Skip to content

S
system-charts
Commit 9c5e36ae by loganhz Committed by Alena Prokharchyk
Options

Add proxy and service proxy rbac for Istio 1.2.0

parent c7e789a4
Showing with 1573 additions and 921 deletions
charts/rancher-istio/0.0.1/.helmignore
......@@ -19,3 +19,4 @@
.project
.idea/
*.tmproj
tests/
charts/rancher-istio/0.0.1/Chart.yaml
apiVersion: v1
name: istio
version: 1.1.0
appVersion: 1.1.0
name: rancher-istio
version: 0.0.1
appVersion: 1.2.0
tillerVersion: ">=2.7.2-0"
description: Helm chart for all istio components
home: https://istio.io/
keywords:
- istio
- security
......@@ -15,3 +16,5 @@ sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
maintainers:
- name: istio
charts/rancher-istio/0.0.1/app-readme.md 0 → 100644
# Istio
[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
## Introduction
This chart bootstraps all Istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Chart Details
This chart can install multiple istio components as subcharts:
- gateways
- sidecarInjectorWebhook
- galley
- mixer
- pilot
- security(citadel)
- tracing(jaeger)
- kiali
- grafana
- prometheus
To enable or disable each component, change the corresponding `enabled` flag.
Notes: You will need to apply `kubectl label namespace $your-namesapce istio-injection=enabled` to enabled automatic sidecar injection of your desired kubernetes namespaces.
charts/rancher-istio/0.0.1/charts/certmanager/templates/deployment.yaml
......@@ -35,7 +35,11 @@ spec:
{{- end }}
containers:
- name: certmanager
image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}"
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
{{- else }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- --cluster-resource-namespace=$(POD_NAMESPACE)
......
charts/rancher-istio/0.0.1/charts/certmanager/values.yaml
......@@ -5,8 +5,9 @@
# restart, DestinationRules can be created using the ACME-signed certificates.
enabled: false
replicaCount: 1
hub: quay.io/jetstack
tag: v0.6.2
image:
repository: rancher/jetstack-cert-manager-controller
tag: v0.6.2
resources: {}
nodeSelector: {}
tolerations: []
......
charts/rancher-istio/0.0.1/charts/galley/templates/deployment.yaml
......@@ -35,11 +35,7 @@ spec:
{{- end }}
containers:
- name: galley
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 443
......
charts/rancher-istio/0.0.1/charts/galley/values.yaml
......@@ -3,7 +3,6 @@
#
enabled: true
replicaCount: 1
image: galley
nodeSelector: {}
tolerations: []
......
charts/rancher-istio/0.0.1/charts/gateways/templates/deployment.yaml
......@@ -23,6 +23,7 @@ spec:
{{- end }}
selector:
matchLabels:
release: {{ $.Release.Name }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
......@@ -48,11 +49,7 @@ spec:
{{- if $.Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
{{- if contains "/" $.Values.global.proxy_init.image }}
image: "{{ $.Values.global.proxy_init.image }}"
{{- else }}
image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy_init.image }}:{{ $.Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" $ }}{{ $.Values.global.proxy_init.repository }}:{{ $.Values.global.proxy_init.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
command:
- /bin/sh
......@@ -66,11 +63,7 @@ spec:
{{- if $spec.sds }}
{{- if $spec.sds.enabled }}
- name: ingress-sds
{{- if contains "/" $spec.sds.image }}
image: "{{ $spec.sds.image }}"
{{- else }}
image: "{{ $.Values.global.hub }}/{{ $spec.sds.image }}:{{ $.Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" $ }}{{ $.Values.global.nodeAgent.repository }}:{{ $.Values.global.nodeAgent.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
resources:
{{- if $spec.sds.resources }}
......@@ -94,11 +87,7 @@ spec:
{{- end }}
{{- end }}
- name: istio-proxy
{{- if contains "/" $.Values.global.proxy.image }}
image: "{{ $.Values.global.proxy.image }}"
{{- else }}
image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" $ }}{{ $.Values.global.proxy.repository }}:{{ $.Values.global.proxy.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
ports:
{{- range $key, $val := $spec.ports }}
......@@ -167,10 +156,6 @@ spec:
{{- else }}
- istio-pilot:15010
{{- end }}
{{- if $spec.applicationPorts }}
- --applicationPorts
- "{{ $spec.applicationPorts }}"
{{- end }}
{{- end }}
{{- if $.Values.global.trustDomain }}
- --trust-domain={{ $.Values.global.trustDomain }}
......
charts/rancher-istio/0.0.1/charts/gateways/templates/service.yaml
......@@ -45,6 +45,16 @@ spec:
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
# range addon ports
{{- range $key, $val := $spec.addOnPorts }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
# range meshExpansion ports
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $spec.meshExpansionPorts }}
-
......
charts/rancher-istio/0.0.1/charts/gateways/values.yaml
......@@ -17,7 +17,6 @@ istio-ingressgateway:
enabled: false
# SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.
# This server runs in the same pod as ingress gateway.
image: node-agent-k8s
resources:
requests:
cpu: 100m
......@@ -55,9 +54,6 @@ istio-ingressgateway:
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15020
targetPort: 15020
name: status-port
- port: 80
targetPort: 80
name: http2
......@@ -65,28 +61,28 @@ istio-ingressgateway:
- port: 443
name: https
nodePort: 31390
# Example of a port to add. Remove if not needed
- port: 31400
name: tcp
nodePort: 31400
### PORTS FOR UI/metrics #####
## Disable if not needed
- port: 15029
targetPort: 15029
name: https-kiali
- port: 15030
targetPort: 15030
name: https-prometheus
- port: 15031
targetPort: 15031
name: https-grafana
- port: 15032
targetPort: 15032
name: https-tracing
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
addOnPorts:
# - port: 15029
# targetPort: 15029
# name: https-kiali
# - port: 15030
# targetPort: 15030
# name: https-prometheus
# - port: 15031
# targetPort: 15031
# name: https-grafana
# - port: 15032
# targetPort: 15032
# name: https-tracing
# # This is the port where sni routing happens
# - port: 15443
# targetPort: 15443
# name: tls
# - port: 15020
# targetPort: 15020
# name: status-port
#### MESH EXPANSION PORTS ########
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
......
charts/rancher-istio/0.0.1/charts/grafana/templates/create-custom-resources-job.yaml
......@@ -79,7 +79,7 @@ spec:
serviceAccountName: istio-grafana-post-install-account
containers:
- name: kubectl
image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ]
volumeMounts:
- mountPath: "/tmp/grafana"
......
charts/rancher-istio/0.0.1/charts/grafana/templates/deployment.yaml
......@@ -25,7 +25,6 @@ spec:
prometheus.io/scrape: "true"
spec:
securityContext:
runAsUser: 472
fsGroup: 472
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
......@@ -38,7 +37,7 @@ spec:
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 3000
......@@ -98,6 +97,25 @@ spec:
- name: config
mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml"
subPath: dashboardproviders.yaml
- name: grafana-proxy
image: "{{ template "system_default_registry" . }}{{ .Values.global.nginxProxy.repository }}:{{ .Values.global.nginxProxy.tag }}"
args:
- nginx
- -g
- daemon off;
- -c
- /nginx/nginx.conf
ports:
- name: http
containerPort: 80
protocol: TCP
volumeMounts:
- mountPath: /nginx/
name: grafana-nginx
{{- if and .Values.resources .Values.resources.proxy }}
resources:
{{ toYaml .Values.resources.proxy | indent 10 }}
{{- end }}
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
......@@ -109,10 +127,17 @@ spec:
- name: config
configMap:
name: istio-grafana
- name: grafana-nginx
configMap:
name: grafana-nginx
items:
- key: nginx.conf
mode: 438
path: nginx.conf
- name: data
{{- if .Values.persist }}
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: istio-grafana-pvc
claimName: {{ .Values.persistence.existingClaim | default ("istio-grafana-pvc") }}
{{- else }}
emptyDir: {}
{{- end }}
......
