istio-1.4.600 chart changes

9c38a89b · Caleb Bron · 8a41cdca · 9c38a89b · 9c38a89b · 9c38a89b
Commit 9c38a89b authored Mar 03, 2020 by Caleb Bron
5 changed files
--- a/charts/rancher-istio/1.4.600/charts/galley/templates/clusterrole.yaml
+++ b/charts/rancher-istio/1.4.600/charts/galley/templates/clusterrole.yaml
@@ -41,9 +41,8 @@ rules:
 - apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
+- apiGroups: [""]
-  resources: ["deployments/finalizers"]
+  resources: ["namespaces/finalizers"]
-  resourceNames: ["istio-galley"]
  verbs: ["update"]
 - apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]

--- a/charts/rancher-istio/1.4.600/charts/gateways/templates/deployment.yaml
+++ b/charts/rancher-istio/1.4.600/charts/gateways/templates/deployment.yaml
@@ -270,15 +270,15 @@ spec:
            value: "{{ $.Values.global.tracer.stackdriver.debug }}"
          {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
          - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS
-            value: "{{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}"
+            value: "{{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations.Value }}"
          {{- end }}
          {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
          - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES
-            value: "{{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}"
+            value: "{{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes.Value }}"
          {{- end }}
          {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
          - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS
-            value: "{{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}"
+            value: "{{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents.Value }}"
          {{- end }}
          {{- end }}
          {{- if $spec.sds }}

--- a/charts/rancher-istio/1.4.600/charts/grafana/dashboards/galley-dashboard.json
+++ b/charts/rancher-istio/1.4.600/charts/grafana/dashboards/galley-dashboard.json
@@ -1689,6 +1689,95 @@
        "align": false,
        "alignLevel": null
      }
+    },
+    {
+      "aliasColors": {},
+      "bars": false,
+      "dashLength": 10,
+      "dashes": false,
+      "datasource": null,
+      "fill": 1,
+      "fillGradient": 0,
+      "gridPos": {
+        "h": 7,
+        "w": 8,
+        "x": 0,
+        "y": 48
+      },
+      "id": 48,
+      "legend": {
+        "avg": false,
+        "current": false,
+        "max": false,
+        "min": false,
+        "show": true,
+        "total": false,
+        "values": false
+      },
+      "lines": true,
+      "linewidth": 1,
+      "nullPointMode": "null",
+      "options": {
+        "dataLinks": []
+      },
+      "percentage": false,
+      "pointradius": 2,
+      "points": false,
+      "renderer": "flot",
+      "seriesOverrides": [],
+      "spaceLength": 10,
+      "stack": false,
+      "steppedLine": false,
+      "targets": [
+        {
+          "expr": "sum(increase(istio_mcp_message_sizes_bytes_bucket[5m])) by (le)",
+          "format": "heatmap",
+          "instant": false,
+          "intervalFactor": 1,
+          "legendFormat": "{{le}}",
+          "refId": "A"
+        }
+      ],
+      "thresholds": [],
+      "timeFrom": null,
+      "timeRegions": [],
+      "timeShift": null,
+      "title": "Response message sizes",
+      "tooltip": {
+        "shared": true,
+        "sort": 2,
+        "value_type": "individual"
+      },
+      "type": "graph",
+      "xaxis": {
+        "buckets": null,
+        "mode": "time",
+        "name": null,
+        "show": true,
+        "values": []
+      },
+      "yaxes": [
+        {
+          "format": "none",
+          "label": null,
+          "logBase": 1,
+          "max": null,
+          "min": null,
+          "show": true
+        },
+        {
+          "format": "short",
+          "label": null,
+          "logBase": 1,
+          "max": null,
+          "min": null,
+          "show": true
+        }
+      ],
+      "yaxis": {
+        "align": false,
+        "alignLevel": null
+      }
    }
  ],
  "refresh": "5s",

