 +902,7 @@
"h": 6, "h": 6,
"w": 8, "w": 8,
"x": 8, "x": 8,
"y": 21 "y": 24
}, },
"id": 42, "id": 42,
"legend": { "legend": {
...@@ -755,6 +938,7 @@ ...@@ -755,6 +938,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Failures", "title": "Failures",
"tooltip": { "tooltip": {
...@@ -804,7 +988,7 @@ ...@@ -804,7 +988,7 @@
"h": 6, "h": 6,
"w": 8, "w": 8,
"x": 16, "x": 16,
"y": 21 "y": 24
}, },
"id": 41, "id": 41,
"legend": { "legend": {
...@@ -840,6 +1024,7 @@ ...@@ -840,6 +1024,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Active Connections", "title": "Active Connections",
"tooltip": { "tooltip": {
...@@ -889,7 +1074,7 @@ ...@@ -889,7 +1074,7 @@
"h": 8, "h": 8,
"w": 8, "w": 8,
"x": 0, "x": 0,
"y": 27 "y": 30
}, },
"id": 45, "id": 45,
"legend": { "legend": {
...@@ -945,6 +1130,7 @@ ...@@ -945,6 +1130,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Conflicts", "title": "Conflicts",
"tooltip": { "tooltip": {
...@@ -994,7 +1180,7 @@ ...@@ -994,7 +1180,7 @@
"h": 8, "h": 8,
"w": 8, "w": 8,
"x": 8, "x": 8,
"y": 27 "y": 30
}, },
"id": 47, "id": 47,
"legend": { "legend": {
...@@ -1087,6 +1273,7 @@ ...@@ -1087,6 +1273,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "ADS Monitoring", "title": "ADS Monitoring",
"tooltip": { "tooltip": {
...@@ -1136,7 +1323,7 @@ ...@@ -1136,7 +1323,7 @@
"h": 8, "h": 8,
"w": 8, "w": 8,
"x": 16, "x": 16,
"y": 27 "y": 30
}, },
"id": 49, "id": 49,
"legend": { "legend": {
...@@ -1171,6 +1358,7 @@ ...@@ -1171,6 +1358,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Rejected CDS Configs", "title": "Rejected CDS Configs",
"tooltip": { "tooltip": {
...@@ -1220,7 +1408,7 @@ ...@@ -1220,7 +1408,7 @@
"h": 7, "h": 7,
"w": 8, "w": 8,
"x": 0, "x": 0,
"y": 35 "y": 38
}, },
"id": 52, "id": 52,
"legend": { "legend": {
...@@ -1255,6 +1443,7 @@ ...@@ -1255,6 +1443,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Rejected EDS Configs", "title": "Rejected EDS Configs",
"tooltip": { "tooltip": {
...@@ -1304,7 +1493,7 @@ ...@@ -1304,7 +1493,7 @@
"h": 7, "h": 7,
"w": 8, "w": 8,
"x": 8, "x": 8,
"y": 35 "y": 38
}, },
"id": 54, "id": 54,
"legend": { "legend": {
...@@ -1339,6 +1528,7 @@ ...@@ -1339,6 +1528,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Rejected LDS Configs", "title": "Rejected LDS Configs",
"tooltip": { "tooltip": {
...@@ -1388,7 +1578,7 @@ ...@@ -1388,7 +1578,7 @@
"h": 7, "h": 7,
"w": 8, "w": 8,
"x": 16, "x": 16,
"y": 35 "y": 38
}, },
"id": 53, "id": 53,
"legend": { "legend": {
...@@ -1423,6 +1613,7 @@ ...@@ -1423,6 +1613,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Rejected RDS Configs", "title": "Rejected RDS Configs",
"tooltip": { "tooltip": {
...@@ -1474,7 +1665,7 @@ ...@@ -1474,7 +1665,7 @@
"h": 7, "h": 7,
"w": 8, "w": 8,
"x": 0, "x": 0,
"y": 42 "y": 45
}, },
"id": 51, "id": 51,
"legend": { "legend": {
...@@ -1514,6 +1705,7 @@ ...@@ -1514,6 +1705,7 @@
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null, "timeFrom": null,
"timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "EDS Instances", "title": "EDS Instances",
"tooltip": { "tooltip": {
...@@ -1554,7 +1746,7 @@ ...@@ -1554,7 +1746,7 @@
} }
], ],
"refresh": "5s", "refresh": "5s",
"schemaVersion": 16, "schemaVersion": 18,
"style": "dark", "style": "dark",
"tags": [], "tags": [],
"templating": { "templating": {
...@@ -1591,5 +1783,6 @@ ...@@ -1591,5 +1783,6 @@
}, },
"timezone": "browser", "timezone": "browser",
"title": "Istio Pilot Dashboard", "title": "Istio Pilot Dashboard",
"version": 4 "uid": "3--MLVZZk",
"version": 1
} }
File mode changed from 100644 to 100755
...@@ -14,6 +14,12 @@ metadata: ...@@ -14,6 +14,12 @@ metadata:
chart: {{ template "grafana.chart" . }} chart: {{ template "grafana.chart" . }}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
......
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: grafana name: grafana
...@@ -10,6 +10,9 @@ metadata: ...@@ -10,6 +10,9 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: grafana
template: template:
metadata: metadata:
labels: labels:
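Review bot: the new `selector.matchLabels` contains only `app: grafana`, while the pod template also carries a `release: {{ .Release.Name }}` label. With `apps/v1` the selector is required and immutable, so it is worth getting right now: as written, two releases of this chart in one namespace would have Deployments selecting each other's pods. Add the `release` label to `matchLabels`, and mention in the upgrade notes that the selector cannot be changed on an existing Deployment after this goes in.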
...@@ -19,6 +22,7 @@ spec: ...@@ -19,6 +22,7 @@ spec:
release: {{ .Release.Name }} release: {{ .Release.Name }}
annotations: annotations:
sidecar.istio.io/inject: "false" sidecar.istio.io/inject: "false"
prometheus.io/scrape: "true"
spec: spec:
securityContext: securityContext:
fsGroup: 472 fsGroup: 472
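Review bot: `prometheus.io/scrape: "true"` is added to the Grafana pod without matching `prometheus.io/port` or `prometheus.io/path` annotations, so which container port gets scraped depends entirely on the Prometheus relabeling defaults. State the port and path explicitly, and confirm that exposing Grafana's metrics endpoint to the scraper is intended, since this pod is explicitly kept out of the mesh with `sidecar.istio.io/inject: "false"`.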
...@@ -115,6 +119,10 @@ spec: ...@@ -115,6 +119,10 @@ spec:
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
volumes: volumes:
- name: config - name: config
configMap: configMap:
......
...@@ -26,4 +26,5 @@ spec: ...@@ -26,4 +26,5 @@ spec:
restartPolicy: Never restartPolicy: Never
affinity: affinity:
{{- include "nodeaffinity" . | indent 4 }} {{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- end }} {{- end }}
suite: Test Istio Grafana Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
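Review bot: if this suite stays in the chart, two assertions need attention. `isAPIVersion: of: extensions/v1beta1` contradicts the Deployment's move to `apps/v1` in this same commit and will fail against the rendered template. The `isNull` check on `spec.template.nodeSelector` points at a path that never exists in a Deployment (the field lives under `spec.template.spec`), so it passes regardless of what the chart renders. Update the first to `apps/v1` and the second to `spec.template.spec.nodeSelector`.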
...@@ -28,6 +28,7 @@ security: ...@@ -28,6 +28,7 @@ security:
usernameKey: username usernameKey: username
passphraseKey: passphrase passphraseKey: passphrase
nodeSelector: {} nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -47,8 +48,8 @@ nodeSelector: {} ...@@ -47,8 +48,8 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
contextPath: /grafana contextPath: /grafana
service: service:
......
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: istiocoredns name: istiocoredns
...@@ -10,6 +10,9 @@ metadata: ...@@ -10,6 +10,9 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: istiocoredns
template: template:
metadata: metadata:
name: istiocoredns name: istiocoredns
...@@ -28,7 +31,7 @@ spec: ...@@ -28,7 +31,7 @@ spec:
containers: containers:
- name: coredns - name: coredns
image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: IfNotPresent imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args: [ "-conf", "/etc/coredns/Corefile" ] args: [ "-conf", "/etc/coredns/Corefile" ]
volumeMounts: volumeMounts:
- name: config-volume - name: config-volume
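Review bot: `imagePullPolicy: {{ .Values.global.imagePullPolicy }}` has no fallback, here and on the plugin container in the next hunk, so a values file without `global.imagePullPolicy` renders an empty field where the template used to pin `IfNotPresent`. Suggest `{{ .Values.global.imagePullPolicy | default "IfNotPresent" }}` so the previous behaviour holds when the value is unset.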
...@@ -62,7 +65,7 @@ spec: ...@@ -62,7 +65,7 @@ spec:
command: command:
- /usr/local/bin/plugin - /usr/local/bin/plugin
image: "{{ template "system_default_registry" . }}{{ .Values.pluginImage.repository }}:{{ .Values.pluginImage.tag }}" image: "{{ template "system_default_registry" . }}{{ .Values.pluginImage.repository }}:{{ .Values.pluginImage.tag }}"
imagePullPolicy: IfNotPresent imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports: ports:
- containerPort: 8053 - containerPort: 8053
name: dns-grpc name: dns-grpc
...@@ -84,3 +87,7 @@ spec: ...@@ -84,3 +87,7 @@ spec:
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
...@@ -7,6 +7,7 @@ replicaCount: 1 ...@@ -7,6 +7,7 @@ replicaCount: 1
# https://github.com/istio-ecosystem/istio-coredns-plugin # https://github.com/istio-ecosystem/istio-coredns-plugin
# The plugin listens for DNS requests from coredns server at 127.0.0.1:8053 # The plugin listens for DNS requests from coredns server at 127.0.0.1:8053
nodeSelector: {} nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -26,5 +27,5 @@ nodeSelector: {} ...@@ -26,5 +27,5 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
...@@ -2,5 +2,5 @@ apiVersion: v1 ...@@ -2,5 +2,5 @@ apiVersion: v1
description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details. description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details.
name: kiali name: kiali
version: 1.1.0 version: 1.1.0
appVersion: 0.17 appVersion: 0.20
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
...@@ -15,8 +15,9 @@ rules: ...@@ -15,8 +15,9 @@ rules:
- namespaces - namespaces
- nodes - nodes
- pods - pods
- services - pods/log
- replicationcontrollers - replicationcontrollers
- services
verbs: verbs:
- get - get
- list - list
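Review bot: `pods/log` in a ClusterRole gives the Kiali service account read access to container logs in every namespace, and the same line is added to the second ClusterRole further down in this file. Application logs regularly carry tokens and personal data, so this is a wider grant than the workload metadata this rule covered before. If the log view is wanted, call it out in the chart README, and consider a namespaced Role and binding for clusters that do not want a mesh dashboard reading all logs.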
...@@ -24,8 +25,8 @@ rules: ...@@ -24,8 +25,8 @@ rules:
- apiGroups: ["extensions", "apps"] - apiGroups: ["extensions", "apps"]
resources: resources:
- deployments - deployments
- statefulsets
- replicasets - replicasets
- statefulsets
verbs: verbs:
- get - get
- list - list
...@@ -47,13 +48,19 @@ rules: ...@@ -47,13 +48,19 @@ rules:
- watch - watch
- apiGroups: ["config.istio.io"] - apiGroups: ["config.istio.io"]
resources: resources:
- adapters
- apikeys - apikeys
- bypasses
- authorizations - authorizations
- checknothings - checknothings
- circonuses - circonuses
- cloudwatches
- deniers - deniers
- dogstatsds
- edges
- fluentds - fluentds
- handlers - handlers
- instances
- kubernetesenvs - kubernetesenvs
- kuberneteses - kuberneteses
- listcheckers - listcheckers
...@@ -61,18 +68,24 @@ rules: ...@@ -61,18 +68,24 @@ rules:
- logentries - logentries
- memquotas - memquotas
- metrics - metrics
- noops
- opas - opas
- prometheuses - prometheuses
- quotas - quotas
- quotaspecbindings - quotaspecbindings
- quotaspecs - quotaspecs
- rbacs - rbacs
- redisquotas
- reportnothings - reportnothings
- rules - rules
- signalfxs
- solarwindses - solarwindses
- stackdrivers - stackdrivers
- statsds - statsds
- stdios - stdios
- templates
- tracespans
- zipkins
verbs: verbs:
- create - create
- delete - delete
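Review bot: this rule carries `create` and `delete`, and this hunk together with the previous one extends it by twelve `config.istio.io` resources at once, including `adapters`, `instances` and `templates`. `instances` follows from the Mixer config in this commit moving to `kind: instance`, but nothing in the change shows that Kiali has to write `adapters` or `templates`. Split the list so the kinds Kiali only displays sit in a rule limited to get/list/watch, and keep the write verbs for the kinds its editors actually modify.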
...@@ -95,8 +108,8 @@ rules: ...@@ -95,8 +108,8 @@ rules:
- watch - watch
- apiGroups: ["authentication.istio.io"] - apiGroups: ["authentication.istio.io"]
resources: resources:
- policies
- meshpolicies - meshpolicies
- policies
verbs: verbs:
- create - create
- delete - delete
...@@ -108,8 +121,8 @@ rules: ...@@ -108,8 +121,8 @@ rules:
resources: resources:
- clusterrbacconfigs - clusterrbacconfigs
- rbacconfigs - rbacconfigs
- serviceroles
- servicerolebindings - servicerolebindings
- serviceroles
verbs: verbs:
- create - create
- delete - delete
...@@ -122,6 +135,7 @@ rules: ...@@ -122,6 +135,7 @@ rules:
- monitoringdashboards - monitoringdashboards
verbs: verbs:
- get - get
- list
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
...@@ -140,8 +154,9 @@ rules: ...@@ -140,8 +154,9 @@ rules:
- namespaces - namespaces
- nodes - nodes
- pods - pods
- services - pods/log
- replicationcontrollers - replicationcontrollers
- services
verbs: verbs:
- get - get
- list - list
...@@ -149,8 +164,8 @@ rules: ...@@ -149,8 +164,8 @@ rules:
- apiGroups: ["extensions", "apps"] - apiGroups: ["extensions", "apps"]
resources: resources:
- deployments - deployments
- statefulsets
- replicasets - replicasets
- statefulsets
verbs: verbs:
- get - get
- list - list
...@@ -172,13 +187,19 @@ rules: ...@@ -172,13 +187,19 @@ rules:
- watch - watch
- apiGroups: ["config.istio.io"] - apiGroups: ["config.istio.io"]
resources: resources:
- adapters
- apikeys - apikeys
- bypasses
- authorizations - authorizations
- checknothings - checknothings
- circonuses - circonuses
- cloudwatches
- deniers - deniers
- dogstatsds
- edges
- fluentds - fluentds
- handlers - handlers
- instances
- kubernetesenvs - kubernetesenvs
- kuberneteses - kuberneteses
- listcheckers - listcheckers
...@@ -186,20 +207,24 @@ rules: ...@@ -186,20 +207,24 @@ rules:
- logentries - logentries
- memquotas - memquotas
- metrics - metrics
- noops
- opas - opas
- prometheuses - prometheuses
- quotas - quotas
- quotaspecbindings - quotaspecbindings
- quotaspecs - quotaspecs
- rbacs - rbacs
- redisquotas
- reportnothings - reportnothings
- rules - rules
- servicecontrolreports - signalfxs
- servicecontrols
- solarwindses - solarwindses
- stackdrivers - stackdrivers
- statsds - statsds
- stdios - stdios
- templates
- tracespans
- zipkins
verbs: verbs:
- get - get
- list - list
...@@ -216,8 +241,8 @@ rules: ...@@ -216,8 +241,8 @@ rules:
- watch - watch
- apiGroups: ["authentication.istio.io"] - apiGroups: ["authentication.istio.io"]
resources: resources:
- policies
- meshpolicies - meshpolicies
- policies
verbs: verbs:
- get - get
- list - list
...@@ -226,8 +251,8 @@ rules: ...@@ -226,8 +251,8 @@ rules:
resources: resources:
- clusterrbacconfigs - clusterrbacconfigs
- rbacconfigs - rbacconfigs
- serviceroles
- servicerolebindings - servicerolebindings
- serviceroles
verbs: verbs:
- get - get
- list - list
...@@ -237,3 +262,4 @@ rules: ...@@ -237,3 +262,4 @@ rules:
- monitoringdashboards - monitoringdashboards
verbs: verbs:
- get - get
- list
...@@ -10,7 +10,7 @@ metadata: ...@@ -10,7 +10,7 @@ metadata:
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: kiali name: kiali{{- if .Values.dashboard.viewOnlyMode }}-viewer{{- end }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: kiali-service-account name: kiali-service-account
......
...@@ -14,12 +14,12 @@ data: ...@@ -14,12 +14,12 @@ data:
server: server:
port: 20001 port: 20001
external_services: external_services:
istio: tracing:
url_service_version: http://istio-pilot:8080/version service: "tracing/jaeger"
jaeger: {{- if and .Values.global.rancher (and .Values.global.rancher.domain .Values.global.rancher.clusterId) }}
service: "jaeger-query" {{- if not .Values.dashboard.jaegerURL }}
{{- if .Values.dashboard.jaegerURL }} url: 'https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:tracing:80/proxy/jaeger'
url: {{ .Values.dashboard.jaegerURL }} {{- end }}
{{- end }} {{- end }}
grafana: grafana:
custom_metrics_url: "http://prometheus.{{ .Release.Namespace }}:9090" custom_metrics_url: "http://prometheus.{{ .Release.Namespace }}:9090"
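Review bot: a user-supplied `dashboard.jaegerURL` is no longer written anywhere in this ConfigMap. The old block emitted `url: {{ .Values.dashboard.jaegerURL }}` when the value was set; the new one emits only the Rancher proxy URL, and only when the value is not set, while values.yaml in this commit still documents `jaegerURL` as the external Jaeger URL. Render the configured URL in its own `{{- if .Values.dashboard.jaegerURL }}` branch outside the Rancher condition, and quote it.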
......
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: kiali name: kiali
...@@ -23,6 +23,9 @@ spec: ...@@ -23,6 +23,9 @@ spec:
release: {{ .Release.Name }} release: {{ .Release.Name }}
annotations: annotations:
sidecar.istio.io/inject: "false" sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
prometheus.io/scrape: "true"
prometheus.io/port: "9090"
spec: spec:
serviceAccountName: kiali-service-account serviceAccountName: kiali-service-account
{{- if .Values.global.priorityClassName }} {{- if .Values.global.priorityClassName }}
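Review bot: `scheduler.alpha.kubernetes.io/critical-pod: ""` marks the Kiali dashboard as a critical pod, a scheduling privilege meant for cluster-essential components rather than an observability UI. The template already honours `global.priorityClassName` on the lines just below, so drop the alpha annotation and let operators opt in through a priority class.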
...@@ -39,10 +42,6 @@ spec: ...@@ -39,10 +42,6 @@ spec:
- "4" - "4"
env: env:
{{- if and .Values.global.rancher (and .Values.global.rancher.domain .Values.global.rancher.clusterId) }} {{- if and .Values.global.rancher (and .Values.global.rancher.domain .Values.global.rancher.clusterId) }}
{{- if not .Values.dashboard.jaegerURL }}
- name: JAEGER_URL
value: 'https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/tracing:80/proxy/jaeger'
{{- end }}
{{- if not .Values.dashboard.grafanaURL }} {{- if not .Values.dashboard.grafanaURL }}
- name: GRAFANA_URL - name: GRAFANA_URL
value: 'https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:grafana:80/proxy/' value: 'https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:grafana:80/proxy/'
...@@ -75,6 +74,8 @@ spec: ...@@ -75,6 +74,8 @@ spec:
volumeMounts: volumeMounts:
- name: kiali-configuration - name: kiali-configuration
mountPath: "/kiali-configuration" mountPath: "/kiali-configuration"
- name: kiali-secret
mountPath: "/kiali-secret"
resources: resources:
{{- if .Values.resources }} {{- if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }} {{ toYaml .Values.resources | indent 10 }}
...@@ -111,6 +112,10 @@ spec: ...@@ -111,6 +112,10 @@ spec:
- key: nginx.conf - key: nginx.conf
mode: 438 mode: 438
path: nginx.conf path: nginx.conf
- name: kiali-secret
secret:
secretName: {{ .Values.dashboard.secretName }}
optional: true
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
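Review bot: with `optional: true` on the `kiali-secret` volume the pod starts even when the Secret named by `dashboard.secretName` does not exist, so a wrong name surfaces only at runtime instead of as a pod that fails to mount. Make the volume optional only when `dashboard.authStrategy` is `anonymous`, so that a login configuration without its Secret fails at deploy time.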
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: kiali name: {{ .Values.dashboard.secretName }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app: {{ template "kiali.name" . }} app: {{ template "kiali.name" . }}
......
...@@ -26,4 +26,5 @@ spec: ...@@ -26,4 +26,5 @@ spec:
restartPolicy: Never restartPolicy: Never
affinity: affinity:
{{- include "nodeaffinity" . | indent 4 }} {{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- end }} {{- end }}
suite: Test Istio Kiali Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
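Review bot: `isAPIVersion: of: extensions/v1beta1` contradicts the Kiali `deployment.yaml` in this same commit, which moves the Deployment to `apps/v1`, so this suite either fails as written or is not being run in CI. Change the expected value to `apps/v1` and confirm the suite is wired into the build.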
# #
# addon kiali # addon kiali
# #
enabled: false enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`.
replicaCount: 1 replicaCount: 1
contextPath: / contextPath: /
nodeSelector: {} nodeSelector: {}
...@@ -24,8 +24,8 @@ nodeSelector: {} ...@@ -24,8 +24,8 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
ingress: ingress:
enabled: false enabled: false
...@@ -44,15 +44,15 @@ ingress: ...@@ -44,15 +44,15 @@ ingress:
dashboard: dashboard:
# login/anonymous # login/anonymous
authStrategy: anonymous authStrategy: anonymous
secretName: kiali
username: admin username: admin
passphrase: admin passphrase: admin
# Override the automatically detected Grafana URL, useful when Grafana service has no ExternalIPs secretName: kiali # You must create a secret with this name - one is not provided out-of-box.
grafanaURL: viewOnlyMode: false # Bind the service account to a role with only read access
grafanaURL: # If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. Kiali will redirect users to this URL when Grafana metrics are to be shown.
jaegerURL: # If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown.
# Override the automatically detected Jaeger URL, useful when Jaeger service has no ExternalIPs
jaegerURL:
prometheusAddr: http://prometheus:9090 prometheusAddr: http://prometheus:9090
service: service:
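Review bot: the defaults in this block combine `authStrategy: anonymous` with `viewOnlyMode: false`, so out of the box the role binding changed in this commit points at the `kiali` role, the one with create/delete on Istio config, and the dashboard asks for no login. Default `viewOnlyMode` to `true` so write access is an explicit opt-in. The `secretName` comment also needs a second look: it says no secret is provided, yet the Secret template in this commit is named from `dashboard.secretName`, and `username: admin` / `passphrase: admin` remain as defaults beside it.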
......
...@@ -15,7 +15,7 @@ spec: ...@@ -15,7 +15,7 @@ spec:
maxReplicas: {{ $spec.autoscaleMax }} maxReplicas: {{ $spec.autoscaleMax }}
minReplicas: {{ $spec.autoscaleMin }} minReplicas: {{ $spec.autoscaleMin }}
scaleTargetRef: scaleTargetRef:
apiVersion: apps/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
name: istio-{{ $key }} name: istio-{{ $key }}
metrics: metrics:
......
...@@ -222,7 +222,7 @@ spec: ...@@ -222,7 +222,7 @@ spec:
outputAsJson: {{ .Values.adapters.stdio.outputAsJson }} outputAsJson: {{ .Values.adapters.stdio.outputAsJson }}
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: logentry kind: instance
metadata: metadata:
name: accesslog name: accesslog
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -232,6 +232,8 @@ metadata: ...@@ -232,6 +232,8 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: logentry
params:
severity: '"Info"' severity: '"Info"'
timestamp: request.time timestamp: request.time
variables: variables:
...@@ -279,7 +281,7 @@ spec: ...@@ -279,7 +281,7 @@ spec:
monitored_resource_type: '"global"' monitored_resource_type: '"global"'
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: logentry kind: instance
metadata: metadata:
name: tcpaccesslog name: tcpaccesslog
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -289,6 +291,8 @@ metadata: ...@@ -289,6 +291,8 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: logentry
params:
severity: '"Info"' severity: '"Info"'
timestamp: context.time | timestamp("2017-01-01T00:00:00Z") timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
variables: variables:
...@@ -335,7 +339,7 @@ spec: ...@@ -335,7 +339,7 @@ spec:
actions: actions:
- handler: stdio - handler: stdio
instances: instances:
- accesslog.logentry - accesslog
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: rule kind: rule
...@@ -352,12 +356,12 @@ spec: ...@@ -352,12 +356,12 @@ spec:
actions: actions:
- handler: stdio - handler: stdio
instances: instances:
- tcpaccesslog.logentry - tcpaccesslog
{{- end }} {{- end }}
--- ---
{{- if and .Values.adapters.prometheus.enabled .Values.telemetry.enabled }} {{- if and .Values.adapters.prometheus.enabled .Values.telemetry.enabled }}
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: metric kind: instance
metadata: metadata:
name: requestcount name: requestcount
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -367,6 +371,8 @@ metadata: ...@@ -367,6 +371,8 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: metric
params:
value: "1" value: "1"
dimensions: dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
...@@ -392,7 +398,7 @@ spec: ...@@ -392,7 +398,7 @@ spec:
monitored_resource_type: '"UNSPECIFIED"' monitored_resource_type: '"UNSPECIFIED"'
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: metric kind: instance
metadata: metadata:
name: requestduration name: requestduration
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -402,6 +408,8 @@ metadata: ...@@ -402,6 +408,8 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: metric
params:
value: response.duration | "0ms" value: response.duration | "0ms"
dimensions: dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
...@@ -427,7 +435,7 @@ spec: ...@@ -427,7 +435,7 @@ spec:
monitored_resource_type: '"UNSPECIFIED"' monitored_resource_type: '"UNSPECIFIED"'
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: metric kind: instance
metadata: metadata:
name: requestsize name: requestsize
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -437,6 +445,8 @@ metadata: ...@@ -437,6 +445,8 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: metric
params:
value: request.size | 0 value: request.size | 0
dimensions: dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
...@@ -462,7 +472,7 @@ spec: ...@@ -462,7 +472,7 @@ spec:
monitored_resource_type: '"UNSPECIFIED"' monitored_resource_type: '"UNSPECIFIED"'
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: metric kind: instance
metadata: metadata:
name: responsesize name: responsesize
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -472,6 +482,8 @@ metadata: ...@@ -472,6 +482,8 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: metric
params:
value: response.size | 0 value: response.size | 0
dimensions: dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
...@@ -497,7 +509,7 @@ spec: ...@@ -497,7 +509,7 @@ spec:
monitored_resource_type: '"UNSPECIFIED"' monitored_resource_type: '"UNSPECIFIED"'
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: metric kind: instance
metadata: metadata:
name: tcpbytesent name: tcpbytesent
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -507,6 +519,8 @@ metadata: ...@@ -507,6 +519,8 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: metric
params:
value: connection.sent.bytes | 0 value: connection.sent.bytes | 0
dimensions: dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
...@@ -528,7 +542,7 @@ spec: ...@@ -528,7 +542,7 @@ spec:
monitored_resource_type: '"UNSPECIFIED"' monitored_resource_type: '"UNSPECIFIED"'
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: metric kind: instance
metadata: metadata:
name: tcpbytereceived name: tcpbytereceived
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -538,6 +552,8 @@ metadata: ...@@ -538,6 +552,8 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: metric
params:
value: connection.received.bytes | 0 value: connection.received.bytes | 0
dimensions: dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
...@@ -559,7 +575,7 @@ spec: ...@@ -559,7 +575,7 @@ spec:
monitored_resource_type: '"UNSPECIFIED"' monitored_resource_type: '"UNSPECIFIED"'
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: metric kind: instance
metadata: metadata:
name: tcpconnectionsopened name: tcpconnectionsopened
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -569,6 +585,8 @@ metadata: ...@@ -569,6 +585,8 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: metric
params:
value: "1" value: "1"
dimensions: dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
...@@ -590,7 +608,7 @@ spec: ...@@ -590,7 +608,7 @@ spec:
monitored_resource_type: '"UNSPECIFIED"' monitored_resource_type: '"UNSPECIFIED"'
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: metric kind: instance
metadata: metadata:
name: tcpconnectionsclosed name: tcpconnectionsclosed
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -600,6 +618,8 @@ metadata: ...@@ -600,6 +618,8 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: metric
params:
value: "1" value: "1"
dimensions: dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
...@@ -637,7 +657,7 @@ spec: ...@@ -637,7 +657,7 @@ spec:
metricsExpiryDuration: "{{ .Values.adapters.prometheus.metricsExpiryDuration }}" metricsExpiryDuration: "{{ .Values.adapters.prometheus.metricsExpiryDuration }}"
metrics: metrics:
- name: requests_total - name: requests_total
instance_name: requestcount.metric.{{ .Release.Namespace }} instance_name: requestcount.instance.{{ .Release.Namespace }}
kind: COUNTER kind: COUNTER
label_names: label_names:
- reporter - reporter
...@@ -661,7 +681,7 @@ spec: ...@@ -661,7 +681,7 @@ spec:
- permissive_response_policyid - permissive_response_policyid
- connection_security_policy - connection_security_policy
- name: request_duration_seconds - name: request_duration_seconds
instance_name: requestduration.metric.{{ .Release.Namespace }} instance_name: requestduration.instance.{{ .Release.Namespace }}
kind: DISTRIBUTION kind: DISTRIBUTION
label_names: label_names:
- reporter - reporter
...@@ -688,7 +708,7 @@ spec: ...@@ -688,7 +708,7 @@ spec:
explicit_buckets: explicit_buckets:
bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
- name: request_bytes - name: request_bytes
instance_name: requestsize.metric.{{ .Release.Namespace }} instance_name: requestsize.instance.{{ .Release.Namespace }}
kind: DISTRIBUTION kind: DISTRIBUTION
label_names: label_names:
- reporter - reporter
...@@ -717,7 +737,7 @@ spec: ...@@ -717,7 +737,7 @@ spec:
scale: 1 scale: 1
growthFactor: 10 growthFactor: 10
- name: response_bytes - name: response_bytes
instance_name: responsesize.metric.{{ .Release.Namespace }} instance_name: responsesize.instance.{{ .Release.Namespace }}
kind: DISTRIBUTION kind: DISTRIBUTION
label_names: label_names:
- reporter - reporter
...@@ -746,7 +766,7 @@ spec: ...@@ -746,7 +766,7 @@ spec:
scale: 1 scale: 1
growthFactor: 10 growthFactor: 10
- name: tcp_sent_bytes_total - name: tcp_sent_bytes_total
instance_name: tcpbytesent.metric.{{ .Release.Namespace }} instance_name: tcpbytesent.instance.{{ .Release.Namespace }}
kind: COUNTER kind: COUNTER
label_names: label_names:
- reporter - reporter
...@@ -766,7 +786,7 @@ spec: ...@@ -766,7 +786,7 @@ spec:
- connection_security_policy - connection_security_policy
- response_flags - response_flags
- name: tcp_received_bytes_total - name: tcp_received_bytes_total
instance_name: tcpbytereceived.metric.{{ .Release.Namespace }} instance_name: tcpbytereceived.instance.{{ .Release.Namespace }}
kind: COUNTER kind: COUNTER
label_names: label_names:
- reporter - reporter
...@@ -786,7 +806,7 @@ spec: ...@@ -786,7 +806,7 @@ spec:
- connection_security_policy - connection_security_policy
- response_flags - response_flags
- name: tcp_connections_opened_total - name: tcp_connections_opened_total
instance_name: tcpconnectionsopened.metric.{{ .Release.Namespace }} instance_name: tcpconnectionsopened.instance.{{ .Release.Namespace }}
kind: COUNTER kind: COUNTER
label_names: label_names:
- reporter - reporter
...@@ -806,7 +826,7 @@ spec: ...@@ -806,7 +826,7 @@ spec:
- connection_security_policy - connection_security_policy
- response_flags - response_flags
- name: tcp_connections_closed_total - name: tcp_connections_closed_total
instance_name: tcpconnectionsclosed.metric.{{ .Release.Namespace }} instance_name: tcpconnectionsclosed.instance.{{ .Release.Namespace }}
kind: COUNTER kind: COUNTER
label_names: label_names:
- reporter - reporter
...@@ -837,14 +857,14 @@ metadata: ...@@ -837,14 +857,14 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false)
actions: actions:
- handler: prometheus - handler: prometheus
instances: instances:
- requestcount.metric - requestcount
- requestduration.metric - requestduration
- requestsize.metric - requestsize
- responsesize.metric - responsesize
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: rule kind: rule
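Review bot: the added `match((request.useragent | "-"), "Prometheus*") == false` clause keys on a header the client sets, so it drops request metrics for any caller whose User-Agent starts with `Prometheus`, not only for the scraper; the existing `kube-probe*` clause has the same property. If the aim is to keep scrape traffic out of `requests_total`, filter on an attribute the mesh derives about the source workload instead, or document the gap so nobody treats these counters as a complete request record.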
...@@ -861,8 +881,8 @@ spec: ...@@ -861,8 +881,8 @@ spec:
actions: actions:
- handler: prometheus - handler: prometheus
instances: instances:
- tcpbytesent.metric - tcpbytesent
- tcpbytereceived.metric - tcpbytereceived
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: rule kind: rule
...@@ -879,7 +899,7 @@ spec: ...@@ -879,7 +899,7 @@ spec:
actions: actions:
- handler: prometheus - handler: prometheus
instances: instances:
- tcpconnectionsopened.metric - tcpconnectionsopened
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: rule kind: rule
...@@ -896,7 +916,7 @@ spec: ...@@ -896,7 +916,7 @@ spec:
actions: actions:
- handler: prometheus - handler: prometheus
instances: instances:
- tcpconnectionsclosed.metric - tcpconnectionsclosed
{{- end }} {{- end }}
--- ---
{{- if and .Values.adapters.kubernetesenv.enabled (or .Values.policy.enabled .Values.telemetry.enabled) }} {{- if and .Values.adapters.kubernetesenv.enabled (or .Values.policy.enabled .Values.telemetry.enabled) }}
...@@ -935,7 +955,7 @@ spec: ...@@ -935,7 +955,7 @@ spec:
actions: actions:
- handler: kubernetesenv - handler: kubernetesenv
instances: instances:
- attributes.kubernetes - attributes
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: rule kind: rule
...@@ -952,10 +972,10 @@ spec: ...@@ -952,10 +972,10 @@ spec:
actions: actions:
- handler: kubernetesenv - handler: kubernetesenv
instances: instances:
- attributes.kubernetes - attributes
--- ---
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
kind: kubernetes kind: instance
metadata: metadata:
name: attributes name: attributes
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
...@@ -965,12 +985,14 @@ metadata: ...@@ -965,12 +985,14 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
compiledTemplate: kubernetes
params:
# Pass the required attribute data to the adapter # Pass the required attribute data to the adapter
source_uid: source.uid | "" source_uid: source.uid | ""
source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
destination_uid: destination.uid | "" destination_uid: destination.uid | ""
destination_port: destination.port | 0 destination_port: destination.port | 0
attribute_bindings: attributeBindings:
# Fill the new attributes from the adapter produced output. # Fill the new attributes from the adapter produced output.
# $out refers to an instance of OutputTemplate message # $out refers to an instance of OutputTemplate message
source.ip: $out.source_pod_ip | ip("0.0.0.0") source.ip: $out.source_pod_ip | ip("0.0.0.0")
......
...@@ -9,6 +9,20 @@ ...@@ -9,6 +9,20 @@
secret: secret:
secretName: istio.istio-mixer-service-account secretName: istio.istio-mixer-service-account
optional: true optional: true
{{- if $.Values.global.sds.enabled }}
- hostPath:
path: /var/run/sds
name: sds-uds-path
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ $.Values.global.trustDomain }}
expirationSeconds: 43200
path: istio-token
{{- end }}
{{- end }}
- name: uds-socket - name: uds-socket
emptyDir: {} emptyDir: {}
- name: policy-adapter-secret - name: policy-adapter-secret
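Review bot: `audience: {{ $.Values.global.trustDomain }}` in the new `istio-token` projected volume is rendered unquoted and without a guard, yet the Citadel deployment in this same change wraps `--trust-domain` in `{{- if .Values.global.trustDomain }}`, which implies the value may be empty. With an empty trust domain this renders `audience:` with a null value, so the token's intended audience is left undefined. Suggest quoting the value and either failing the render with `required` or falling back to an explicit default, so that the audience bound into the token is always the one the verifier expects.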
...@@ -18,6 +32,10 @@ ...@@ -18,6 +32,10 @@
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
containers: containers:
- name: mixer - name: mixer
image: "{{ template "system_default_registry" . }}{{ $.Values.repository }}:{{ $.Values.tag }}" image: "{{ template "system_default_registry" . }}{{ $.Values.repository }}:{{ $.Values.tag }}"
...@@ -47,10 +65,15 @@ ...@@ -47,10 +65,15 @@
{{- else }} {{- else }}
- --useAdapterCRDs=false - --useAdapterCRDs=false
{{- end }} {{- end }}
{{- if $.Values.templates.useTemplateCRDs }}
- --useTemplateCRDs=true
{{- else }}
- --useTemplateCRDs=false
{{- end }}
{{- if $.Values.global.tracer.zipkin.address }} {{- if $.Values.global.tracer.zipkin.address }}
- --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
{{- else }} {{- else }}
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans
{{- end }} {{- end }}
{{- if .Values.env }} {{- if .Values.env }}
env: env:
...@@ -134,6 +157,15 @@ ...@@ -134,6 +157,15 @@
- name: istio-certs - name: istio-certs
mountPath: /etc/certs mountPath: /etc/certs
readOnly: true readOnly: true
{{- if $.Values.global.sds.enabled }}
- name: sds-uds-path
mountPath: /var/run/sds
readOnly: true
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
mountPath: /var/run/secrets/tokens
{{- end }}
{{- end }}
- name: uds-socket - name: uds-socket
mountPath: /sock mountPath: /sock
- name: policy-adapter-secret - name: policy-adapter-secret
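Review bot: the `istio-token` mount at `/var/run/secrets/tokens` is added without `readOnly: true`, while the `istio-certs` and `sds-uds-path` mounts directly above it both set it. Projected service account tokens are only ever read by the container, so declare the mount read-only for consistency with the neighbouring credential mounts. The same applies to the identical block in the telemetry and pilot containers.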
...@@ -149,6 +181,20 @@ ...@@ -149,6 +181,20 @@
secret: secret:
secretName: istio.istio-mixer-service-account secretName: istio.istio-mixer-service-account
optional: true optional: true
{{- if $.Values.global.sds.enabled }}
- hostPath:
path: /var/run/sds
name: sds-uds-path
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ $.Values.global.trustDomain }}
expirationSeconds: 43200
path: istio-token
{{- end }}
{{- end }}
- name: uds-socket - name: uds-socket
emptyDir: {} emptyDir: {}
- name: telemetry-adapter-secret - name: telemetry-adapter-secret
...@@ -158,6 +204,10 @@ ...@@ -158,6 +204,10 @@
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
containers: containers:
- name: mixer - name: mixer
image: "{{ template "system_default_registry" . }}{{ $.Values.repository }}:{{ $.Values.tag }}" image: "{{ template "system_default_registry" . }}{{ $.Values.repository }}:{{ $.Values.tag }}"
...@@ -190,10 +240,15 @@ ...@@ -190,10 +240,15 @@
{{- else }} {{- else }}
- --useAdapterCRDs=false - --useAdapterCRDs=false
{{- end }} {{- end }}
{{- if $.Values.templates.useTemplateCRDs }}
- --useTemplateCRDs=true
{{- else }}
- --useTemplateCRDs=false
{{- end }}
{{- if $.Values.global.tracer.zipkin.address }} {{- if $.Values.global.tracer.zipkin.address }}
- --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
{{- else }} {{- else }}
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans
{{- end }} {{- end }}
- --averageLatencyThreshold - --averageLatencyThreshold
- {{ $.Values.telemetry.loadshedding.latencyThreshold }} - {{ $.Values.telemetry.loadshedding.latencyThreshold }}
...@@ -281,6 +336,15 @@ ...@@ -281,6 +336,15 @@
- name: istio-certs - name: istio-certs
mountPath: /etc/certs mountPath: /etc/certs
readOnly: true readOnly: true
{{- if $.Values.global.sds.enabled }}
- name: sds-uds-path
mountPath: /var/run/sds
readOnly: true
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
mountPath: /var/run/secrets/tokens
{{- end }}
{{- end }}
- name: uds-socket - name: uds-socket
mountPath: /sock mountPath: /sock
{{- end }} {{- end }}
...@@ -289,7 +353,7 @@ ...@@ -289,7 +353,7 @@
{{- range $key, $spec := .Values }} {{- range $key, $spec := .Values }}
{{- if or (eq $key "policy") (eq $key "telemetry") }} {{- if or (eq $key "policy") (eq $key "telemetry") }}
{{- if $spec.enabled }} {{- if $spec.enabled }}
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: istio-{{ $key }} name: istio-{{ $key }}
......
...@@ -36,3 +36,4 @@ spec: ...@@ -36,3 +36,4 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
suite: Test Istio Mixer Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
policy.enabled: true
telemetry.enabled: false
asserts:
- isNull:
path: spec.replicas
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
- it: should pass all kinds of assertion
set:
policy.enabled: false
telemetry.enabled: true
asserts:
- isNull:
path: spec.replicas
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
- it: should pass all kinds of assertion
set:
policy.enabled: true
telemetry.enabled: true
asserts:
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 2
# #
# mixer configuration # mixer configuration
# #
enabled: true
env: env:
GODEBUG: gctrace=1 GODEBUG: gctrace=1
# max procs should be ceil(cpu limit + 1) # max procs should be ceil(cpu limit + 1)
...@@ -47,6 +45,7 @@ telemetry: ...@@ -47,6 +45,7 @@ telemetry:
podAnnotations: {} podAnnotations: {}
nodeSelector: {} nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -66,8 +65,11 @@ nodeSelector: {} ...@@ -66,8 +65,11 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
templates:
useTemplateCRDs: false
adapters: adapters:
kubernetesenv: kubernetesenv:
...@@ -81,4 +83,4 @@ adapters: ...@@ -81,4 +83,4 @@ adapters:
enabled: true enabled: true
metricsExpiryDuration: 10m metricsExpiryDuration: 10m
# Setting this to false sets the useAdapterCRDs mixer startup argument to false # Setting this to false sets the useAdapterCRDs mixer startup argument to false
useAdapterCRDs: true useAdapterCRDs: false
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
name: istio-nodeagent name: istio-nodeagent
...@@ -10,6 +10,9 @@ metadata: ...@@ -10,6 +10,9 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
istio: nodeagent istio: nodeagent
spec: spec:
selector:
matchLabels:
istio: nodeagent
template: template:
metadata: metadata:
labels: labels:
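Review bot: the new `selector.matchLabels` carries only `istio: nodeagent`, while the pod template labels shown in the next hunk also include `release` and `heritage`. Under `extensions/v1beta1` an omitted selector was defaulted from the full template label set, and `apps/v1` treats `spec.selector` as immutable, so an upgrade of an existing release can be rejected when the selector narrows. Please confirm the upgrade path from the previous chart version, or document that the DaemonSet has to be recreated. The same question applies to the selectors added to the citadel and sidecar-injector Deployments.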
...@@ -18,8 +21,13 @@ spec: ...@@ -18,8 +21,13 @@ spec:
release: {{ .Release.Name }} release: {{ .Release.Name }}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
istio: nodeagent istio: nodeagent
annotations:
sidecar.istio.io/inject: "false"
spec: spec:
serviceAccountName: istio-nodeagent-service-account serviceAccountName: istio-nodeagent-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers: containers:
- name: nodeagent - name: nodeagent
image: "{{ template "system_default_registry" . }}{{ $.Values.global.nodeAgent.repository }}:{{ $.Values.global.nodeAgent.tag }}" image: "{{ template "system_default_registry" . }}{{ $.Values.global.nodeAgent.repository }}:{{ $.Values.global.nodeAgent.tag }}"
...@@ -43,3 +51,8 @@ spec: ...@@ -43,3 +51,8 @@ spec:
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
\ No newline at end of file
...@@ -2,7 +2,6 @@ ...@@ -2,7 +2,6 @@
# nodeagent configuration # nodeagent configuration
# #
enabled: false enabled: false
image: node-agent-k8s
env: env:
# name of authentication provider. # name of authentication provider.
CA_PROVIDER: "" CA_PROVIDER: ""
...@@ -11,6 +10,7 @@ env: ...@@ -11,6 +10,7 @@ env:
# names of authentication provider's plugins. # names of authentication provider's plugins.
Plugins: "" Plugins: ""
nodeSelector: {} nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -30,5 +30,5 @@ nodeSelector: {} ...@@ -30,5 +30,5 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
...@@ -30,4 +30,3 @@ Create chart name and version as used by the chart label. ...@@ -30,4 +30,3 @@ Create chart name and version as used by the chart label.
{{- define "pilot.chart" -}} {{- define "pilot.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} {{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
...@@ -13,7 +13,7 @@ spec: ...@@ -13,7 +13,7 @@ spec:
maxReplicas: {{ .Values.autoscaleMax }} maxReplicas: {{ .Values.autoscaleMax }}
minReplicas: {{ .Values.autoscaleMin }} minReplicas: {{ .Values.autoscaleMin }}
scaleTargetRef: scaleTargetRef:
apiVersion: apps/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
name: istio-pilot name: istio-pilot
metrics: metrics:
......
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: istio-pilot name: istio-pilot
...@@ -173,8 +173,31 @@ spec: ...@@ -173,8 +173,31 @@ spec:
- name: istio-certs - name: istio-certs
mountPath: /etc/certs mountPath: /etc/certs
readOnly: true readOnly: true
{{- if $.Values.global.sds.enabled }}
- name: sds-uds-path
mountPath: /var/run/sds
readOnly: true
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
mountPath: /var/run/secrets/tokens
{{- end }}
{{- end }}
{{- end }} {{- end }}
volumes: volumes:
{{- if $.Values.global.sds.enabled }}
- hostPath:
path: /var/run/sds
name: sds-uds-path
{{- if $.Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ $.Values.global.trustDomain }}
expirationSeconds: 43200
path: istio-token
{{- end }}
{{- end }}
- name: config-volume - name: config-volume
configMap: configMap:
name: istio name: istio
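Review bot: the `hostPath` volume for `/var/run/sds` declares no `type`, so the kubelet performs no check on what exists at that path before mounting it into pilot, and the nodeagent subchart that is expected to own the socket defaults to `enabled: false` in its values. Suggest setting an explicit `type` on the hostPath and documenting that `global.sds.enabled` requires the node agent. This SDS volume and mount block is now repeated verbatim in the policy, telemetry and pilot pod specs; a named template would keep the three copies from drifting.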
...@@ -185,3 +208,7 @@ spec: ...@@ -185,3 +208,7 @@ spec:
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
...@@ -88,3 +88,4 @@ spec: ...@@ -88,3 +88,4 @@ spec:
--- ---
{{- end }} {{- end }}
{{- end }} {{- end }}
suite: Test Pilot Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
service.internalPort: 8080
sidecar: true
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: istio/pilot:1.1.5
- notEqual:
path: spec.template.spec.containers[0].image
value: istio/pilot:1.1
- matchRegex:
path: metadata.name
pattern: .*istio-pilot.*
- contains:
path: spec.template.spec.containers[0].ports
content:
containerPort: 8080
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
# sidecar tests
- equal:
path: spec.template.spec.containers[1].name
value: istio-proxy
- notContains:
path: spec.template.spec.containers[0].ports
content:
containerPort: 15011
- it: should not set replicas
set:
autoscaleEnabled: true
asserts:
- equal:
path: spec.replicas
value: null
- it: should not add sidecar
set:
sidecar: false
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
containerPort: 15011
- contains:
path: spec.template.spec.containers[0].args
content:
--secureGrpcAddr
...@@ -20,6 +20,7 @@ env: ...@@ -20,6 +20,7 @@ env:
cpu: cpu:
targetAverageUtilization: 80 targetAverageUtilization: 80
nodeSelector: {} nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -39,8 +40,8 @@ nodeSelector: {} ...@@ -39,8 +40,8 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
# The following is used to limit how long a sidecar can be connected # The following is used to limit how long a sidecar can be connected
# to a pilot. It balances out load across pilot instances at the cost of # to a pilot. It balances out load across pilot instances at the cost of
......
...@@ -2,5 +2,5 @@ apiVersion: v1 ...@@ -2,5 +2,5 @@ apiVersion: v1
description: A Helm chart for Kubernetes description: A Helm chart for Kubernetes
name: prometheus name: prometheus
version: 1.1.0 version: 1.1.0
appVersion: 2.3.1 appVersion: 2.8.0
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
...@@ -50,38 +50,6 @@ data: ...@@ -50,38 +50,6 @@ data:
action: replace action: replace
target_label: pod_name target_label: pod_name
metric_relabel_configs:
# Exclude some of the envoy metrics that have massive cardinality
# This list may need to be pruned further moving forward, as informed
# by performance and scalability testing.
- source_labels: [ cluster_name ]
regex: '(outbound|inbound|prometheus_stats).*'
action: drop
- source_labels: [ tcp_prefix ]
regex: '(outbound|inbound|prometheus_stats).*'
action: drop
- source_labels: [ listener_address ]
regex: '(.+)'
action: drop
- source_labels: [ http_conn_manager_listener_prefix ]
regex: '(.+)'
action: drop
- source_labels: [ http_conn_manager_prefix ]
regex: '(.+)'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_tls.*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_tcp_downstream.*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_http_(stats|admin).*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*'
action: drop
- job_name: 'istio-policy' - job_name: 'istio-policy'
kubernetes_sd_configs: kubernetes_sd_configs:
- role: endpoints - role: endpoints
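Review bot: the whole `metric_relabel_configs` block is removed with no replacement visible in this hunk, and its own comment said it existed to "Exclude some of the envoy metrics that have massive cardinality". Without these drop rules every `envoy_tls.*`, `envoy_tcp_downstream.*`, listener and per-cluster series is ingested again, which is a memory and availability risk for the Prometheus pod. Please state in the commit message where the filtering now happens, or keep the rules until scale testing shows they are unnecessary.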
......
# TODO: the original template has service account, roles, etc # TODO: the original template has service account, roles, etc
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: prometheus name: prometheus
...@@ -89,7 +89,9 @@ spec: ...@@ -89,7 +89,9 @@ spec:
- name: istio-certs - name: istio-certs
secret: secret:
defaultMode: 420 defaultMode: 420
{{- if not .Values.security.enabled }}
optional: true optional: true
{{- end }}
secretName: istio.default secretName: istio.default
- name: prometheus-nginx - name: prometheus-nginx
configMap: configMap:
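Review bot: making `optional: true` conditional on `not .Values.security.enabled` means that with the default `security.enabled: true` the Prometheus pod cannot start until the `istio.default` secret exists. Failing closed here is the right behaviour, but it introduces an ordering dependency on Citadel having issued that secret, and the secret name stays hardcoded to the `default` service account. Suggest a comment next to the condition explaining the dependency, and confirm that a fresh install with `--wait` does not time out while the secret is still being created.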
...@@ -97,3 +99,7 @@ spec: ...@@ -97,3 +99,7 @@ spec:
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
...@@ -21,8 +21,9 @@ spec: ...@@ -21,8 +21,9 @@ spec:
- name: "{{ template "prometheus.fullname" . }}-test" - name: "{{ template "prometheus.fullname" . }}-test"
image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }} image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && break || sleep 15; done'] command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && exit 0 || sleep 15; done; exit 1']
restartPolicy: Never restartPolicy: Never
affinity: affinity:
{{- include "nodeaffinity" . | indent 4 }} {{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- end }} {{- end }}
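Review bot: the new `exit 0` / `exit 1` logic still depends on the exit status of `curl`, and `curl` without `-f` returns 0 for any HTTP response, including a 503 from `/-/ready`. As written the test passes as soon as Prometheus accepts the connection, whether or not it reports ready. Suggest `curl -sf http://prometheus:9090/-/ready` so that the added `exit 1` is actually reachable on a not-ready response.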
suite: Test Istio Prometheus Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
...@@ -6,6 +6,7 @@ replicaCount: 1 ...@@ -6,6 +6,7 @@ replicaCount: 1
retention: 6h retention: 6h
nodeSelector: {} nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -25,8 +26,8 @@ nodeSelector: {} ...@@ -25,8 +26,8 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
# Controls the frequency of prometheus scraping # Controls the frequency of prometheus scraping
scrapeInterval: 15s scrapeInterval: 15s
...@@ -49,6 +50,9 @@ ingress: ...@@ -49,6 +50,9 @@ ingress:
service: service:
annotations: {} annotations: {}
nodePort:
enabled: false
port: 32090
security: security:
enabled: true enabled: true
......
...@@ -27,6 +27,12 @@ metadata: ...@@ -27,6 +27,12 @@ metadata:
chart: {{ template "security.chart" . }} chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
......
# istio CA watching all namespaces # istio CA watching all namespaces
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: istio-citadel name: istio-citadel
...@@ -11,7 +11,10 @@ metadata: ...@@ -11,7 +11,10 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
istio: citadel istio: citadel
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: 1
selector:
matchLabels:
istio: citadel
strategy: strategy:
rollingUpdate: rollingUpdate:
maxSurge: 1 maxSurge: 1
...@@ -38,7 +41,6 @@ spec: ...@@ -38,7 +41,6 @@ spec:
args: args:
- --append-dns-names=true - --append-dns-names=true
- --grpc-port=8060 - --grpc-port=8060
- --grpc-hostname=citadel
- --citadel-storage-namespace={{ .Release.Namespace }} - --citadel-storage-namespace={{ .Release.Namespace }}
- --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }} - --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }}
- --monitoring-port={{ .Values.global.monitoringPort }} - --monitoring-port={{ .Values.global.monitoringPort }}
...@@ -54,12 +56,22 @@ spec: ...@@ -54,12 +56,22 @@ spec:
{{- if .Values.global.trustDomain }} {{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }} - --trust-domain={{ .Values.global.trustDomain }}
{{- end }} {{- end }}
{{- if .Values.citadelHealthCheck }}
- --liveness-probe-path=/tmp/ca.liveness # path to the liveness health check status file
- --liveness-probe-interval=60s # interval for health check file update
- --probe-check-interval=15s # interval for health status check
{{- end }}
{{- if .Values.citadelHealthCheck }}
livenessProbe: livenessProbe:
httpGet: exec:
path: /version command:
port: {{ .Values.global.monitoringPort }} - /usr/local/bin/istio_ca
initialDelaySeconds: 5 - probe
periodSeconds: 5 - --probe-path=/tmp/ca.liveness # path to the liveness health check status file
- --interval=125s # the maximum time gap allowed between the file mtime and the current sys clock
initialDelaySeconds: 60
periodSeconds: 60
{{- end }}
resources: resources:
{{- if .Values.resources }} {{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }} {{ toYaml .Values.resources | indent 12 }}
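Review bot: the `livenessProbe` is now rendered only when `.Values.citadelHealthCheck` is set, and the values file in this change defaults it to `false`, so a default install of Citadel has no liveness probe at all. The previous `httpGet` on `/version` was unconditional. Suggest keeping the HTTP probe in an `else` branch so the CA is still restarted when it hangs, and switching to the `exec` probe only when the health check feature is enabled.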
...@@ -80,3 +92,7 @@ spec: ...@@ -80,3 +92,7 @@ spec:
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
\ No newline at end of file
...@@ -40,7 +40,7 @@ spec: ...@@ -40,7 +40,7 @@ spec:
mode: ISTIO_MUTUAL mode: ISTIO_MUTUAL
--- ---
# Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar. # Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar.
# Customer should add similar destination rules for other services that dont' have sidecar. # Customer should add similar destination rules for other services that don't have sidecar.
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule kind: DestinationRule
metadata: metadata:
......
...@@ -21,8 +21,9 @@ spec: ...@@ -21,8 +21,9 @@ spec:
- name: "{{ template "security.fullname" . }}-test" - name: "{{ template "security.fullname" . }}-test"
image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}" image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:8060/-/ready && break || sleep 15; done'] command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:8060/-/ready && exit 0 || sleep 15; done; exit 1']
restartPolicy: Never restartPolicy: Never
affinity: affinity:
{{- include "nodeaffinity" . | indent 4 }} {{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- end }} {{- end }}
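Review bot: this test curls `http://istio-citadel:8060/-/ready`, but the Citadel deployment in this same change passes `--grpc-port=8060`, so the probe is a plain HTTP GET against the gRPC port. With the new `exit 1` a failing probe now fails the Helm test instead of being ignored, so please confirm the endpoint answers HTTP at that path, or point the test at the monitoring port instead. As in the Prometheus test, `curl` needs `-f` for an HTTP error status to count as a failure.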
suite: Test Istio Citadel Deployment
templates:
- deployment.yaml
tests:
- it: should pass all kinds of assertion
set:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
...@@ -2,10 +2,13 @@ ...@@ -2,10 +2,13 @@
# security configuration # security configuration
# #
enabled: true enabled: true
replicaCount: 1
selfSigned: true # indicate if self-signed CA is used. selfSigned: true # indicate if self-signed CA is used.
createMeshPolicy: true createMeshPolicy: true
nodeSelector: {} nodeSelector: {}
tolerations: []
# Enable health checking on the Citadel CSR signing API.
# https://istio.io/docs/tasks/security/health-check/
citadelHealthCheck: false
# Specify the pod anti-affinity that allows you to constrain which nodes # Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are # your pod is eligible to be scheduled based on labels on pods that are
...@@ -25,5 +28,5 @@ nodeSelector: {} ...@@ -25,5 +28,5 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: istio-sidecar-injector name: istio-sidecar-injector
...@@ -11,6 +11,9 @@ metadata: ...@@ -11,6 +11,9 @@ metadata:
istio: sidecar-injector istio: sidecar-injector
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
istio: sidecar-injector
strategy: strategy:
rollingUpdate: rollingUpdate:
maxSurge: 1 maxSurge: 1
...@@ -27,7 +30,7 @@ spec: ...@@ -27,7 +30,7 @@ spec:
sidecar.istio.io/inject: "false" sidecar.istio.io/inject: "false"
spec: spec:
serviceAccountName: istio-sidecar-injector-service-account serviceAccountName: istio-sidecar-injector-service-account
{{- if .Values.global.priorityClassName }} {{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}" priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }} {{- end }}
containers: containers:
...@@ -89,6 +92,8 @@ spec: ...@@ -89,6 +92,8 @@ spec:
items: items:
- key: config - key: config
path: config path: config
- key: values
path: values
affinity: affinity:
{{- include "nodeaffinity" . | indent 6 }} {{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }}
...@@ -2,7 +2,6 @@ apiVersion: admissionregistration.k8s.io/v1beta1 ...@@ -2,7 +2,6 @@ apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
name: istio-sidecar-injector name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels: labels:
app: {{ template "sidecar-injector.name" . }} app: {{ template "sidecar-injector.name" . }}
chart: {{ template "sidecar-injector.chart" . }} chart: {{ template "sidecar-injector.chart" . }}
...@@ -25,6 +24,10 @@ webhooks: ...@@ -25,6 +24,10 @@ webhooks:
namespaceSelector: namespaceSelector:
{{- if .Values.enableNamespacesByDefault }} {{- if .Values.enableNamespacesByDefault }}
matchExpressions: matchExpressions:
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
- key: istio-injection - key: istio-injection
operator: NotIn operator: NotIn
values: values:
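Review bot: the added `key: name` / `operator: NotIn` expression excludes the release namespace only if that namespace actually carries a `name=<namespace>` label. Kubernetes does not add a `name` label to namespaces on its own, and `NotIn` also matches namespaces where the key is absent, so on an unlabelled control-plane namespace the webhook still applies when `enableNamespacesByDefault` is true. Suggest having the chart label the namespace, or documenting the required label beside this selector.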
......
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "sidecar-injector.name" . }}
release: {{ .Release.Name }}
istio: sidecar-injector
spec:
{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
selector:
matchLabels:
app: {{ template "sidecar-injector.name" . }}
release: {{ .Release.Name }}
istio: sidecar-injector
{{- end }}
\ No newline at end of file
suite: Test SidecarInjectorWebhook MutatingWebhook
templates:
- mutatingwebhook.yaml
tests:
- it: should pass all kinds of assertion
set:
enableNamespacesByDefault: false
asserts:
- isNull:
path: webhooks[0].namespaceSelector.matchExpressions
- isEmpty:
path: webhooks[0].namespaceSelector.matchExpressions
- isNotNull:
path: webhooks[0].namespaceSelector.matchLabels
- isNotEmpty:
path: webhooks[0].namespaceSelector.matchLabels
- contains:
path: webhooks[0].rules
content:
operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
- isKind:
of: MutatingWebhookConfiguration
- isAPIVersion:
of: admissionregistration.k8s.io/v1beta1
- hasDocuments:
count: 1
- it: should not set autoInjection selector
set:
enableNamespacesByDefault: true
asserts:
- isNotNull:
path: webhooks[0].namespaceSelector.matchExpressions
- isNotEmpty:
path: webhooks[0].namespaceSelector.matchExpressions
- isNull:
path: webhooks[0].namespaceSelector.matchLabels
- isEmpty:
path: webhooks[0].namespaceSelector.matchLabels
suite: Test SidecarInjectorWebhook RBAC
templates:
- clusterrole.yaml
tests:
- it: should pass all kinds of assertion
set:
provider: jaeger
asserts:
- isNotNull:
path: rules
- isNotEmpty:
path: rules
- contains:
path: rules
content:
apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
- isKind:
of: ClusterRole
- isAPIVersion:
of: rbac.authorization.k8s.io/v1
- hasDocuments:
count: 1
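Review bot: `set: provider: jaeger` looks copied from the tracing suites; in the templates shown on this page `provider` only switches the tracing Deployments, so drop it here unless clusterrole.yaml really reads it. The `contains` assert also pins `patch` on `mutatingwebhookconfigurations`, which is a cluster-wide write on admission configuration; check whether `patch` can be limited with `resourceNames` to the injector's own webhook configuration and assert that if so.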
...@@ -24,10 +24,17 @@ nodeSelector: {} ...@@ -24,10 +24,17 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
# If true, webhook or istioctl injector will rewrite PodSpec for liveness # If true, webhook or istioctl injector will rewrite PodSpec for liveness
# health check to redirect request to sidecar. This makes liveness check work # health check to redirect request to sidecar. This makes liveness check work
# even when mTLS is enabled. # even when mTLS is enabled.
rewriteAppHTTPProbe: false rewriteAppHTTPProbe: false
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
neverInjectSelector: []
alwaysInjectSelector: []
\ No newline at end of file
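Review bot: the comment on `neverInjectSelector` / `alwaysInjectSelector` says what the fields do but not what an entry looks like or which one wins when a pod matches both; with `[]` as the only value shown, a user has to follow the link to find out. Add a commented sample entry and state the precedence. Since `neverInjectSelector` skips the sidecar regardless of the global policy, the comment should also say that anyone who can set pod labels can opt a workload out of the mesh. The file ends without a trailing newline.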
{{ if eq .Values.provider "jaeger" }} {{ if eq .Values.provider "jaeger" }}
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: istio-tracing name: istio-tracing
...@@ -11,6 +11,9 @@ metadata: ...@@ -11,6 +11,9 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
selector:
matchLabels:
app: jaeger
template: template:
metadata: metadata:
labels: labels:
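Review bot: the new `spec.selector` matches on `app: jaeger` alone. Under `apps/v1` the selector cannot be changed after the Deployment is created, and a single `app` label also selects pods of any other jaeger workload in the same namespace. Adding `release: {{ .Release.Name }}` to `matchLabels`, and to the pod template labels if it is not already there, makes the selector specific to this release.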
......
{{ if eq .Values.provider "zipkin" }} {{ if eq .Values.provider "zipkin" }}
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ .Release.Name }}-zipkin name: istio-tracing
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app: zipkin app: zipkin
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} chart: {{ template "tracing.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec: spec:
selector:
matchLabels:
app: zipkin
template: template:
metadata: metadata:
labels: labels:
app: zipkin app: zipkin
chart: {{ template "tracing.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec: spec:
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
containers: containers:
- name: {{ .Chart.Name }} - name: zipkin
image: "{{ template "system_default_registry" . }}{{ .Values.zipkin.repository }}:{{ .Values.zipkin.tag }}" image: "{{ template "system_default_registry" . }}{{ .Values.zipkin.repository }}:{{ .Values.zipkin.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports: ports:
- containerPort: {{ .Values.zipkin.queryPort }} - containerPort: {{ .Values.zipkin.queryPort }}
livenessProbe: livenessProbe:
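Review bot: on the pod template, `scheduler.alpha.kubernetes.io/critical-pod: ""` is the deprecated alpha annotation and overlaps with the `priorityClassName` block added a few lines below; drop the annotation and rely on `global.priorityClassName`. The Deployment is also renamed from `{{ .Release.Name }}-zipkin` to `istio-tracing` and the container from `{{ .Chart.Name }}` to `zipkin`, so anything that refers to the old names, including the zipkin unit test on this page, needs the same update.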
......
...@@ -29,4 +29,5 @@ spec: ...@@ -29,4 +29,5 @@ spec:
restartPolicy: Never restartPolicy: Never
affinity: affinity:
{{- include "nodeaffinity" . | indent 4 }} {{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- end }} {{- end }}
suite: Test Jaeger Deployment
templates:
- deployment-jaeger.yaml
- deployment-zipkin.yaml
tests:
- it: should pass all kinds of assertion
set:
provider: jaeger
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: jaegertracing/all-in-one:1.9
- equal:
path: spec.template.metadata.labels.app
value: jaeger
- equal:
path: spec.template.spec.containers[0].name
value: jaeger
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
- it: should not deploy jaeger
set:
provider: zipkin
asserts:
- hasDocuments:
count: 0
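Review bot: `isAPIVersion: of: extensions/v1beta1` in the first case does not match deployment-jaeger.yaml, whose new side on this page is `apiVersion: apps/v1`. If this suite stays in the chart, update the assert and add one on `spec.selector.matchLabels.app` so the selector that `apps/v1` requires is covered.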
suite: Test Zipkinn Deployment
templates:
- deployment-zipkin.yaml
tests:
- it: should pass all kinds of assertion
set:
provider: zipkin
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: openzipkin/zipkin:2
- equal:
path: spec.template.metadata.labels.app
value: zipkin
- equal:
path: spec.template.spec.containers[0].name
value: tracing
- isNull:
path: spec.template.nodeSelector
- isNotNull:
path: spec.template
- isNotEmpty:
path: spec.template.spec.containers[0].resources
- isNotEmpty:
path: spec.template.spec.containers[0]
- isKind:
of: Deployment
- isAPIVersion:
of: extensions/v1beta1
- hasDocuments:
count: 1
- it: should not deploy zipkin
set:
provider: jaeger
asserts:
- hasDocuments:
count: 0
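Review bot: the assert on `spec.template.spec.containers[0].name` expects `tracing`, but the new side of deployment-zipkin.yaml names the container `zipkin`, and `isAPIVersion` expects `extensions/v1beta1` where the template is now `apps/v1`. If this suite stays in the chart, update both values. The suite name also has a typo (`Zipkinn`).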
# #
# addon jeager tracing configuration # addon jaeger tracing configuration
# #
enabled: false enabled: false
...@@ -24,8 +24,8 @@ nodeSelector: {} ...@@ -24,8 +24,8 @@ nodeSelector: {}
# This pod anti-affinity rule says that the pod requires not to be scheduled # This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key # onto a node if that node is already running a pod with label having key
# “security” and value “S1”. # “security” and value “S1”.
podAntiAffinityLabelSelector: {} podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: {} podAntiAffinityTermLabelSelector: []
jaeger: jaeger:
memory: memory:
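Review bot: the defaults for `podAntiAffinityLabelSelector` and `podAntiAffinityTermLabelSelector` change from a map to a list, but the comment above them gives no sample entry. The helper shown further down this page reads `$item.key`, `$item.operator` and splits `$item.values` on `,`, so `values` has to be a single comma-separated string rather than a YAML list. A commented example entry here would prevent overrides that render without the intended `values`.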
......
rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
initContainers:
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
{{- if not .Values.istio_cni.enabled }}
- name: istio-init
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- else }}
image: "{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- end }}
args:
- "-p"
- "15001"
- "-u"
- 1337
- "-m"
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
- "-i"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
- "-x"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
- "-b"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
- "-d"
- "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") -}}
- "-o"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
{{ end -}}
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
- "-k"
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
{{ end -}}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
requests:
cpu: 10m
memory: 10Mi
limits:
cpu: 100m
memory: 50Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- NET_ADMIN
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
restartPolicy: Always
env:
{{- if contains "*" (annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` "") }}
- name: INBOUND_CAPTURE_PORT
value: 15006
{{- end }}
{{- end }}
{{ end -}}
{{- if eq .Values.global.proxy.enableCoreDump true }}
- name: enable-core-dump
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
command:
- /bin/sh
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- else }}
image: "{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- end }}
imagePullPolicy: IfNotPresent
resources: {}
securityContext:
runAsUser: 0
runAsNonRoot: false
privileged: true
{{ end }}
{{- end }}
containers:
- name: istio-proxy
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
{{- else }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.repository}}:{{ .Values.global.proxy.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --configPath
- "{{ .ProxyConfig.ConfigPath }}"
- --binaryPath
- "{{ .ProxyConfig.BinaryPath }}"
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --drainDuration
- "{{ formatDuration .ProxyConfig.DrainDuration }}"
- --parentShutdownDuration
- "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}"
- --discoveryAddress
- "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}"
{{- if eq .Values.global.proxy.tracer "lightstep" }}
- --lightstepAddress
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}"
- --lightstepAccessToken
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}"
- --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }}
- --lightstepCacertPath
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}"
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
- --zipkinAddress
- "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}"
{{- else if eq .Values.global.proxy.tracer "datadog" }}
- --datadogAgentAddress
- "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}"
{{- end }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
- --dnsRefreshRate
- {{ .Values.global.proxy.dnsRefreshRate }}
- --connectTimeout
- "{{ formatDuration .ProxyConfig.ConnectTimeout }}"
{{- if .Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- "{{ .ProxyConfig.StatsdUdpAddress }}"
{{- end }}
{{- if .Values.global.proxy.envoyMetricsService.enabled }}
- --envoyMetricsServiceAddress
- "{{ .ProxyConfig.EnvoyMetricsServiceAddress }}"
{{- end }}
- --proxyAdminPort
- "{{ .ProxyConfig.ProxyAdminPort }}"
{{ if gt .ProxyConfig.Concurrency 0 -}}
- --concurrency
- "{{ .ProxyConfig.Concurrency }}"
{{ end -}}
- --controlPlaneAuthPolicy
- "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}"
{{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }}
- --statusPort
- "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}"
- --applicationPorts
- "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}"
{{- end }}
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{ if eq .Values.global.proxy.tracer "datadog" }}
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{ end }}
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_CONFIG_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
- name: ISTIO_META_INCLUDE_INBOUND_PORTS
value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{ if .ObjectMeta.Labels }}
- name: ISTIO_METAJSON_LABELS
value: |
{{ toJSON .ObjectMeta.Labels }}
{{ end }}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{- end }}
{{- if .Values.global.sds.customTokenDirectory }}
- name: ISTIO_META_SDS_TOKEN_PATH
value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken"
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
{{- if ne .Values.global.proxy.enableCoreDump true }}
readOnlyRootFilesystem: true
{{- end }}
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
capabilities:
add:
- NET_ADMIN
runAsGroup: 1337
{{ else -}}
{{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }}
runAsGroup: 1337
{{- end }}
runAsUser: 1337
{{- end }}
resources:
{{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end}}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{ else -}}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 4 }}
{{- end }}
{{ end -}}
volumeMounts:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{- end }}
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- mountPath: /var/run/sds
name: sds-uds-path
readOnly: true
{{- if .Values.global.sds.useTrustworthyJwt }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.sds.customTokenDirectory }}
- mountPath: "{{ .Values.global.sds.customTokenDirectory -}}"
name: custom-sds-token
readOnly: true
{{- end }}
{{- else }}
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}
name: lightstep-certs
readOnly: true
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{- end }}
volumes:
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: custom-bootstrap-volume
configMap:
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
{{- end }}
- emptyDir:
medium: Memory
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- name: sds-uds-path
hostPath:
path: /var/run/sds
{{- if .Values.global.sds.customTokenDirectory }}
- name: custom-sds-token
secret:
secretName: sdstokensecret
{{- end }}
{{- if .Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.trustDomain }}
{{- end }}
{{- else }}
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 2 }}
{{ end }}
{{ end }}
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- name: lightstep-certs
secret:
optional: true
secretName: lightstep.cacert
{{- end }}
{{- if .Values.global.podDNSSearchNamespaces }}
dnsConfig:
searches:
{{- range .Values.global.podDNSSearchNamespaces }}
- {{ render . }}
{{- end }}
{{- end }}
\ No newline at end of file
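Review bot: the `sidecar.istio.io/userVolume` block under `volumes:` sits inside the `{{- else }}` branch of `.Values.global.sds.enabled`, while the matching `sidecar.istio.io/userVolumeMount` block under `volumeMounts:` is rendered unconditionally. With SDS enabled, a pod carrying both annotations gets mounts that refer to volumes that are never defined, and the injected pod spec is invalid. Move the `userVolume` range below the `{{- end }}` that closes the SDS conditional. Also worth a second look: `sidecar.istio.io/proxyImage` is honoured only when `global.systemDefaultRegistry` is unset, so the annotation is silently ignored on clusters with a private registry configured; and the `enable-core-dump` init container runs with `privileged: true`, which deserves a comment next to `global.proxy.enableCoreDump` in values.yaml.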
...@@ -66,7 +66,7 @@ ...@@ -66,7 +66,7 @@
matchExpressions: matchExpressions:
- key: {{ $item.key }} - key: {{ $item.key }}
operator: {{ $item.operator }} operator: {{ $item.operator }}
{{- if $item.value }} {{- if $item.values }}
values: values:
{{- $vals := split "," $item.values }} {{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }} {{- range $i, $v := $vals }}
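Review bot: no test on this page exercises this helper, which is how a guard on `$item.value` next to a `split` on `$item.values` could go unnoticed. Add a unit-test case that sets a selector entry with `values: "a,b"` and asserts both rendered values. If the range body does not already do so, trim whitespace around each element after `split ","` so that `"a, b"` does not produce a label value with a leading space.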
......
...@@ -37,7 +37,6 @@ spec: ...@@ -37,7 +37,6 @@ spec:
- JSONPath: .metadata.creationTimestamp - JSONPath: .metadata.creationTimestamp
description: |- description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age name: Age
type: date type: date
...@@ -76,7 +75,6 @@ spec: ...@@ -76,7 +75,6 @@ spec:
- JSONPath: .metadata.creationTimestamp - JSONPath: .metadata.creationTimestamp
description: |- description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age name: Age
type: date type: date
...@@ -123,7 +121,6 @@ spec: ...@@ -123,7 +121,6 @@ spec:
- JSONPath: .metadata.creationTimestamp - JSONPath: .metadata.creationTimestamp
description: |- description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age name: Age
type: date type: date
...@@ -157,720 +154,30 @@ spec: ...@@ -157,720 +154,30 @@ spec:
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: envoyfilters.networking.istio.io name: sidecars.networking.istio.io
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: networking.istio.io
names:
kind: EnvoyFilter
plural: envoyfilters
singular: envoyfilter
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: clusterrbacconfigs.rbac.istio.io
labels:
app: istio-pilot
istio: rbac
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: rbac.istio.io
names:
kind: ClusterRbacConfig
plural: clusterrbacconfigs
singular: clusterrbacconfig
categories:
- istio-io
- rbac-istio-io
scope: Cluster
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: policies.authentication.istio.io
labels:
app: istio-citadel
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: authentication.istio.io
names:
kind: Policy
plural: policies
singular: policy
categories:
- istio-io
- authentication-istio-io
scope: Namespaced
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: meshpolicies.authentication.istio.io
labels:
app: istio-citadel
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: authentication.istio.io
names:
kind: MeshPolicy
listKind: MeshPolicyList
plural: meshpolicies
singular: meshpolicy
categories:
- istio-io
- authentication-istio-io
scope: Cluster
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: httpapispecbindings.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: HTTPAPISpecBinding
plural: httpapispecbindings
singular: httpapispecbinding
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: httpapispecs.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: HTTPAPISpec
plural: httpapispecs
singular: httpapispec
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotaspecbindings.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: QuotaSpecBinding
plural: quotaspecbindings
singular: quotaspecbinding
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotaspecs.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: QuotaSpec
plural: quotaspecs
singular: quotaspec
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rules.config.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: core
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: rule
plural: rules
singular: rule
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: attributemanifests.config.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: core
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: attributemanifest
plural: attributemanifests
singular: attributemanifest
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: bypasses.config.istio.io
labels:
app: mixer
package: bypass
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: bypass
plural: bypasses
singular: bypass
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: circonuses.config.istio.io
labels:
app: mixer
package: circonus
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: circonus
plural: circonuses
singular: circonus
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: deniers.config.istio.io
labels:
app: mixer
package: denier
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: denier
plural: deniers
singular: denier
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: fluentds.config.istio.io
labels:
app: mixer
package: fluentd
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: fluentd
plural: fluentds
singular: fluentd
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kubernetesenvs.config.istio.io
labels:
app: mixer
package: kubernetesenv
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: kubernetesenv
plural: kubernetesenvs
singular: kubernetesenv
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listcheckers.config.istio.io
labels:
app: mixer
package: listchecker
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: listchecker
plural: listcheckers
singular: listchecker
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: memquotas.config.istio.io
labels:
app: mixer
package: memquota
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: memquota
plural: memquotas
singular: memquota
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: noops.config.istio.io
labels:
app: mixer
package: noop
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: noop
plural: noops
singular: noop
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: opas.config.istio.io
labels:
app: mixer
package: opa
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: opa
plural: opas
singular: opa
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: prometheuses.config.istio.io
labels:
app: mixer
package: prometheus
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: prometheus
plural: prometheuses
singular: prometheus
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rbacs.config.istio.io
labels:
app: mixer
package: rbac
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: rbac
plural: rbacs
singular: rbac
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: redisquotas.config.istio.io
labels:
app: mixer
package: redisquota
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: redisquota
plural: redisquotas
singular: redisquota
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: signalfxs.config.istio.io
labels:
app: mixer
package: signalfx
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: signalfx
plural: signalfxs
singular: signalfx
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: solarwindses.config.istio.io
labels:
app: mixer
package: solarwinds
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: solarwinds
plural: solarwindses
singular: solarwinds
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stackdrivers.config.istio.io
labels:
app: mixer
package: stackdriver
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
spec:
group: config.istio.io
names:
kind: stackdriver
plural: stackdrivers
singular: stackdriver
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: statsds.config.istio.io
labels:
app: mixer
package: statsd
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: statsd
plural: statsds
singular: statsd
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stdios.config.istio.io
labels: labels:
app: mixer app: istio-pilot
package: stdio
istio: mixer-adapter
chart: istio chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec: spec:
group: config.istio.io group: networking.istio.io
names: names:
kind: stdio kind: Sidecar
plural: stdios plural: sidecars
singular: stdio singular: sidecar
categories: categories:
- istio-io - istio-io
- policy-istio-io - networking-istio-io
scope: Namespaced scope: Namespaced
version: v1alpha2 version: v1alpha3
--- ---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: apikeys.config.istio.io
labels:
app: mixer
package: apikey
istio: mixer-instance
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: apikey
plural: apikeys
singular: apikey
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: authorizations.config.istio.io name: envoyfilters.networking.istio.io
labels: labels:
app: mixer app: istio-pilot
package: authorization
istio: mixer-instance
chart: istio chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
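Review bot: The per-adapter and per-instance CRDs dropped on the left side of this hunk (`noops`, `opas`, `rbacs`, `redisquotas`, `apikeys` and the others) nearly all carry `"helm.sh/resource-policy": keep`, so deleting them from the template does not delete them from clusters that installed the earlier chart. Please add an upgrade note stating whether these leftover definitions, and any custom resources of those kinds, are expected to remain or need a manual cleanup step. Otherwise operators can end up with `rbac` or `opa` handler objects that still look configured although the chart no longer ships their definitions.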
...@@ -878,51 +185,47 @@ metadata: ...@@ -878,51 +185,47 @@ metadata:
"helm.sh/resource-policy": keep "helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install" "helm.sh/hook": "crd-install"
spec: spec:
group: config.istio.io group: networking.istio.io
names: names:
kind: authorization kind: EnvoyFilter
plural: authorizations plural: envoyfilters
singular: authorization singular: envoyfilter
categories: categories:
- istio-io - istio-io
- policy-istio-io - networking-istio-io
scope: Namespaced scope: Namespaced
version: v1alpha2 version: v1alpha3
--- ---
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: checknothings.config.istio.io name: clusterrbacconfigs.rbac.istio.io
labels: labels:
app: mixer app: istio-pilot
package: checknothing istio: rbac
istio: mixer-instance
chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
annotations: annotations:
"helm.sh/resource-policy": keep "helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install" "helm.sh/hook": "crd-install"
spec: spec:
group: config.istio.io group: rbac.istio.io
names: names:
kind: checknothing kind: ClusterRbacConfig
plural: checknothings plural: clusterrbacconfigs
singular: checknothing singular: clusterrbacconfig
categories: categories:
- istio-io - istio-io
- policy-istio-io - rbac-istio-io
scope: Namespaced scope: Cluster
version: v1alpha2 version: v1alpha1
--- ---
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: kuberneteses.config.istio.io name: policies.authentication.istio.io
labels: labels:
app: mixer app: istio-citadel
package: adapter.template.kubernetes
istio: mixer-instance
chart: istio chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
...@@ -930,25 +233,23 @@ metadata: ...@@ -930,25 +233,23 @@ metadata:
"helm.sh/resource-policy": keep "helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install" "helm.sh/hook": "crd-install"
spec: spec:
group: config.istio.io group: authentication.istio.io
names: names:
kind: kubernetes kind: Policy
plural: kuberneteses plural: policies
singular: kubernetes singular: policy
categories: categories:
- istio-io - istio-io
- policy-istio-io - authentication-istio-io
scope: Namespaced scope: Namespaced
version: v1alpha2 version: v1alpha1
--- ---
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: listentries.config.istio.io name: meshpolicies.authentication.istio.io
labels: labels:
app: mixer app: istio-citadel
package: listentry
istio: mixer-instance
chart: istio chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
...@@ -956,25 +257,24 @@ metadata: ...@@ -956,25 +257,24 @@ metadata:
"helm.sh/resource-policy": keep "helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install" "helm.sh/hook": "crd-install"
spec: spec:
group: config.istio.io group: authentication.istio.io
names: names:
kind: listentry kind: MeshPolicy
plural: listentries listKind: MeshPolicyList
singular: listentry plural: meshpolicies
singular: meshpolicy
categories: categories:
- istio-io - istio-io
- policy-istio-io - authentication-istio-io
scope: Namespaced scope: Cluster
version: v1alpha2 version: v1alpha1
--- ---
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: logentries.config.istio.io name: httpapispecbindings.config.istio.io
labels: labels:
app: mixer app: istio-mixer
package: logentry
istio: mixer-instance
chart: istio chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
...@@ -984,43 +284,21 @@ metadata: ...@@ -984,43 +284,21 @@ metadata:
spec: spec:
group: config.istio.io group: config.istio.io
names: names:
kind: logentry kind: HTTPAPISpecBinding
plural: logentries plural: httpapispecbindings
singular: logentry singular: httpapispecbinding
categories: categories:
- istio-io - istio-io
- policy-istio-io - apim-istio-io
scope: Namespaced scope: Namespaced
version: v1alpha2 version: v1alpha2
additionalPrinterColumns:
- JSONPath: .spec.severity
description: The importance of the log entry
name: Severity
type: string
- JSONPath: .spec.timestamp
description: The time value for the log entry
name: Timestamp
type: string
- JSONPath: .spec.monitored_resource_type
description: Optional expression to compute the type of the monitored resource this log entry is being recorded on
name: Res Type
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
--- ---
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: edges.config.istio.io name: httpapispecs.config.istio.io
labels: labels:
app: mixer app: istio-mixer
package: edge
istio: mixer-instance
chart: istio chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
...@@ -1030,23 +308,21 @@ metadata: ...@@ -1030,23 +308,21 @@ metadata:
spec: spec:
group: config.istio.io group: config.istio.io
names: names:
kind: edge kind: HTTPAPISpec
plural: edges plural: httpapispecs
singular: edge singular: httpapispec
categories: categories:
- istio-io - istio-io
- policy-istio-io - apim-istio-io
scope: Namespaced scope: Namespaced
version: v1alpha2 version: v1alpha2
--- ---
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: metrics.config.istio.io name: quotaspecbindings.config.istio.io
labels: labels:
app: mixer app: istio-mixer
package: metric
istio: mixer-instance
chart: istio chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
...@@ -1056,23 +332,21 @@ metadata: ...@@ -1056,23 +332,21 @@ metadata:
spec: spec:
group: config.istio.io group: config.istio.io
names: names:
kind: metric kind: QuotaSpecBinding
plural: metrics plural: quotaspecbindings
singular: metric singular: quotaspecbinding
categories: categories:
- istio-io - istio-io
- policy-istio-io - apim-istio-io
scope: Namespaced scope: Namespaced
version: v1alpha2 version: v1alpha2
--- ---
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: quotas.config.istio.io name: quotaspecs.config.istio.io
labels: labels:
app: mixer app: istio-mixer
package: quota
istio: mixer-instance
chart: istio chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
...@@ -1082,23 +356,23 @@ metadata: ...@@ -1082,23 +356,23 @@ metadata:
spec: spec:
group: config.istio.io group: config.istio.io
names: names:
kind: quota kind: QuotaSpec
plural: quotas plural: quotaspecs
singular: quota singular: quotaspec
categories: categories:
- istio-io - istio-io
- policy-istio-io - apim-istio-io
scope: Namespaced scope: Namespaced
version: v1alpha2 version: v1alpha2
--- ---
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: reportnothings.config.istio.io name: rules.config.istio.io
labels: labels:
app: mixer app: mixer
package: reportnothing package: istio.io.mixer
istio: mixer-instance istio: core
chart: istio chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
...@@ -1108,9 +382,9 @@ metadata: ...@@ -1108,9 +382,9 @@ metadata:
spec: spec:
group: config.istio.io group: config.istio.io
names: names:
kind: reportnothing kind: rule
plural: reportnothings plural: rules
singular: reportnothing singular: rule
categories: categories:
- istio-io - istio-io
- policy-istio-io - policy-istio-io
...@@ -1120,11 +394,11 @@ spec: ...@@ -1120,11 +394,11 @@ spec:
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: tracespans.config.istio.io name: attributemanifests.config.istio.io
labels: labels:
app: mixer app: mixer
package: tracespan package: istio.io.mixer
istio: mixer-instance istio: core
chart: istio chart: istio
heritage: Tiller heritage: Tiller
release: istio release: istio
...@@ -1134,9 +408,9 @@ metadata: ...@@ -1134,9 +408,9 @@ metadata:
spec: spec:
group: config.istio.io group: config.istio.io
names: names:
kind: tracespan kind: attributemanifest
plural: tracespans plural: attributemanifests
singular: tracespan singular: attributemanifest
categories: categories:
- istio-io - istio-io
- policy-istio-io - policy-istio-io
...@@ -1228,7 +502,6 @@ spec: ...@@ -1228,7 +502,6 @@ spec:
- JSONPath: .metadata.creationTimestamp - JSONPath: .metadata.creationTimestamp
description: |- description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age name: Age
type: date type: date
...@@ -1337,52 +610,6 @@ spec: ...@@ -1337,52 +610,6 @@ spec:
scope: Namespaced scope: Namespaced
version: v1alpha2 version: v1alpha2
--- ---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: cloudwatches.config.istio.io
labels:
app: mixer
package: cloudwatch
istio: mixer-adapter
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: cloudwatch
plural: cloudwatches
singular: cloudwatch
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: dogstatsds.config.istio.io
labels:
app: mixer
package: dogstatsd
istio: mixer-adapter
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: dogstatsd
plural: dogstatsds
singular: dogstatsd
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
...@@ -1410,23 +637,22 @@ spec: ...@@ -1410,23 +637,22 @@ spec:
kind: CustomResourceDefinition kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
metadata: metadata:
name: zipkins.config.istio.io name: authorizationpolicies.rbac.istio.io
labels: labels:
app: mixer app: istio-pilot
package: zipkin istio: rbac
istio: mixer-adapter heritage: Tiller
annotations: release: istio
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec: spec:
group: config.istio.io group: rbac.istio.io
names: names:
kind: zipkin kind: AuthorizationPolicy
plural: zipkins plural: authorizationpolicies
singular: zipkin singular: authorizationpolicy
categories: categories:
- istio-io - istio-io
- policy-istio-io - rbac-istio-io
scope: Namespaced scope: Namespaced
version: v1alpha2 version: v1alpha1
---
{{- end }} {{- end }}
\ No newline at end of file
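Review bot: The new `authorizationpolicies.rbac.istio.io` definition at the end of this hunk has no `annotations:` block, so it loses both `"helm.sh/hook": "crd-install"` and `"helm.sh/resource-policy": keep`, which the `zipkins` entry it replaces carried and which the other CRDs in this file still set. Without them the CRD is handled like an ordinary release resource, and deleting the release would remove it together with every AuthorizationPolicy object stored under it. Please restore the two annotations or explain why this CRD is treated differently. The file also now ends without a trailing newline.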
...@@ -47,7 +47,7 @@ apiVersion: v1 ...@@ -47,7 +47,7 @@ apiVersion: v1
kind: Endpoints kind: Endpoints
metadata: metadata:
name: istio-telemetry name: istio-telemetry
namespace: istio-system namespace: {{ .Release.Namespace }}
subsets: subsets:
- addresses: - addresses:
- ip: {{ .Values.global.remoteTelemetryAddress }} - ip: {{ .Values.global.remoteTelemetryAddress }}
......
...@@ -11,311 +11,15 @@ metadata: ...@@ -11,311 +11,15 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
istio: sidecar-injector istio: sidecar-injector
data: data:
values: |-
{{ .Values | toJson }}
config: |- config: |-
policy: {{ .Values.global.proxy.autoInject }} policy: {{ .Values.global.proxy.autoInject }}
alwaysInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | indent 6 }}
neverInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | indent 6 }}
template: |- template: |-
rewriteAppHTTPProbe: {{ .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe }} {{ .Files.Get "files/injection-template.yaml" | indent 6 }}
{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
initContainers:
{{ "[[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"NONE\" ]]" }}
{{- if not .Values.istio_cni.enabled }}
- name: istio-init
image: "{{ template "system_default_registry" . }}{{ $.Values.global.proxy_init.repository }}:{{ $.Values.global.proxy_init.tag }}"
args:
- "-p"
- {{ "[[ .MeshConfig.ProxyListenPort ]]" }}
- "-u"
- 1337
- "-m"
- {{ "[[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]" }}
- "-i"
- {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` " }} "{{ .Values.global.proxy.includeIPRanges }}" {{ " ]]\"" }}
- "-x"
- {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` " }} "{{ .Values.global.proxy.excludeIPRanges }}" {{ " ]]\"" }}
- "-b"
- {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"" }}
- "-d"
- {{ "\"[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` " }} "{{ .Values.global.proxy.excludeInboundPorts }}" {{ ") ]]\"" }}
{{ "[[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]" }}
- "-k"
{{ "- \"[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]\"" }}
{{ "[[ end -]]" }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
resources:
requests:
cpu: 10m
memory: 10Mi
limits:
cpu: 100m
memory: 50Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- NET_ADMIN
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
restartPolicy: Always
{{- end }}
{{ "[[ end -]]" }}
{{- if eq .Values.global.proxy.enableCoreDump true }}
- name: enable-core-dump
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
command:
- /bin/sh
image: "{{ template "system_default_registry" . }}{{ $.Values.global.proxy_init.repository }}:{{ $.Values.global.proxy_init.tag }}"
imagePullPolicy: IfNotPresent
resources: {}
securityContext:
runAsUser: 0
runAsNonRoot: false
privileged: true
{{ end }}
{{- end }}
containers:
- name: istio-proxy
image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ template "system_default_registry" . }}{{ $.Values.global.proxy.repository }}:{{ $.Values.global.proxy.tag }}" {{ " ]]" }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --configPath
- {{ "[[ .ProxyConfig.ConfigPath ]]" }}
- --binaryPath
- {{ "[[ .ProxyConfig.BinaryPath ]]" }}
- --serviceCluster
{{ "[[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]" }}
- {{ "[[ index .ObjectMeta.Labels \"app\" ]]." }}$(POD_NAMESPACE)
{{ "[[ else -]]" }}
- {{ "[[ valueOrDefault .DeploymentMeta.Name \"istio-proxy\" ]].[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]]" }}
{{ "[[ end -]]" }}
- --drainDuration
- {{ "[[ formatDuration .ProxyConfig.DrainDuration ]]" }}
- --parentShutdownDuration
- {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }}
- --discoveryAddress
- {{ "[[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]" }}
{{- if eq .Values.global.proxy.tracer "lightstep" }}
- --lightstepAddress
- {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAddress ]]" }}
- --lightstepAccessToken
- {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken ]]" }}
- --lightstepSecure={{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetSecure ]]" }}
- --lightstepCacertPath
- {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }}
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
- --zipkinAddress
- {{ "[[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]]" }}
{{- else if eq .Values.global.proxy.tracer "datadog" }}
- --datadogAgentAddress
- {{ "[[ .ProxyConfig.GetTracing.GetDatadog.GetAddress ]]" }}
{{- end }}
- --connectTimeout
- {{ "[[ formatDuration .ProxyConfig.ConnectTimeout ]]" }}
{{- if .Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- {{ "[[ .ProxyConfig.StatsdUdpAddress ]]" }}
{{- end }}
{{- if .Values.global.proxy.envoyMetricsService.enabled }}
- --envoyMetricsServiceAddress
- {{ "[[ .ProxyConfig.EnvoyMetricsServiceAddress ]]" }}
{{- end }}
- --proxyAdminPort
- {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }}
{{ "[[ if gt .ProxyConfig.Concurrency 0 -]]" }}
- --concurrency
- {{ "[[ .ProxyConfig.Concurrency ]]" }}
{{ "[[ end -]]" }}
- --controlPlaneAuthPolicy
- {{ "[[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]" }}
{{ "[[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }}
- --statusPort
- {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }}
- --applicationPorts
- {{ "\"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"" }}
{{ "[[- end ]]" }}
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{ if eq .Values.global.proxy.tracer "datadog" }}
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{ end }}
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_CONFIG_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ISTIO_META_INTERCEPTION_MODE
value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }}
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ "[[ if .ObjectMeta.Annotations ]]" }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ "[[ toJSON .ObjectMeta.Annotations ]]" }}
{{ "[[ end ]]" }}
{{ "[[ if .ObjectMeta.Labels ]]" }}
- name: ISTIO_METAJSON_LABELS
value: |
{{ "[[ toJSON .ObjectMeta.Labels ]]" }}
{{ "[[ end ]]" }}
{{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{ "[[- end ]]" }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{ "[[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }}
readinessProbe:
httpGet:
path: /healthz/ready
port: {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }}
initialDelaySeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` " }} {{ .Values.global.proxy.readinessInitialDelaySeconds }} {{ " ]]" }}
periodSeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` " }} {{ .Values.global.proxy.readinessPeriodSeconds }} {{ " ]]" }}
failureThreshold: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` " }} {{ .Values.global.proxy.readinessFailureThreshold }} {{ " ]]" }}
{{ "[[ end -]]" -}}
securityContext:
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
{{- if ne .Values.global.proxy.enableCoreDump true }}
readOnlyRootFilesystem: true
{{- end }}
{{ "[[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]" }}
capabilities:
add:
- NET_ADMIN
runAsGroup: 1337
{{ "[[ else -]]" }}
{{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }}
runAsGroup: 1337
{{- end }}
runAsUser: 1337
{{ "[[- end ]]" }}
resources:
{{ "[[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]" }}
requests:
{{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]" }}
cpu: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"" }}
{{ "[[ end ]]" }}
{{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]" }}
memory: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]\"" }}
{{ "[[ end ]]" }}
{{ "[[ else -]]" }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 10 }}
{{- end }}
{{ "[[ end -]]" }}
volumeMounts:
{{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{ "[[- end ]]" }}
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- mountPath: /var/run/sds/uds_path
name: sds-uds-path
readOnly: true
{{- if .Values.global.sds.useTrustworthyJwt }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- else }}
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- mountPath: {{ "[[ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }}
name: lightstep-certs
readOnly: true
{{- end }}
{{ "[[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]]" }}
{{ "[[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]]" }}
- name: {{ "\"[[ $index ]]\"" }}
{{ "[[ toYaml $value | indent 4 ]]" }}
{{ "[[ end ]]" }}
{{ "[[- end ]]" }}
volumes:
{{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }}
- name: custom-bootstrap-volume
configMap:
name: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]]" }}
{{ "[[- end ]]" }}
- emptyDir:
medium: Memory
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- name: sds-uds-path
hostPath:
path: /var/run/sds/uds_path
type: Socket
{{- if .Values.global.sds.useTrustworthyJwt }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.trustDomain }}
{{- end }}
{{- else }}
- name: istio-certs
secret:
optional: true
{{ "[[ if eq .Spec.ServiceAccountName \"\" -]]" }}
secretName: istio.default
{{ "[[ else -]]" }}
secretName: {{ "[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]" }}
{{ "[[ end -]]" }}
{{ "[[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]]" }}
{{ "[[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]]" }}
- name: {{ "\"[[ $index ]]\"" }}
{{ "[[ toYaml $value | indent 2 ]]" }}
{{ "[[ end ]]" }}
{{ "[[ end ]]" }}
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- name: lightstep-certs
secret:
optional: true
secretName: lightstep.cacert
{{- end }}
{{- end }}
{{- if .Values.global.podDNSSearchNamespaces }}
dnsConfig:
searches:
{{- range .Values.global.podDNSSearchNamespaces }}
- {{ . }}
{{- end }}
{{- end }} {{- end }}
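Review bot: The added `values: |-` key with `{{ .Values | toJson }}` at the top of `data:` writes the chart's entire values tree into this ConfigMap, where anything allowed to read ConfigMaps in the release namespace can see it. Values are a common place for credentials (the template removed on the left passes `--lightstepAccessToken` and reads `.Values.global.tracer.lightstep`), so please either serialize only the subtree the injection template needs or document that secrets must not be supplied through values for this chart. Separately, `.Files.Get "files/injection-template.yaml"` renders as an empty string when the file is missing from the package, so a `required` guard or a chart test on the rendered `template:` key would catch a broken package before the injector starts with no template.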
suite: Test Certmanager CRDs
templates:
- crd-certmanager.yaml
tests:
- it: should create certmanager CRDs
set:
enableCRDs: true
certmanager.enabled: true
asserts:
- hasDocuments:
count: 5
- isKind:
of: CustomResourceDefinition
- it: should not render certmanager CRDs
set:
enableCRDs: true
certmanager.enabled: false
asserts:
- hasDocuments:
count: 0
- it: should set helm crd hook annotations
set:
enableCRDs: true
certmanager.enabled: true
asserts:
- equal:
path: metadata.annotations
value:
helm.sh/resource-policy: keep
helm.sh/hook: "crd-install"
suite: Test Istio CRDs
templates:
- crds.yaml
tests:
- it: should create custom resource definition
set:
enableCRDs: true
asserts:
- hasDocuments:
count: 53 #istio v1.1.5 contains total 53 CRDs
- isKind:
of: CustomResourceDefinition
- it: should not render custom resource definition
set:
enableCRDs: false
asserts:
- hasDocuments:
count: 0
- it: should set helm crd hook annotations
set:
enableCRDs: true
asserts:
- equal:
path: metadata.annotations
value:
helm.sh/resource-policy: keep
helm.sh/hook: "crd-install"
...@@ -23,7 +23,7 @@ gateways: ...@@ -23,7 +23,7 @@ gateways:
# #
sidecarInjectorWebhook: sidecarInjectorWebhook:
repository: rancher/istio-sidecar_injector repository: rancher/istio-sidecar_injector
tag: "1.1.5" tag: "1.2.0"
enabled: true enabled: true
# #
...@@ -32,7 +32,7 @@ sidecarInjectorWebhook: ...@@ -32,7 +32,7 @@ sidecarInjectorWebhook:
# #
galley: galley:
repository: rancher/istio-galley repository: rancher/istio-galley
tag: 1.1.5 tag: 1.2.0
enabled: true enabled: true
# #
...@@ -41,7 +41,7 @@ galley: ...@@ -41,7 +41,7 @@ galley:
# @see charts/mixer/values.yaml, it takes precedence # @see charts/mixer/values.yaml, it takes precedence
mixer: mixer:
repository: rancher/istio-mixer repository: rancher/istio-mixer
tag: "1.1.5" tag: "1.2.0"
enabled: true enabled: true
policy: policy:
# if policy is enabled the global.disablePolicyChecks has affect. # if policy is enabled the global.disablePolicyChecks has affect.
...@@ -55,7 +55,7 @@ mixer: ...@@ -55,7 +55,7 @@ mixer:
# @see charts/pilot/values.yaml # @see charts/pilot/values.yaml
pilot: pilot:
repository: rancher/istio-pilot repository: rancher/istio-pilot
tag: "1.1.5" tag: "1.2.0"
enabled: true enabled: true
# #
...@@ -63,7 +63,7 @@ pilot: ...@@ -63,7 +63,7 @@ pilot:
# #
security: security:
repository: rancher/istio-citadel repository: rancher/istio-citadel
tag: "1.1.5" tag: "1.2.0"
enabled: true enabled: true
# #
...@@ -77,7 +77,7 @@ nodeagent: ...@@ -77,7 +77,7 @@ nodeagent:
# #
grafana: grafana:
repository: rancher/grafana-grafana repository: rancher/grafana-grafana
tag: 5.4.0 tag: 6.1.6
enabled: false enabled: false
# #
...@@ -85,7 +85,7 @@ grafana: ...@@ -85,7 +85,7 @@ grafana:
# #
prometheus: prometheus:
repository: rancher/prom-prometheus repository: rancher/prom-prometheus
tag: v2.3.1 tag: v2.8.0
enabled: true enabled: true
# #
...@@ -105,10 +105,16 @@ tracing: ...@@ -105,10 +105,16 @@ tracing:
# #
kiali: kiali:
repository: rancher/kiali-kiali repository: rancher/kiali-kiali
tag: v0.17 tag: v0.20
enabled: true enabled: true
# #
# addon certmanager configuration
#
certmanager:
enabled: false
#
# Istio CNI plugin enabled # Istio CNI plugin enabled
# This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately. # This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately.
# If true, the privileged initContainer istio-init is not needed to perform the traffic redirect # If true, the privileged initContainer istio-init is not needed to perform the traffic redirect
...@@ -128,9 +134,6 @@ istiocoredns: ...@@ -128,9 +134,6 @@ istiocoredns:
tag: 0.2-istio-1.1 tag: 0.2-istio-1.1
enabled: false enabled: false
certmanager:
enabled: false
# Common settings used among istio subcharts. # Common settings used among istio subcharts.
global: global:
# Specify rancher domain and clusterId of external tracing config # Specify rancher domain and clusterId of external tracing config
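Review bot: the `istiocoredns` tag in the context of this hunk is still `0.2-istio-1.1` while the other Istio images touched by this change move to 1.2.0. If the plugin image is meant to track the mesh version, bump it here; if it is intentionally left behind, say so in a comment. The `certmanager` block removed in this hunk is the same two lines added after `kiali` above, so that part is a pure move.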
...@@ -148,7 +151,7 @@ global: ...@@ -148,7 +151,7 @@ global:
# Default tag for Istio images. # Default tag for Istio images.
# tag: release-1.1-latest-daily # tag: release-1.1-latest-daily
tag: 1.1.5 tag: 1.2.0
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level> # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components # The control plane has different scopes depending on component, but can configure default log level across all components
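Review bot: the commented alternative `# tag: release-1.1-latest-daily` just above the changed line still names the 1.1 release branch after the default moves to 1.2.0; update or drop it so nobody uncomments a 1.1 daily build against the 1.2 chart. The value is also unquoted here (`tag: 1.2.0`) and under `kubectl` and `proxy`, while `mixer`, `pilot`, `security`, `proxy_init` and `nodeAgent` use `tag: "1.2.0"`; quoting all of them keeps the file consistent and avoids a YAML number surprise if a two-part version is ever used.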
...@@ -158,7 +161,7 @@ global: ...@@ -158,7 +161,7 @@ global:
kubectl: kubectl:
repository: rancher/istio-kubectl repository: rancher/istio-kubectl
tag: 1.1.5 tag: 1.2.0
# monitoring port used by mixer, pilot, galley # monitoring port used by mixer, pilot, galley
monitoringPort: 15014 monitoringPort: 15014
...@@ -182,7 +185,7 @@ global: ...@@ -182,7 +185,7 @@ global:
proxy: proxy:
repository: rancher/istio-proxyv2 repository: rancher/istio-proxyv2
tag: 1.1.5 tag: 1.2.0
# cluster domain. Default value is "cluster.local". # cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local" clusterDomain: "cluster.local"
...@@ -194,7 +197,7 @@ global: ...@@ -194,7 +197,7 @@ global:
memory: 128Mi memory: 128Mi
limits: limits:
cpu: 2000m cpu: 2000m
memory: 128Mi memory: 1024Mi
# Controls number of Proxy worker threads. # Controls number of Proxy worker threads.
# If set to 0 (default), then start worker thread for each CPU thread/core. # If set to 0 (default), then start worker thread for each CPU thread/core.
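Review bot: the memory limit rises from 128Mi to 1024Mi, but the `memory: 128Mi` line above `limits:` (the request, going by the layout) is unchanged, so each sidecar can now use eight times what the scheduler reserves for it. Since this applies to every injected proxy, either raise the request as well or add a comment explaining why the limit had to grow, so operators can size nodes for it.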
...@@ -217,9 +220,13 @@ global: ...@@ -217,9 +220,13 @@ global:
# Expected values are: trace|debug|info|warning|error|critical|off # Expected values are: trace|debug|info|warning|error|critical|off
logLevel: "" logLevel: ""
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.
componentLogLevel: ""
# Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS
# 5 seconds is the default refresh rate used by Envoy # This must be given it terms of seconds. For example, 300s is valid but 5m is invalid.
dnsRefreshRate: 5s dnsRefreshRate: 300s
#If set to true, istio-proxy container will have privileged securityContext #If set to true, istio-proxy container will have privileged securityContext
privileged: false privileged: false
...@@ -246,6 +253,7 @@ global: ...@@ -246,6 +253,7 @@ global:
# be allowed by the sidecar # be allowed by the sidecar
includeIPRanges: "*" includeIPRanges: "*"
excludeIPRanges: "" excludeIPRanges: ""
excludeOutboundPorts: ""
# pod internal interfaces # pod internal interfaces
kubevirtInterfaces: "" kubevirtInterfaces: ""
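Review bot: `excludeOutboundPorts: ""` is added with no comment, unlike the IP range settings next to it. Outbound traffic on the listed ports is not redirected to the sidecar, so it bypasses the mesh's mTLS, policy and telemetry; a comment giving the expected format (comma-separated port list) and that consequence would help whoever sets it later.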
...@@ -291,14 +299,14 @@ global: ...@@ -291,14 +299,14 @@ global:
proxy_init: proxy_init:
# Base name for the proxy_init container, used to configure iptables. # Base name for the proxy_init container, used to configure iptables.
repository: rancher/istio-proxy_init repository: rancher/istio-proxy_init
tag: "1.1.5" tag: "1.2.0"
# imagePullPolicy is applied to istio control plane components. # imagePullPolicy is applied to istio control plane components.
# local tests require IfNotPresent, to avoid uploading to dockerhub. # local tests require IfNotPresent, to avoid uploading to dockerhub.
# TODO: Switch to Always as default, and override in the local tests. # TODO: Switch to Always as default, and override in the local tests.
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests. # propagated, not recommended for tests.
controlPlaneSecurityEnabled: false controlPlaneSecurityEnabled: false
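Review bot: the reworded comment now reads "controlPlaneSecurityEnabled enabled", which repeats the key name and loses the hint the old wording (`controlPlaneMtls`) gave about what the flag does. Suggest stating directly that it turns on mutual TLS between control plane components and that the default remains `false`. Separately, with `imagePullPolicy: IfNotPresent` in the same block, a node that already cached an image under the `1.2.0` tag will not re-pull it if that tag is ever republished, which is worth remembering when resolving the TODO.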
...@@ -348,7 +356,7 @@ global: ...@@ -348,7 +356,7 @@ global:
# to use for pulling any images in pods that reference this ServiceAccount. # to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any clustser configured with private docker registry. # Must be set for any cluster configured with private docker registry.
imagePullSecrets: imagePullSecrets:
# - private-registry-key # - private-registry-key
...@@ -466,7 +474,7 @@ global: ...@@ -466,7 +474,7 @@ global:
nodeAgent: nodeAgent:
repository: rancher/istio-node-agent-k8s repository: rancher/istio-node-agent-k8s
tag: "1.1.5" tag: "1.2.0"
sds: sds:
# SDS enabled. IF set to true, mTLS certificates for the sidecars will be # SDS enabled. IF set to true, mTLS certificates for the sidecars will be
# distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates. # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
...@@ -484,8 +492,9 @@ global: ...@@ -484,8 +492,9 @@ global:
# The second network, `network2`, in this example is defined differently with all endpoints # The second network, `network2`, in this example is defined differently with all endpoints
# retrieved through the specified Multi-Cluster registry being mapped to network2. The # retrieved through the specified Multi-Cluster registry being mapped to network2. The
# gateway is also defined differently with the name of the gateway service on the remote # gateway is also defined differently with the name of the gateway service on the remote
# cluster. The public IP for the gateway will be determined from that remote service (not # cluster. The public IP for the gateway will be determined from that remote service (only
# supported yet). # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
# it still need to be configured manually).
# #
# meshNetworks: # meshNetworks:
# network1: # network1:
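Review bot: grammar in the new comment text: "it still need to be configured manually" should be "it still needs to be configured manually". It would also help to say what has to be configured by hand for a NodePort gateway, since this sentence is the only documentation of the limitation.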
...@@ -498,7 +507,7 @@ global: ...@@ -498,7 +507,7 @@ global:
# endpoints: # endpoints:
# - fromRegistry: reg1 # - fromRegistry: reg1
# gateways: # gateways:
# - registryServiceName: istio-ingressgateway # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
# port: 443 # port: 443
# #
meshNetworks: {} meshNetworks: {}
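Review bot: the example `registryServiceName` now hard-codes both the `istio-system` namespace and the `cluster.local` suffix, while `clusterDomain` is a configurable value elsewhere in this file. A short comment that the name must be the gateway service's FQDN on the remote cluster, and that namespace and domain need adjusting when they differ, would stop people copying the example verbatim.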
......