charts/rancher-istio/0.0.1/charts/grafana/templates/nginx-configmap.yaml 0 → 100644
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-nginx
labels:
app: grafana-nginx
chart: {{ template "grafana.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
nginx.conf: |-
user nginx;
worker_processes auto;
error_log /dev/stdout warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
log_format main '[$time_local - $status] $remote_addr - $remote_user $request ($http_referer)';
proxy_connect_timeout 10;
proxy_read_timeout 180;
proxy_send_timeout 5;
proxy_buffering off;
proxy_cache_path /tmp/nginx levels=1:2 keys_zone=my_zone:100m inactive=1d max_size=10g;
server {
listen 80;
access_log off;
gzip on;
gzip_min_length 1k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
proxy_set_header Host $host;
location /api/dashboards {
proxy_pass http://localhost:3000;
}
location /api/search {
proxy_pass http://localhost:3000;
sub_filter_types application/json;
sub_filter_once off;
sub_filter '"url":"/d' '"url":"d';
}
location / {
proxy_cache my_zone;
proxy_cache_valid 200 302 1d;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_cache_bypass $http_cache_control;
add_header X-Proxy-Cache $upstream_cache_status;
add_header Cache-Control "public";
proxy_pass http://localhost:3000/;
sub_filter_types text/html;
sub_filter_once off;
sub_filter '"appSubUrl":""' '"appSubUrl":"."';
sub_filter '"url":"/' '"url":"./';
sub_filter ':"/avatar/' ':"avatar/';
if ($request_filename ~ .*\.(?:js|css|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$) {
expires 90d;
}
}
}
}
charts/rancher-istio/0.0.1/charts/grafana/templates/pvc.yaml
{{- if .Values.persist }}
{{- if .Values.persistence.enabled }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
......@@ -10,10 +10,10 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
storageClassName: {{ .Values.storageClassName }}
storageClassName: {{ .Values.persistence.storageClass }}
accessModes:
- {{ .Values.accessMode }}
- {{ .Values.persistence.accessMode }}
resources:
requests:
storage: 5Gi
storage: {{ .Values.persistence.size }}
{{- end }}
charts/rancher-istio/0.0.1/charts/grafana/templates/service.yaml
......@@ -12,21 +12,13 @@ metadata:
chart: {{ template "grafana.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
kubernetes.io/cluster-service: "true"
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: 3000
protocol: TCP
name: {{ .Values.service.name }}
- name: http-access-grafana
protocol: TCP
targetPort: 80
port: 80
selector:
app: grafana
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
{{- end }}
{{if .Values.service.loadBalancerSourceRanges}}
loadBalancerSourceRanges:
{{range $rangeList := .Values.service.loadBalancerSourceRanges}}
- {{ $rangeList }}
{{end}}
{{end}}
\ No newline at end of file
charts/rancher-istio/0.0.1/charts/grafana/templates/tests/test-grafana-connection.yaml
......@@ -19,7 +19,7 @@ spec:
{{- end }}
containers:
- name: "{{ template "grafana.fullname" . }}-test"
image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['curl']
args: ['http://grafana:{{ .Values.grafana.service.externalPort }}']
......
charts/rancher-istio/0.0.1/charts/grafana/values.yaml
......@@ -3,9 +3,6 @@
#
enabled: false
replicaCount: 1
image:
repository: grafana/grafana
tag: 6.1.6
ingress:
enabled: false
## Used to create an Ingress record.
......@@ -19,9 +16,12 @@ ingress:
# - secretName: grafana-tls
# hosts:
# - grafana.local
persist: false
storageClassName: ""
accessMode: ReadWriteMany
persistence:
enabled: false
storageClass: ""
accessMode: ReadWriteOnce
existingClaim: ""
size: 5Gi
security:
enabled: false
secretName: grafana
......@@ -54,11 +54,7 @@ podAntiAffinityTermLabelSelector: []
contextPath: /grafana
service:
annotations: {}
name: http
type: ClusterIP
externalPort: 3000
loadBalancerIP:
loadBalancerSourceRanges:
datasources:
datasources.yaml:
......@@ -85,3 +81,5 @@ dashboardProviders:
disableDeletion: false
options:
path: /var/lib/grafana/dashboards/istio
resources: {}
\ No newline at end of file
charts/rancher-istio/0.0.1/charts/istiocoredns/templates/deployment.yaml
......@@ -30,7 +30,7 @@ spec:
{{- end }}
containers:
- name: coredns
image: {{ .Values.coreDNSImage }}
image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args: [ "-conf", "/etc/coredns/Corefile" ]
volumeMounts:
......@@ -64,8 +64,8 @@ spec:
- name: istio-coredns-plugin
command:
- /usr/local/bin/plugin
image: {{ .Values.coreDNSPluginImage }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
image: "{{ template "system_default_registry" . }}{{ .Values.pluginImage.repository }}:{{ .Values.pluginImage.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 8053
name: dns-grpc
......
charts/rancher-istio/0.0.1/charts/istiocoredns/values.yaml
......@@ -3,11 +3,9 @@
#
enabled: false
replicaCount: 1
coreDNSImage: coredns/coredns:1.1.2
# Source code for the plugin can be found at
# https://github.com/istio-ecosystem/istio-coredns-plugin
# The plugin listens for DNS requests from coredns server at 127.0.0.1:8053
coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1
nodeSelector: {}
tolerations: []
......
charts/rancher-istio/0.0.1/charts/kiali/templates/configmap.yaml
......@@ -11,17 +11,18 @@ metadata:
data:
config.yaml: |
istio_namespace: {{ .Release.Namespace }}
auth:
strategy: "login"
server:
port: 20001
{{- if .Values.contextPath }}
web_root: {{ .Values.contextPath }}
{{- end }}
external_services:
tracing:
url: {{ .Values.dashboard.jaegerURL }}
service: "tracing/jaeger"
{{- if and .Values.global.rancher (and .Values.global.rancher.domain .Values.global.rancher.clusterId) }}
{{- if not .Values.dashboard.jaegerURL }}
url: 'https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:tracing:80/proxy/jaeger'
{{- end }}
{{- end }}
grafana:
custom_metrics_url: "http://prometheus.{{ .Release.Namespace }}:9090"
{{- if .Values.dashboard.grafanaURL }}
url: {{ .Values.dashboard.grafanaURL }}
prometheus:
url: {{ .Values.prometheusAddr }}
{{- end }}
charts/rancher-istio/0.0.1/charts/kiali/templates/deployment.yaml
......@@ -32,8 +32,7 @@ spec:
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- image: "{{ .Values.hub }}/kiali:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
name: kiali
command:
- "/opt/kiali/kiali"
......@@ -42,10 +41,36 @@ spec:
- "-v"
- "4"
env:
{{- if and .Values.global.rancher (and .Values.global.rancher.domain .Values.global.rancher.clusterId) }}
{{- if not .Values.dashboard.grafanaURL }}
- name: GRAFANA_URL
value: 'https://{{ .Values.global.rancher.domain }}/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:grafana:80/proxy/'
{{- end }}
{{- end }}
- name: ACTIVE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: AUTH_STRATEGY
value: {{ .Values.dashboard.authStrategy }}
- name: SERVER_CREDENTIALS_USERNAME
valueFrom:
secretKeyRef:
name: {{ .Values.dashboard.secretName }}
key: username
optional: true
- name: SERVER_CREDENTIALS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.dashboard.secretName }}
key: passphrase
optional: true
- name: PROMETHEUS_SERVICE_URL
value: {{ .Values.prometheusAddr }}
{{- if .Values.contextPath }}
- name: SERVER_WEB_ROOT
value: {{ .Values.contextPath }}
{{- end }}
volumeMounts:
- name: kiali-configuration
mountPath: "/kiali-configuration"
......@@ -57,10 +82,36 @@ spec:
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
- name: kiali-proxy
image: "{{ template "system_default_registry" . }}{{ .Values.global.nginxProxy.repository }}:{{ .Values.global.nginxProxy.tag }}"
args:
- nginx
- -g
- daemon off;
- -c
- /nginx/nginx.conf
ports:
- name: http
containerPort: 80
protocol: TCP
volumeMounts:
- mountPath: /nginx/
name: kiali-nginx
{{- if and .Values.resources .Values.resources.proxy }}
resources:
{{ toYaml .Values.resources.proxy | indent 10 }}
{{- end }}
volumes:
- name: kiali-configuration
configMap:
name: kiali
- name: kiali-nginx
configMap:
name: kiali-nginx
items:
- key: nginx.conf
mode: 438
path: nginx.conf
- name: kiali-secret
secret:
secretName: {{ .Values.dashboard.secretName }}
......