--- a/charts/rancher-istio/1.4.600/files/injection-template.yaml
+++ b/charts/rancher-istio/1.4.600/files/injection-template.yaml
+{{- $cniDisabled := (not .Values.istio_cni.enabled) }}
+{{- $cniRepairEnabled := (and .Values.istio_cni.enabled .Values.istio_cni.repair.enabled) }}
+{{- $enableInitContainer := (or $cniDisabled $cniRepairEnabled .Values.global.proxy.enableCoreDump) }}
 rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
-{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
+{{- if $enableInitContainer }}
 initContainers:
-{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+{{- if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
-{{- if not .Values.istio_cni.enabled }}
+{{ if $cniRepairEnabled -}}
+- name: istio-validation
+{{ else -}}
 - name: istio-init
-  {{- if .Values.global.systemDefaultRegistry }}
+{{ end -}}
+{{- if .Values.global.systemDefaultRegistry }}
  image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
-  {{- else }}
+{{- else }}
  image: "{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
-  {{- end }}
+{{- end }}
  command:
+{{- if $cniRepairEnabled }}
+  - istio-iptables-go
+{{- else }}
  - istio-iptables
+{{- end }}
  - "-p"
  - "15001"
  - "-z"
@@ -27,7 +37,7 @@ initContainers:
  - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
  - "-d"
  - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
-  {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") -}}
+  {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
  - "-o"
  - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
  {{ end -}}
@@ -35,7 +45,11 @@ initContainers:
  - "-k"
  - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
  {{ end -}}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+{{ if $cniRepairEnabled -}}
+  - "--run-validation"
+  - "--skip-rule-apply"
+{{- end }}
+  imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
 {{- if .Values.global.proxy.init.resources }}
  resources:
    {{ toYaml .Values.global.proxy.init.resources | indent 4 }}
@@ -44,20 +58,27 @@ initContainers:
 {{- end }}
  securityContext:
    allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+    privileged: {{ .Values.global.proxy.privileged }}
    capabilities:
+{{- if not $cniRepairEnabled }}
      add:
      - NET_ADMIN
      - NET_RAW
+{{- end }}
      drop:
      - ALL
-    privileged: {{ .Values.global.proxy.privileged }}
    readOnlyRootFilesystem: false
+  {{- if not $cniRepairEnabled }}
    runAsGroup: 0
    runAsNonRoot: false
    runAsUser: 0
+  {{- else }}
+    runAsGroup: 1337
+    runAsUser: 1337
+    runAsNonRoot: true
+  {{- end }}
  restartPolicy: Always
-{{- end }}
+  {{ end -}}
-{{  end -}}
 {{- if eq .Values.global.proxy.enableCoreDump true }}
 - name: enable-core-dump
  args:
@@ -85,13 +106,17 @@ initContainers:
    runAsNonRoot: false
    runAsUser: 0
 {{ end }}
-{{- end }}
+  {{ end }}
 containers:
 - name: istio-proxy
-{{- if .Values.global.systemDefaultRegistry }}
+{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` "") }} # if custom pod then use that
-  image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
+  image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
 {{- else }}
-  image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.repository}}:{{ .Values.global.proxy.tag }}"
+  {{- if .Values.global.systemDefaultRegistry }}
+  image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
+  {{- else }}
+  image: "{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
+  {{- end }}
 {{- end }}
  ports:
  - containerPort: 15090
@@ -282,15 +307,15 @@ containers:
    value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetDebug }}"
  {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations }}
  - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS
-    value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations }}"
+    value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations.Value }}"
  {{- end }}
  {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes }}
  - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES
-    value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes }}"
+    value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes.Value }}"
  {{- end }}
  {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents }}
  - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS
-    value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents }}"
+    value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents.Value }}"
  {{- end }}
  {{- end }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy }}
@@ -318,7 +343,7 @@ containers:
    {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
    runAsNonRoot: false
    runAsUser: 0
-    {{- else -}}
+    {{- else }}
    runAsNonRoot: true
    runAsUser: 1337
    {{- end }}
@@ -425,12 +450,12 @@ dnsConfig:
    {{- end }}
 {{- end }}
 podRedirectAnnot:
-   sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+  sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
-   traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+  traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
-   traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+  traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
-   traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
+  traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
-   traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
-   traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+  traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
 {{- end }}
-   traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+  traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
--- a/charts/rancher-istio/1.4.600/values.yaml
+++ b/charts/rancher-istio/1.4.600/values.yaml
@@ -131,6 +131,8 @@ certmanager:
 #
 istio_cni:
  enabled: false
+  repair:
+    enabled: true
 # addon Istio CoreDNS configuration
 #