charts/rancher-istio/0.0.1/charts/kiali/templates/nginx-configmap.yaml 0 → 100644
apiVersion: v1
kind: ConfigMap
metadata:
name: kiali-nginx
namespace: {{ .Release.Namespace }}
labels:
app: kiali-nginx
chart: {{ template "kiali.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
nginx.conf: |-
user nginx;
worker_processes auto;
error_log /dev/stdout warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
log_format main '[$time_local - $status] $remote_addr - $remote_user $request ($http_referer)';
proxy_connect_timeout 10;
proxy_read_timeout 180;
proxy_send_timeout 5;
proxy_buffering off;
proxy_cache_path /tmp/nginx levels=1:2 keys_zone=my_zone:100m inactive=1d max_size=10g;
server {
listen 80;
access_log off;
gzip on;
gzip_min_length 1k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
proxy_set_header Host $host;
location / {
proxy_cache my_zone;
proxy_cache_valid 200 302 1d;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_cache_bypass $http_cache_control;
add_header X-Proxy-Cache $upstream_cache_status;
add_header Cache-Control "public";
proxy_pass http://localhost:20001/;
sub_filter_types text/html;
sub_filter_once on;
sub_filter </head> '<script>var path = window.location.pathname; var pathName = path.substring(0, path.lastIndexOf("/proxy") + 6); window.WEB_ROOT = window.WEB_ROOT ? pathName + window.WEB_ROOT:pathName</script></head>';
if ($request_filename ~ .*\.(?:js|css|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$) {
expires 90d;
}
}
}
}
charts/rancher-istio/0.0.1/charts/kiali/templates/demosecret.yaml charts/rancher-istio/0.0.1/charts/kiali/templates/secret.yaml
{{- if .Values.createDemoSecret }}
apiVersion: v1
kind: Secret
metadata:
......@@ -11,6 +10,5 @@ metadata:
release: {{ .Release.Name }}
type: Opaque
data:
username: YWRtaW4= # admin
passphrase: YWRtaW4= # admin
{{- end }}
username: {{ .Values.dashboard.username | b64enc | quote }}
passphrase: {{ .Values.dashboard.passphrase | b64enc | quote }}
charts/rancher-istio/0.0.1/charts/kiali/templates/service.yaml
......@@ -9,9 +9,30 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
type: ClusterIP
ports:
- name: http-kiali
protocol: TCP
port: 20001
selector:
app: kiali
---
apiVersion: v1
kind: Service
metadata:
name: kiali-http
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "kiali.name" . }}
chart: {{ template "kiali.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
kubernetes.io/cluster-service: "true"
spec:
type: {{ .Values.service.type }}
ports:
- name: http-access-kiali
protocol: TCP
port: 80
selector:
app: kiali
charts/rancher-istio/0.0.1/charts/kiali/templates/tests/test-kiali-connection.yaml
......@@ -19,7 +19,7 @@ spec:
{{- end }}
containers:
- name: "{{ template "kiali.fullname" . }}-test"
image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['curl']
args: ['http://kiali:20001']
......
charts/rancher-istio/0.0.1/charts/kiali/values.yaml
......@@ -3,9 +3,7 @@
#
enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`.
replicaCount: 1
hub: quay.io/kiali
tag: v0.20
contextPath: /kiali # The root context path to access the Kiali UI.
contextPath: /
nodeSelector: {}
# Specify the pod anti-affinity that allows you to constrain which nodes
......@@ -44,11 +42,20 @@ ingress:
# - kiali.local
dashboard:
# login/anonymous
authStrategy: anonymous
username: admin
passphrase: admin
secretName: kiali # You must create a secret with this name - one is not provided out-of-box.
viewOnlyMode: false # Bind the service account to a role with only read access
grafanaURL: # If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. Kiali will redirect users to this URL when Grafana metrics are to be shown.
jaegerURL: # If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown.
prometheusAddr: http://prometheus:9090
# When true, a secret will be created with a default username and password. Useful for demos.
createDemoSecret: false
service:
type: ClusterIP
resources: {}
\ No newline at end of file
charts/rancher-istio/0.0.1/charts/mixer/templates/deployment.yaml
......@@ -38,11 +38,7 @@
{{- end }}
containers:
- name: mixer
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" . }}{{ $.Values.repository }}:{{ $.Values.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
ports:
- containerPort: {{ .Values.global.monitoringPort }}
......@@ -109,11 +105,7 @@
initialDelaySeconds: 5
periodSeconds: 5
- name: istio-proxy
{{- if contains "/" $.Values.global.proxy.image }}
image: "{{ $.Values.global.proxy.image }}"
{{- else }}
image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" . }}{{ $.Values.global.proxy.repository }}:{{ $.Values.global.proxy.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
ports:
- containerPort: 9091
......@@ -218,11 +210,7 @@
{{- end }}
containers:
- name: mixer
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" . }}{{ $.Values.repository }}:{{ $.Values.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
ports:
- containerPort: {{ .Values.global.monitoringPort }}
......@@ -299,11 +287,7 @@
initialDelaySeconds: 5
periodSeconds: 5
- name: istio-proxy
{{- if contains "/" $.Values.global.proxy.image }}
image: "{{ $.Values.global.proxy.image }}"
{{- else }}
image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" . }}{{ $.Values.global.proxy.repository }}:{{ $.Values.global.proxy.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
ports:
- containerPort: 9091
......
charts/rancher-istio/0.0.1/charts/mixer/values.yaml
#
# mixer configuration
#
image: mixer
env:
GODEBUG: gctrace=1
# max procs should be ceil(cpu limit + 1)
......
charts/rancher-istio/0.0.1/charts/nodeagent/templates/daemonset.yaml
......@@ -30,11 +30,7 @@ spec:
{{- end }}
containers:
- name: nodeagent
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" . }}{{ $.Values.global.nodeAgent.repository }}:{{ $.Values.global.nodeAgent.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
volumeMounts:
- mountPath: /var/run/sds
......
charts/rancher-istio/0.0.1/charts/nodeagent/values.yaml
......@@ -2,7 +2,6 @@
# nodeagent configuration
#
enabled: false
image: node-agent-k8s
env:
# name of authentication provider.
CA_PROVIDER: ""
......
charts/rancher-istio/0.0.1/charts/pilot/templates/deployment.yaml
......@@ -44,11 +44,7 @@ spec:
{{- end }}
containers:
- name: discovery
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- "discovery"
......@@ -126,11 +122,7 @@ spec:
readOnly: true
{{- if .Values.sidecar }}
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 15003
......
charts/rancher-istio/0.0.1/charts/pilot/values.yaml
......@@ -7,7 +7,6 @@ autoscaleMin: 1
autoscaleMax: 5
# specify replicaCount when autoscaleEnabled: false
# replicaCount: 1
image: pilot
sidecar: true
traceSampling: 1.0
# Resources for a small pilot install
......
charts/rancher-istio/0.0.1/charts/prometheus/templates/deployment.yaml
......@@ -30,7 +30,7 @@ spec:
{{- end }}
containers:
- name: prometheus
image: "{{ .Values.hub }}/prometheus:{{ .Values.tag }}"
image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- '--storage.tsdb.retention={{ .Values.retention }}'
......@@ -57,6 +57,31 @@ spec:
mountPath: /etc/prometheus
- mountPath: /etc/istio-certs
name: istio-certs
- name: prometheus-nginx
command:
- /bin/sh
- -c
- cp /nginx/run-sh.tmpl /var/run/nginx-start.sh; chmod +x /var/run/nginx-start.sh; /var/run/nginx-start.sh
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: "{{ template "system_default_registry" . }}{{ .Values.global.nginxProxy.repository }}:{{ .Values.global.nginxProxy.tag }}"
ports:
- containerPort: 80
name: http
protocol: TCP
{{- if and .Values.resources .Values.resources.proxy }}
resources:
{{ toYaml .Values.resources.proxy | indent 6 }}
{{- end }}
securityContext:
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- mountPath: /nginx
name: prometheus-nginx
volumes:
- name: config-volume
configMap:
......@@ -68,6 +93,9 @@ spec:
optional: true
{{- end }}
secretName: istio.default
- name: prometheus-nginx
configMap:
name: {{ template "prometheus.chart" . }}-nginx
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
......
charts/rancher-istio/0.0.1/charts/prometheus/templates/nginx-configmap.yaml 0 → 100644
apiVersion: v1
kind: ConfigMap
metadata:
name: prometheus-nginx
labels:
app: prometheus-nginx
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
run-sh.tmpl: |-
#!/bin/sh
set -e
srcpath="/nginx/nginx-conf.tmpl"
dstpath="/var/run/nginx.conf"
if ! [ -f $srcpath ]; then
exit 1
fi
token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
sed "s/REPLACE_PARAM_AUTHORIZATION/Bearer ${token}/g" $srcpath | sed "s/REPLACE_PARAM_IP/${POD_IP}/g" > $dstpath
exec nginx -g "daemon off;" -c /var/run/nginx.conf
nginx-conf.tmpl: |-
user nginx;
worker_processes auto;
error_log /dev/stdout warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
log_format main '[$time_local - $status] $remote_addr - $remote_user $request ($http_referer)';
proxy_connect_timeout 10;
proxy_read_timeout 180;
proxy_send_timeout 5;
proxy_buffering off;
proxy_cache_path /tmp/nginx levels=1:2 keys_zone=my_zone:100m inactive=1d max_size=10g;
server {
listen 80;
access_log off;
gzip on;
gzip_min_length 1k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
proxy_set_header Host $host;
proxy_set_header Authorization "REPLACE_PARAM_AUTHORIZATION";
proxy_pass_header Authorization;
location / {
proxy_cache my_zone;
proxy_cache_valid 200 302 1d;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_cache_bypass $http_cache_control;
add_header X-Proxy-Cache $upstream_cache_status;
add_header Cache-Control "public";
proxy_pass http://REPLACE_PARAM_IP:9090/;
sub_filter_types text/html;
sub_filter_once off;
sub_filter 'var PATH_PREFIX = "";' 'var PATH_PREFIX = ".";';
if ($request_filename ~ .*\.(?:js|css|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$) {
expires 90d;
}
}
}
}
\ No newline at end of file
charts/rancher-istio/0.0.1/charts/prometheus/templates/service.yaml
......@@ -14,32 +14,31 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
type: ClusterIP
selector:
app: prometheus
ports:
- name: http-prometheus
- name: prometheus
protocol: TCP
port: 9090
{{- if .Values.service.nodePort.enabled }}
# Using separate ingress for nodeport, to avoid conflict with pilot e2e test configs.
---
apiVersion: v1
kind: Service
metadata:
name: prometheus-nodeport
name: prometheus-http
namespace: {{ .Release.Namespace }}
annotations:
labels:
app: prometheus
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
kubernetes.io/cluster-service: "true"
spec:
type: NodePort
ports:
- port: 9090
nodePort: {{ .Values.service.nodePort.port }}
name: http-prometheus
type: ClusterIP
selector:
app: prometheus
{{- end }}
ports:
- name: access-prometheus
protocol: TCP
port: 80
charts/rancher-istio/0.0.1/charts/prometheus/templates/tests/test-prometheus-connection.yaml
......@@ -19,7 +19,7 @@ spec:
{{- end }}
containers:
- name: "{{ template "prometheus.fullname" . }}-test"
image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && exit 0 || sleep 15; done; exit 1']
restartPolicy: Never
......
charts/rancher-istio/0.0.1/charts/prometheus/values.yaml
......@@ -3,8 +3,7 @@
#
enabled: true
replicaCount: 1
hub: docker.io/prom
tag: v2.8.0
retention: 6h
nodeSelector: {}
tolerations: []
......@@ -57,3 +56,5 @@ service:
security:
enabled: true
resources: {}
charts/rancher-istio/0.0.1/charts/security/templates/cleanup-secrets.yaml
......@@ -101,7 +101,7 @@ spec:
serviceAccountName: istio-cleanup-secrets-service-account
containers:
- name: kubectl
image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
imagePullPolicy: IfNotPresent
command:
- /bin/bash
......
charts/rancher-istio/0.0.1/charts/security/templates/create-custom-resources-job.yaml
......@@ -77,7 +77,7 @@ spec:
serviceAccountName: istio-security-post-install-account
containers:
- name: kubectl
image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
imagePullPolicy: IfNotPresent
command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
volumeMounts:
......
charts/rancher-istio/0.0.1/charts/security/templates/deployment.yaml
......@@ -36,11 +36,7 @@ spec:
{{- end }}
containers:
- name: citadel
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- --append-dns-names=true
......
charts/rancher-istio/0.0.1/charts/security/templates/tests/test-citadel-connection.yaml
......@@ -19,7 +19,7 @@ spec:
{{- end }}
containers:
- name: "{{ template "security.fullname" . }}-test"
image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:8060/-/ready && exit 0 || sleep 15; done; exit 1']
restartPolicy: Never
......
charts/rancher-istio/0.0.1/charts/security/values.yaml
......@@ -2,7 +2,6 @@
# security configuration
#
enabled: true
image: citadel
selfSigned: true # indicate if self-signed CA is used.
createMeshPolicy: true
nodeSelector: {}
......
charts/rancher-istio/0.0.1/charts/sidecarInjectorWebhook/templates/deployment.yaml
......@@ -35,11 +35,7 @@ spec:
{{- end }}
containers:
- name: sidecar-injector-webhook
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- --caCertFile=/etc/istio/certs/root-cert.pem
......
charts/rancher-istio/0.0.1/charts/sidecarInjectorWebhook/values.yaml
......@@ -3,7 +3,6 @@
#
enabled: true
replicaCount: 1
image: sidecar_injector
enableNamespacesByDefault: false
nodeSelector: {}
......
charts/rancher-istio/0.0.1/charts/tracing/templates/deployment-jaeger.yaml
......@@ -42,7 +42,7 @@ spec:
{{- end }}
containers:
- name: jaeger
image: "{{ .Values.jaeger.hub }}/all-in-one:{{ .Values.jaeger.tag }}"
image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 9411
......@@ -79,6 +79,33 @@ spec:
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
- name: jaeger-proxy
image: "{{ template "system_default_registry" . }}{{ .Values.global.nginxProxy.repository }}:{{ .Values.global.nginxProxy.tag }}"
args:
- nginx
- -g
- daemon off;
- -c
- /nginx/nginx.conf
ports:
- name: http
containerPort: 80
protocol: TCP
volumeMounts:
- mountPath: /nginx/
name: tracing-nginx
{{- if and .Values.jaeger.proxy .Values.jaeger.proxy.resources }}
resources:
{{ toYaml .Values.jaeger.proxy.resources | indent 12 }}
{{- end }}
volumes:
- name: tracing-nginx
configMap:
name: tracing-nginx
items:
- key: nginx.conf
mode: 438
path: nginx.conf
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
......
charts/rancher-istio/0.0.1/charts/tracing/templates/deployment-zipkin.yaml
......@@ -36,7 +36,7 @@ spec:
{{- end }}
containers:
- name: zipkin
image: "{{ .Values.zipkin.hub }}/zipkin:{{ .Values.zipkin.tag }}"
image: "{{ template "system_default_registry" . }}{{ .Values.zipkin.repository }}:{{ .Values.zipkin.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: {{ .Values.zipkin.queryPort }}
......@@ -69,6 +69,33 @@ spec:
value: "mem"
- name: ZIPKIN_STORAGE_MEM_MAXSPANS
value: "{{ .Values.zipkin.maxSpans }}"
- name: zipkin-proxy
image: "{{ template "system_default_registry" . }}{{ .Values.global.nginxProxy.repository }}:{{ .Values.global.nginxProxy.tag }}"
args:
- nginx
- -g
- daemon off;
- -c
- /nginx/nginx.conf
ports:
- name: http
containerPort: 80
protocol: TCP
volumeMounts:
- mountPath: /nginx/
name: tracing-nginx
{{- if and .Values.zipkin.proxy .Values.zipkin.proxy.resources }}
resources:
{{ toYaml .Values.zipkin.proxy.resources | indent 12 }}
{{- end }}
volumes:
- name: tracing-nginx
configMap:
name: tracing-nginx
items:
- key: nginx.conf
mode: 438
path: nginx.conf
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
......
charts/rancher-istio/0.0.1/charts/tracing/templates/nginx-configmap.yaml 0 → 100644
apiVersion: v1
kind: ConfigMap
metadata:
name: tracing-nginx
namespace: {{ .Release.Namespace }}
labels:
app: tracing-nginx
chart: {{ template "tracing.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
nginx.conf: |-
user nginx;
worker_processes auto;
error_log /dev/stdout warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
log_format main '[$time_local - $status] $remote_addr - $remote_user $request ($http_referer)';
proxy_connect_timeout 10;
proxy_read_timeout 180;
proxy_send_timeout 5;
proxy_buffering off;
proxy_cache_path /tmp/nginx levels=1:2 keys_zone=my_zone:100m inactive=1d max_size=10g;
server {
listen 80;
access_log off;
gzip on;
gzip_min_length 1k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
proxy_set_header Host $host;
location / {
proxy_cache my_zone;
proxy_cache_valid 200 302 1d;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_cache_bypass $http_cache_control;
add_header X-Proxy-Cache $upstream_cache_status;
add_header Cache-Control "public";
{{ if eq .Values.provider "jaeger" }}
proxy_pass http://localhost:16686/;
{{ else }}
proxy_pass http://localhost:9411/;
{{ end}}
if ($request_filename ~ .*\.(?:js|css|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$) {
expires 90d;
}
}
}
}
charts/rancher-istio/0.0.1/charts/tracing/templates/service.yaml
......@@ -42,15 +42,13 @@ items:
chart: {{ template "tracing.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
kubernetes.io/cluster-service: "true"
spec:
type: {{ .Values.service.uiType }}
ports:
- name: http-query
- name: http-access-tracing
port: 80
protocol: TCP
{{ if eq .Values.provider "jaeger" }}
targetPort: 16686
{{ else }}
targetPort: 9411
{{ end}}
targetPort: 80
selector:
app: {{ .Values.provider }}
charts/rancher-istio/0.0.1/charts/tracing/templates/tests/test-tracing-connection.yaml
......@@ -18,7 +18,7 @@ spec:
{{- end }}
containers:
- name: "{{ .Values.provider }}-test"
image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['curl']
{{- if eq .Values.provider "jaeger" }}
......
charts/rancher-istio/0.0.1/charts/tracing/values.yaml
......@@ -28,14 +28,12 @@ podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
jaeger:
hub: docker.io/jaegertracing
tag: 1.9
memory:
max_traces: 50000
proxy:
resources: {}
zipkin:
hub: docker.io/openzipkin
tag: 2
probeStartupDelay: 200
queryPort: 9411
resources:
......@@ -53,11 +51,14 @@ zipkin:
maxSpans: 500000
node:
cpus: 2
proxy:
resources: {}
service:
annotations: {}
name: http
type: ClusterIP
uiType: ClusterIP
externalPort: 9411
ingress:
......
charts/rancher-istio/0.0.1/example-values/README.md deleted 100644 → 0
# Example Values
These files provide various example values for different Istio setups.
To use them, [read the docs](https://istio.io/docs/setup/kubernetes/helm-install/) and add the flag `--values example-file.yaml`.
charts/rancher-istio/0.0.1/example-values/values-istio-example-sds-vault.yaml deleted 100644 → 0
global:
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
sds:
enabled: true
udsPath: "unix:/var/run/sds/uds_path"
useNormalJwt: true
nodeagent:
enabled: true
image: node-agent-k8s
env:
# The IP address and the port number of a publicly accessible example Vault server.
CA_ADDR: "https://34.83.129.211:8200"
CA_PROVIDER: "VaultCA"
VALID_TOKEN: true
# The IP address and the port number of a publicly accessible example Vault server.
VAULT_ADDR: "https://34.83.129.211:8200"
VAULT_AUTH_PATH: "auth/kubernetes/login"
VAULT_ROLE: "istio-cert"
VAULT_SIGN_CSR_PATH: "istio_ca/sign/istio-pki-role"
VAULT_TLS_ROOT_CERT: '-----BEGIN CERTIFICATE-----\nMIIC3jCCAcagAwIBAgIRAO1S7vuRQmo2He+RtBq3fv8wDQYJKoZIhvcNAQELBQAw\nEDEOMAwGA1UEChMFVmF1bHQwIBcNMTkwNDI3MTY1ODE1WhgPMjExOTA0MDMxNjU4\nMTVaMBAxDjAMBgNVBAoTBVZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEA7/CTbnENEIvFZg9hmVtYnOx3OfMy/GNCuP7sqtAeVVTopAKKkcAAWQck\nrhpBooEGpCugNxXGNCuJh/2nu0AfGFRfdafwSJRoI6yHwQouDm0o4r3h9uL3tu5N\nD+x9j+eejbFsoZVn84CxGkEB6oyeXYHjc6eWh3PFGMtKuOQD4pezvDH0yNCx5waK\nhtPuYtl0ebfdbyh+WQuptO+Q9VSaQNqE3ipZ461y8PduwRRll241W0gQB2iasX03\nD36F2ZrMz3KEVRVKM1yCUDCy2RPJqkXPdnVMWmDGbe8Uw69zr25JltzuRZFT9HL3\nY1RnMTecmSc4ikTUHcMhFX3PYbfR5wIDAQABozEwLzAOBgNVHQ8BAf8EBAMCBaAw\nDAYDVR0TAQH/BAIwADAPBgNVHREECDAGhwQiU4HTMA0GCSqGSIb3DQEBCwUAA4IB\nAQCdLh6olDVQB71LD6srbfAE4EsxLEBbIRnv7Nf1S0KQwgW/QxK8DHBwJBxJkr1N\nzgEPx86f2Fo2UsY9m6rvgP3+iquyMsKi0ooUah3y3LSnONuZcdfSTl/HYd38S6Dp\nVkVOZ7781xxpFVUqQ5voQX1Y1Ipn5qw0FyIcNYWLkNX+iMf1b9kpEIWQNhRC/Yiv\nTS0VA/BzQemGyf2UB6QsuZLH+JFEZnzU859qURnNIITa1Wf4YUtka5Sp1kDnEll3\nwj4IlXKU+Wl1CzxJyn4SSQAXy/Lb08ZKrF/YSzcIISnRX5j+wa8ApOSwwA/B7iaT\nTWz1g+RlV9qHap70eIjPsQvb\n-----END CERTIFICATE-----'
\ No newline at end of file
charts/rancher-istio/0.0.1/example-values/values-istio-gateways.yaml deleted 100644 → 0
# Common settings.
global:
# Omit the istio-sidecar-injector configmap when generate a
# standalone gateway. Gateways may be created in namespaces other
# than `istio-system` and we don't want to re-create the injector
# configmap in those.
omitSidecarInjectorConfigMap: true
# Istio control plane namespace: This specifies where the Istio control
# plane was installed earlier. Modify this if you installed the control
# plane in a different namespace than istio-system.
istioNamespace: istio-system
proxy:
# Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
# would be <host>:<port>).
# Disabled by default.
# The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
envoyStatsd:
# If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
enabled: false
host: # example: statsd-svc.istio-system
port: # example: 9125
#
# Gateways Configuration
# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
# You can add more gateways in addition to the defaults but make sure those are uniquely named
# and that NodePorts are not conflicting.
# Disable specific gateway by setting the `enabled` to false.
#
gateways:
enabled: true
custom-gateway:
enabled: true
labels:
app: custom-gateway
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
#requests:
# cpu: 1800m
# memory: 256Mi
cpu:
targetAverageUtilization: 80
loadBalancerIP: ""
loadBalancerSourceRanges: {}
externalIPs: []
serviceAnnotations: {}
podAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
#externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out
ports:
## You can add custom gateway ports
- port: 80
targetPort: 80
name: http2
# nodePort: 31380
- port: 443
name: https
# nodePort: 31390
- port: 31400
name: tcp
# nodePort: 31400
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
- port: 15011
targetPort: 15011
name: tcp-pilot-grpc-tls
- port: 8060
targetPort: 8060
name: tcp-citadel-grpc-tls
# Addon ports for kiali are enabled in gateway - but will only redirect if
# the gateway configuration for the various components are enabled.
- port: 15029
targetPort: 15029
name: http2-kiali
# Telemetry-related ports are enabled in gateway - but will only redirect if
# the gateway configuration for the various components are enabled.
- port: 15030
targetPort: 15030
name: http2-prometheus
- port: 15031
targetPort: 15031
name: http2-grafana
- port: 15032
targetPort: 15032
name: http2-tracing
secretVolumes:
- name: customgateway-certs
secretName: istio-customgateway-certs
mountPath: /etc/istio/customgateway-certs
- name: customgateway-ca-certs
secretName: istio-customgateway-ca-certs
mountPath: /etc/istio/customgateway-ca-certs
# all other components are disabled except the gateways
security:
enabled: false
sidecarInjectorWebhook:
enabled: false
galley:
enabled: false
mixer:
policy:
enabled: false
telemetry:
enabled: false
pilot:
enabled: false
grafana:
enabled: false
prometheus:
enabled: false
tracing:
enabled: false
kiali:
enabled: false
certmanager:
enabled: false
charts/rancher-istio/0.0.1/example-values/values-istio-googleca.yaml deleted 100644 → 0
global:
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
sds:
enabled: true
udsPath: "unix:/var/run/sds/uds_path"
useTrustworthyJwt: true
trustDomain: ""
nodeagent:
enabled: true
image: node-agent-k8s
env:
CA_PROVIDER: "GoogleCA"
CA_ADDR: "istioca.googleapis.com:443"
Plugins: "GoogleTokenExchange"
charts/rancher-istio/0.0.1/example-values/values-istio-multicluster-gateways.yaml deleted 100644 → 0
global:
# Provides dns resolution for global services
podDNSSearchNamespaces:
- global
- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
multiCluster:
enabled: true
controlPlaneSecurityEnabled: true
# Multicluster with gateways requires a root CA
# Cluster local CAs are bootstrapped with the root CA.
security:
selfSigned: false
# Provides dns resolution for service entries of form
# name.namespace.global
istiocoredns:
enabled: true
gateways:
istio-egressgateway:
enabled: true
env:
# Needed to route traffic via egress gateway if desired.
ISTIO_META_REQUESTED_NETWORK_VIEW: "external"
charts/rancher-istio/0.0.1/files/injection-template.yaml
......@@ -4,11 +4,11 @@ initContainers:
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
{{- if not .Values.istio_cni.enabled }}
- name: istio-init
{{- if contains "/" .Values.global.proxy_init.image }}
image: "{{ .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- else }}
image: "{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- end }}
args:
- "-p"
- "15001"
......@@ -64,11 +64,11 @@ initContainers:
- sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
command:
- /bin/sh
{{- if contains "/" .Values.global.proxy_init.image }}
image: "{{ .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- else }}
image: "{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- end }}
imagePullPolicy: IfNotPresent
resources: {}
securityContext:
......@@ -79,11 +79,11 @@ initContainers:
{{- end }}
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
{{- else }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.repository}}:{{ .Values.global.proxy.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
......
charts/rancher-istio/0.0.1/templates/_affinity.tpl
......@@ -11,6 +11,10 @@
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/os
operator: In
values:
- linux
- key: beta.kubernetes.io/arch
operator: In
values:
......
charts/rancher-istio/0.0.1/templates/_helpers.tpl
......@@ -44,3 +44,12 @@ Configmap checksum.
{{- define "istio.configmap.checksum" -}}
{{- print $.Template.BasePath "/configmap.yaml" | sha256sum -}}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
charts/rancher-istio/0.0.1/templates/crd-certmanager.yaml 0 → 100644
{{- if and .Values.enableCRDs .Values.certmanager.enabled }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterissuers.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: ClusterIssuer
plural: clusterissuers
scope: Cluster
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: issuers.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: Issuer
plural: issuers
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: certificates.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- JSONPath: .spec.secretName
name: Secret
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
type: string
priority: 1
- JSONPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
priority: 1
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: certmanager.k8s.io
version: v1alpha1
scope: Namespaced
names:
kind: Certificate
plural: certificates
shortNames:
- cert
- certs
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: orders.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
additionalPrinterColumns:
- JSONPath: .status.state
name: State
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
type: string
priority: 1
- JSONPath: .status.reason
name: Reason
type: string
priority: 1
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: certmanager.k8s.io
version: v1alpha1
names:
kind: Order
plural: orders
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: challenges.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
additionalPrinterColumns:
- JSONPath: .status.state
name: State
type: string
- JSONPath: .spec.dnsName
name: Domain
type: string
- JSONPath: .status.reason
name: Reason
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: certmanager.k8s.io
version: v1alpha1
names:
kind: Challenge
plural: challenges
scope: Namespaced
{{- end }}
charts/rancher-istio/0.0.1/templates/crds.yaml 0 → 100644
{{- if .Values.enableCRDs }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: virtualservices.networking.istio.io
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: networking.istio.io
names:
kind: VirtualService
listKind: VirtualServiceList
plural: virtualservices
singular: virtualservice
shortNames:
- vs
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
additionalPrinterColumns:
- JSONPath: .spec.gateways
description: The names of gateways and sidecars that should apply these routes
name: Gateways
type: string
- JSONPath: .spec.hosts
description: The destination hosts to which traffic is being sent
name: Hosts
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: destinationrules.networking.istio.io
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: networking.istio.io
names:
kind: DestinationRule
listKind: DestinationRuleList
plural: destinationrules
singular: destinationrule
shortNames:
- dr
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
additionalPrinterColumns:
- JSONPath: .spec.host
description: The name of a service from the service registry
name: Host
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: serviceentries.networking.istio.io
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: networking.istio.io
names:
kind: ServiceEntry
listKind: ServiceEntryList
plural: serviceentries
singular: serviceentry
shortNames:
- se
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
additionalPrinterColumns:
- JSONPath: .spec.hosts
description: The hosts associated with the ServiceEntry
name: Hosts
type: string
- JSONPath: .spec.location
description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL)
name: Location
type: string
- JSONPath: .spec.resolution
description: Service discovery mode for the hosts (NONE, STATIC, or DNS)
name: Resolution
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: gateways.networking.istio.io
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: networking.istio.io
names:
kind: Gateway
plural: gateways
singular: gateway
shortNames:
- gw
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: sidecars.networking.istio.io
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
spec:
group: networking.istio.io
names:
kind: Sidecar
plural: sidecars
singular: sidecar
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: envoyfilters.networking.istio.io
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: networking.istio.io
names:
kind: EnvoyFilter
plural: envoyfilters
singular: envoyfilter
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: clusterrbacconfigs.rbac.istio.io
labels:
app: istio-pilot
istio: rbac
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: rbac.istio.io
names:
kind: ClusterRbacConfig
plural: clusterrbacconfigs
singular: clusterrbacconfig
categories:
- istio-io
- rbac-istio-io
scope: Cluster
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: policies.authentication.istio.io
labels:
app: istio-citadel
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: authentication.istio.io
names:
kind: Policy
plural: policies
singular: policy
categories:
- istio-io
- authentication-istio-io
scope: Namespaced
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: meshpolicies.authentication.istio.io
labels:
app: istio-citadel
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: authentication.istio.io
names:
kind: MeshPolicy
listKind: MeshPolicyList
plural: meshpolicies
singular: meshpolicy
categories:
- istio-io
- authentication-istio-io
scope: Cluster
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: httpapispecbindings.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: HTTPAPISpecBinding
plural: httpapispecbindings
singular: httpapispecbinding
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: httpapispecs.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: HTTPAPISpec
plural: httpapispecs
singular: httpapispec
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotaspecbindings.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: QuotaSpecBinding
plural: quotaspecbindings
singular: quotaspecbinding
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotaspecs.config.istio.io
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: QuotaSpec
plural: quotaspecs
singular: quotaspec
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rules.config.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: core
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: rule
plural: rules
singular: rule
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: attributemanifests.config.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: core
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: attributemanifest
plural: attributemanifests
singular: attributemanifest
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rbacconfigs.rbac.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: rbac
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: rbac.istio.io
names:
kind: RbacConfig
plural: rbacconfigs
singular: rbacconfig
categories:
- istio-io
- rbac-istio-io
scope: Namespaced
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: serviceroles.rbac.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: rbac
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: rbac.istio.io
names:
kind: ServiceRole
plural: serviceroles
singular: servicerole
categories:
- istio-io
- rbac-istio-io
scope: Namespaced
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicerolebindings.rbac.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: rbac
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: rbac.istio.io
names:
kind: ServiceRoleBinding
plural: servicerolebindings
singular: servicerolebinding
categories:
- istio-io
- rbac-istio-io
scope: Namespaced
version: v1alpha1
additionalPrinterColumns:
- JSONPath: .spec.roleRef.name
description: The name of the ServiceRole object being referenced
name: Reference
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: adapters.config.istio.io
labels:
app: mixer
package: adapter
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: adapter
plural: adapters
singular: adapter
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: instances.config.istio.io
labels:
app: mixer
package: instance
istio: mixer-instance
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: instance
plural: instances
singular: instance
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: templates.config.istio.io
labels:
app: mixer
package: template
istio: mixer-template
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: template
plural: templates
singular: template
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: handlers.config.istio.io
labels:
app: mixer
package: handler
istio: mixer-handler
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: config.istio.io
names:
kind: handler
plural: handlers
singular: handler
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: sidecars.networking.istio.io
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
group: networking.istio.io
names:
kind: Sidecar
plural: sidecars
singular: sidecar
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: authorizationpolicies.rbac.istio.io
labels:
app: istio-pilot
istio: rbac
heritage: Tiller
release: istio
spec:
group: rbac.istio.io
names:
kind: AuthorizationPolicy
plural: authorizationpolicies
singular: authorizationpolicy
categories:
- istio-io
- rbac-istio-io
scope: Namespaced
version: v1alpha1
---
{{- end }}
\ No newline at end of file
charts/rancher-istio/0.0.1/templates/istio-service-rbac.yaml 0 → 100644
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ .Release.Namespace }}
name: istio-service-reader
rules:
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["http:kiali-http:80", "http:tracing:80", "http:grafana:80", "http:prometheus-http:80"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-istio-service
namespace: {{ .Release.Namespace }}
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: istio-service-reader
apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
charts/rancher-istio/0.0.1/test-values/README.md deleted 100644 → 0
# Test Values
These files are intended to be used to install Istio for E2E tests.
The rendered files can be generated with `make generate_e2e_yaml`.
These files will all have `values-e2e.yaml` applied to them *first*, so if there are settings there that should not be included in the test the must be overridden.
charts/rancher-istio/0.0.1/test-values/values-e2e.yaml deleted 100644 → 0
# This file overrides values for e2e testing.
global:
proxy:
concurrency: 0
resources:
requests:
cpu: 10m
memory: 40Mi
accessLogFile: "/dev/stdout"
enableCoreDump: true
disablePolicyChecks: false
outboundTrafficPolicy:
mode: REGISTRY_ONLY
prometheus:
scrapeInterval: 5s
gateways:
istio-ingressgateway:
autoscaleMax: 1
resources:
requests:
cpu: 10m
memory: 40Mi
limits:
cpu: 100m
memory: 128Mi
istio-egressgateway:
enabled: true
autoscaleMax: 1
resources:
requests:
cpu: 10m
memory: 40Mi
limits:
cpu: 100m
memory: 128Mi
mixer:
policy:
enabled: true
replicaCount: 2
autoscaleEnabled: false
resources:
requests:
cpu: 10m
memory: 100Mi
limits:
cpu: 100m
memory: 100Mi
telemetry:
enabled: true
loadshedding:
mode: disabled
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 100m
memory: 100Mi
adapters:
stdio:
enabled: true
kiali:
enabled: true
charts/rancher-istio/0.0.1/test-values/values-istio-auth-mcp.yaml deleted 100644 → 0
# This is used to generate istio-auth.yaml with MCP enabled
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
useMCP: true
charts/rancher-istio/0.0.1/test-values/values-istio-auth-multicluster.yaml deleted 100644 → 0
# This is used to generate istio-auth-multicluster.yaml, used for CI/CD.
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
proxy:
accessLogFile: "/dev/stdout"
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# In a multiple cluster environment, citadel uses the same root certificate in all the clusters
security:
selfSigned: false
charts/rancher-istio/0.0.1/test-values/values-istio-auth-non-mcp.yaml deleted 100644 → 0
global:
mtls:
enabled: true
controlPlaneSecurityEnabled: true
useMCP: false
\ No newline at end of file
charts/rancher-istio/0.0.1/test-values/values-istio-auth-sds.yaml deleted 100644 → 0
global:
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
sds:
enabled: true
udsPath: "unix:/var/run/sds/uds_path"
useNormalJwt: true
proxy:
enableCoreDump: true
nodeagent:
enabled: true
image: node-agent-k8s
env:
CA_PROVIDER: "Citadel"
CA_ADDR: "istio-citadel:8060"
VALID_TOKEN: true
\ No newline at end of file
charts/rancher-istio/0.0.1/test-values/values-istio-auth.yaml deleted 100644 → 0
# This is used to generate istio-auth.yaml for automated CI/CD test, using v1/alpha1
# or v2/alpha3 with 'gradual migration' (using env variable at inject time).
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
charts/rancher-istio/0.0.1/test-values/values-istio-mcp.yaml deleted 100644 → 0
# This is used to generate istio.yaml with MCP enabled
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
useMCP: true
charts/rancher-istio/0.0.1/test-values/values-istio-multicluster-split-horizon.yaml deleted 100644 → 0
# This is used to generate istio-multicluster-split-horizon.yaml, used for CI/CD.
global:
controlPlaneSecurityEnabled: true
mtls:
enabled: true
proxy:
accessLogFile: "/dev/stdout"
outboundTrafficPolicy:
mode: ALLOW_ANY
meshExpansion:
enabled: true
meshNetworks:
network2:
endpoints:
- fromRegistry: N2_REGISTRY_TOKEN
gateways:
- address: 0.0.0.0
port: 443
security:
selfSigned: false
gateways:
istio-egressgateway:
enabled: false
charts/rancher-istio/0.0.1/test-values/values-istio-multicluster.yaml deleted 100644 → 0
# This is used to generate istio-multicluster.yaml, used for CI/CD.
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
proxy:
accessLogFile: "/dev/stdout"
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# In a multiple cluster environment, citadel uses the same root certificate in all the clusters
security:
selfSigned: false
charts/rancher-istio/0.0.1/test-values/values-istio-one-namespace-auth.yaml deleted 100644 → 0
# This is used to generate istio.yaml used for deprecated CI/CD testing.
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Restrict the applications in one namespace the controller manages
oneNamespace: true
charts/rancher-istio/0.0.1/test-values/values-istio-one-namespace-trust-domain.yaml deleted 100644 → 0
# This is used to generate istio.yaml used for deprecated CI/CD testing.
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
# Default is 10s second
refreshInterval: 1s
# The trust domain corresponds to the trust root of a system
trustDomain: test.local
# Restrict the applications in one namespace the controller manages
oneNamespace: true
charts/rancher-istio/0.0.1/test-values/values-istio-one-namespace.yaml deleted 100644 → 0
# This is used to generate istio.yaml used for deprecated CI/CD testing.
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Restrict the applications in one namespace the controller manages
oneNamespace: true
charts/rancher-istio/0.0.1/test-values/values-istio.yaml deleted 100644 → 0
# This is used to generate istio.yaml for automated CI/CD test, using v1/alpha1
# or v2/alpha3 with 'gradual migration' (using env variable at inject time).
# global:
## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
charts/rancher-istio/0.0.1/values-istio-demo-auth.yaml deleted 100644 → 0
# This is used to generate istio-auth.yaml for minimal, demo mode with MTLS enabled.
# It is shipped with the release, used for bookinfo or quick installation of istio.
# Includes components used in the demo, defaults to alpha3 rules.
# @include <values-istio-demo-common.yaml>
global:
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
charts/rancher-istio/0.0.1/values-istio-demo-common.yaml deleted 100644 → 0
# This is used to generate minimal demo mode. It is included from demo and demo-auth values.
# It is shipped with the release, used for bookinfo or quick installation of istio.
# Includes components used in the demo, defaults to alpha3 rules.
# Note: please only put common configuration for the demo profiles here.
global:
proxy:
accessLogFile: "/dev/stdout"
resources:
requests:
cpu: 10m
memory: 40Mi
disablePolicyChecks: false
sidecarInjectorWebhook:
enabled: true
# If true, webhook or istioctl injector will rewrite PodSpec for liveness
# health check to redirect request to sidecar. This makes liveness check work
# even when mTLS is enabled.
rewriteAppHTTPProbe: false
pilot:
traceSampling: 100.0
resources:
requests:
cpu: 10m
memory: 100Mi
mixer:
policy:
enabled: true
resources:
requests:
cpu: 10m
memory: 100Mi
telemetry:
enabled: true
resources:
requests:
cpu: 50m
memory: 100Mi
adapters:
stdio:
enabled: true
grafana:
enabled: true
tracing:
enabled: true
kiali:
enabled: true
createDemoSecret: true
gateways:
istio-ingressgateway:
resources:
requests:
cpu: 10m
memory: 40Mi
istio-egressgateway:
enabled: true
resources:
requests:
cpu: 10m
memory: 40Mi
charts/rancher-istio/0.0.1/values-istio-demo.yaml deleted 100644 → 0
# This is used to generate istio.yaml for minimal, demo mode.
# It is shipped with the release, used for bookinfo or quick installation of istio.
# Includes components used in the demo, defaults to alpha3 rules.
# @include <values-istio-demo-common.yaml>
#
global:
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
charts/rancher-istio/0.0.1/values-istio-minimal.yaml deleted 100644 → 0
#
# Minimal Istio Configuration: https://istio.io/docs/setup/kubernetes/minimal-install/
#
pilot:
enabled: true
sidecar: false
gateways:
enabled: false
security:
enabled: false
sidecarInjectorWebhook:
enabled: false
galley:
enabled: false
mixer:
policy:
enabled: false
telemetry:
enabled: false
prometheus:
enabled: false
# Common settings.
global:
proxy:
# Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
# would be <host>:<port>).
# Disabled by default.
# The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
envoyStatsd:
# If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
enabled: false
host: # example: statsd-svc.istio-system
port: # example: 9125
useMCP: false
charts/rancher-istio/0.0.1/values-istio-remote.yaml deleted 100644 → 0
gateways:
enabled: false
galley:
enabled: false
mixer:
policy:
enabled: false
telemetry:
enabled: false
pilot:
enabled: false
security:
enabled: true
createMeshPolicy: false
prometheus:
enabled: false
global:
istioRemote: true
enableTracing: false
# Sets an identifier for the remote network to be used for Split Horizon EDS. The network will be sent
# to the Pilot when connected by the sidecar and will affect the results returned in EDS requests.
# Based on the network identifier Pilot will return all local endpoints + endpoints of gateways to
# other networks.
#
# Must match the names in the meshNetworks section in the Istio local.
network: ""
charts/rancher-istio/0.0.1/values-istio-sds-auth.yaml deleted 100644 → 0
global:
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
sds:
enabled: true
udsPath: "unix:/var/run/sds/uds_path"
useNormalJwt: true
nodeagent:
enabled: true
image: node-agent-k8s
env:
CA_PROVIDER: "Citadel"
CA_ADDR: "istio-citadel:8060"
VALID_TOKEN: true
\ No newline at end of file
charts/rancher-istio/0.0.1/values.yaml
......@@ -8,6 +8,9 @@
# Check the chart level values file for exhaustive list of configuration options.
#
enableCRDs: true
#
# Gateways Configuration, refer to the charts/gateways/values.yaml
# for detailed configuration
#
......@@ -19,6 +22,8 @@ gateways:
# charts/sidecarInjectorWebhook/values.yaml for detailed configuration
#
sidecarInjectorWebhook:
repository: rancher/istio-sidecar_injector
tag: "1.2.0"
enabled: true
#
......@@ -26,6 +31,8 @@ sidecarInjectorWebhook:
# for detailed configuration
#
galley:
repository: rancher/istio-galley
tag: 1.2.0
enabled: true
#
......@@ -33,6 +40,9 @@ galley:
#
# @see charts/mixer/values.yaml, it takes precedence
mixer:
repository: rancher/istio-mixer
tag: "1.2.0"
enabled: true
policy:
# if policy is enabled the global.disablePolicyChecks has affect.
enabled: true
......@@ -44,12 +54,16 @@ mixer:
#
# @see charts/pilot/values.yaml
pilot:
repository: rancher/istio-pilot
tag: "1.2.0"
enabled: true
#
# security configuration
#
security:
repository: rancher/istio-citadel
tag: "1.2.0"
enabled: true
#
......@@ -62,25 +76,37 @@ nodeagent:
# addon grafana configuration
#
grafana:
repository: rancher/grafana-grafana
tag: 6.1.6
enabled: false
#
# addon prometheus configuration
#
prometheus:
repository: rancher/prom-prometheus
tag: v2.8.0
enabled: true
#
# addon jaeger tracing configuration
#
tracing:
enabled: false
jaeger:
repository: rancher/jaegertracing-all-in-one
tag: 1.9
zipkin:
repository: rancher/openzipkin-zipkin
tag: 2
enabled: true
#
# addon kiali tracing configuration
#
kiali:
enabled: false
repository: rancher/kiali-kiali
tag: v0.20
enabled: true
#
# addon certmanager configuration
......@@ -100,17 +126,32 @@ istio_cni:
# addon Istio CoreDNS configuration
#
istiocoredns:
image:
repository: rancher/coredns-coredns
tag: 1.1.2
pluginImage:
repository: rancher/istio-coredns-plugin
tag: 0.2-istio-1.1
enabled: false
# Common settings used among istio subcharts.
global:
# Specify rancher domain and clusterId of external tracing config
# https://github.com/istio/istio.io/issues/4146#issuecomment-493543032
rancher:
domain:
clusterId:
systemDefaultRegistry: ""
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
hub: gcr.io/istio-release
# hub: gcr.io/istio-release
hub: docker.io/istio
# Default tag for Istio images.
tag: release-1.2-latest-daily
# tag: release-1.1-latest-daily
tag: 1.2.0
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
......@@ -118,9 +159,17 @@ global:
logging:
level: "default:info"
kubectl:
repository: rancher/istio-kubectl
tag: 1.2.0
# monitoring port used by mixer, pilot, galley
monitoringPort: 15014
nginxProxy:
repository: rancher/nginx
tag: 1.15.8-alpine
k8sIngress:
enabled: false
# Gateway used for k8s Ingress resources. By default it is
......@@ -135,7 +184,8 @@ global:
enableHttps: false
proxy:
image: proxyv2
repository: rancher/istio-proxyv2
tag: 1.2.0
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
......@@ -235,7 +285,7 @@ global:
# available to scrape via the Envoy admin port at either /stats or /stats/prometheus.
#
# See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto
# for details about Envoy's Metrics Service API.
# for details about Envoy's Metrics Service API.
#
# Disabled by default.
envoyMetricsService:
......@@ -248,7 +298,8 @@ global:
proxy_init:
# Base name for the proxy_init container, used to configure iptables.
image: proxy_init
repository: rancher/istio-proxy_init
tag: "1.2.0"
# imagePullPolicy is applied to istio control plane components.
# local tests require IfNotPresent, to avoid uploading to dockerhub.
......@@ -402,7 +453,7 @@ global:
# services or ServiceEntries for the destination port
# REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
# as those defined through ServiceEntries
# ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests
# ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests
# to services outside of the mesh without any ServiceEntry.
# REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY.
outboundTrafficPolicy:
......@@ -417,10 +468,13 @@ global:
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
#defaultConfigVisibilitySettings:
#- '*'
nodeAgent:
repository: rancher/istio-node-agent-k8s
tag: "1.2.0"
sds:
# SDS enabled. IF set to true, mTLS certificates for the sidecars will be
# distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment