Commit b0831cb2 by Daishan

Generate rancher customization

parent b789e338
......@@ -10,7 +10,7 @@ keywords:
- mixer
- pilot
- galley
name: istio
name: rancher-istio
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2-0'
......
......@@ -83,7 +83,7 @@ spec:
serviceAccountName: istio-security-post-install-account
containers:
- name: kubectl
image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
image: "{{ .Values.global.hub }}/istio-kubectl:{{ .Values.global.tag }}"
imagePullPolicy: IfNotPresent
command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
volumeMounts:
......
labels:
rancher.istio.v1.4.2: 1.4.2
rancher_min_version: 2.3.0-rc1
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: sidecars.networking.istio.io
spec:
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: Sidecar
plural: sidecars
singular: sidecar
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting network reachability of a sidecar.
See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/sidecar.html'
properties:
egress:
items:
properties:
bind:
format: string
type: string
captureMode:
enum:
- DEFAULT
- IPTABLES
- NONE
type: string
hosts:
items:
format: string
type: string
type: array
port:
description: The port associated with the listener.
properties:
name:
description: Label assigned to the port.
format: string
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
format: string
type: string
type: object
type: object
type: array
ingress:
items:
properties:
bind:
description: The ip to which the listener should be bound.
format: string
type: string
captureMode:
enum:
- DEFAULT
- IPTABLES
- NONE
type: string
defaultEndpoint:
format: string
type: string
port:
description: The port associated with the listener.
properties:
name:
description: Label assigned to the port.
format: string
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
format: string
type: string
type: object
type: object
type: array
outboundTrafficPolicy:
description: This allows to configure the outbound traffic policy.
properties:
mode:
enum:
- REGISTRY_ONLY
- ALLOW_ANY
type: string
type: object
workloadSelector:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
type: object
versions:
- name: v1alpha3
served: true
storage: true
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: istio-pilot
heritage: Tiller
istio: security
release: istio
name: authorizationpolicies.security.istio.io
annotations:
helm.sh/hook: crd-install
spec:
group: security.istio.io
names:
categories:
- istio-io
- security-istio-io
kind: AuthorizationPolicy
plural: authorizationpolicies
singular: authorizationpolicy
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration for access control on workloads. See more details
at: https://istio.io/docs/reference/config/security/v1beta1/authorization-policy.html'
properties:
rules:
description: Optional.
items:
properties:
from:
description: Optional.
items:
properties:
source:
description: Source specifies the source of a request.
properties:
ipBlocks:
description: Optional.
items:
format: string
type: string
type: array
namespaces:
description: Optional.
items:
format: string
type: string
type: array
principals:
description: Optional.
items:
format: string
type: string
type: array
requestPrincipals:
description: Optional.
items:
format: string
type: string
type: array
type: object
type: object
type: array
to:
description: Optional.
items:
properties:
operation:
description: Operation specifies the operation of a request.
properties:
hosts:
description: Optional.
items:
format: string
type: string
type: array
methods:
description: Optional.
items:
format: string
type: string
type: array
paths:
description: Optional.
items:
format: string
type: string
type: array
ports:
description: Optional.
items:
format: string
type: string
type: array
type: object
type: object
type: array
when:
description: Optional.
items:
properties:
key:
description: The name of an Istio attribute.
format: string
type: string
values:
description: The allowed values for the attribute.
items:
format: string
type: string
type: array
type: object
type: array
type: object
type: array
selector:
description: Optional.
properties:
matchLabels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
type: object
versions:
- name: v1beta1
served: true
storage: true
{{- if .Values.certmanager.enabled }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterissuers.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
group: certmanager.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: ClusterIssuer
plural: clusterissuers
scope: Cluster
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: issuers.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
group: certmanager.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: Issuer
plural: issuers
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: certificates.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- JSONPath: .spec.secretName
name: Secret
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
type: string
priority: 1
- JSONPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
priority: 1
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: certmanager.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
scope: Namespaced
names:
kind: Certificate
plural: certificates
shortNames:
- cert
- certs
{{- end }}
{{- if .Values.certmanager.enabled }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: orders.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
additionalPrinterColumns:
- JSONPath: .status.state
name: State
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
type: string
priority: 1
- JSONPath: .status.reason
name: Reason
type: string
priority: 1
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: certmanager.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: Order
plural: orders
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: challenges.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
additionalPrinterColumns:
- JSONPath: .status.state
name: State
type: string
- JSONPath: .spec.dnsName
name: Domain
type: string
- JSONPath: .status.reason
name: Reason
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: certmanager.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: Challenge
plural: challenges
scope: Namespaced
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ .Release.Namespace }}
name: istio-service-reader
rules:
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["http:kiali:20001", "http:tracing:80", "http:grafana:80", "http:prometheus-http:80"]
verbs: ["get", "watch", "list"]
---
{{- if .Values.global.members }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-istio-service
namespace: {{ .Release.Namespace }}
subjects:
{{- range $member := .Values.global.members }}
- kind: {{ $member.kind }}
name: {{ $member.name }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
roleRef:
kind: Role
name: istio-service-reader
apiGroup: rbac.authorization.k8s.io
{{- end }}
\ No newline at end of file
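Review bot: The RoleBinding hard-codes `apiGroup: rbac.authorization.k8s.io` for every entry of `.Values.global.members`, which is only valid for `User` and `Group` subjects; a `ServiceAccount` member would need an empty apiGroup and a `namespace`, so the template should either branch on `$member.kind` (below) or document that only User/Group are accepted, and `name` should be quoted so a numeric-looking member name is not retyped. Separately, `get` on `services/proxy` for `http:kiali:20001` lets every member reach Kiali through the API-server proxy, and values.yaml on this page sets `kiali.auth.strategy: anonymous`, so this binding is the only access control in front of Kiali; that deserves a comment on the Role, e.g. `# NOTE: with kiali.auth.strategy=anonymous this Role is the sole gate on Kiali; keep members minimal`. The `list` and `watch` verbs have no meaning for a proxy subresource and can be dropped to keep the grant as narrow as it reads.
```yaml
subjects:
{{- range $member := .Values.global.members }}
- kind: {{ $member.kind }}
  name: "{{ $member.name }}"
  {{- if eq $member.kind "ServiceAccount" }}
  namespace: {{ $member.namespace | default $.Release.Namespace }}
  {{- else }}
  apiGroup: rbac.authorization.k8s.io
  {{- end }}
{{- end }}
# … unchanged: roleRef …
```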
......@@ -13,12 +13,16 @@
#
gateways:
enabled: true
istio-ingressgateway:
labels:
release: cluster-istio
#
# sidecar-injector webhook configuration, refer to the
# charts/sidecarInjectorWebhook/values.yaml for detailed configuration
#
sidecarInjectorWebhook:
image: istio-sidecar_injector
enabled: true
#
......@@ -26,6 +30,7 @@ sidecarInjectorWebhook:
# for detailed configuration
#
galley:
image: istio-galley
enabled: true
#
......@@ -33,6 +38,7 @@ galley:
#
# @see charts/mixer/values.yaml for all values
mixer:
image: istio-mixer
policy:
# if policy is enabled the global.disablePolicyChecks has affect.
enabled: true
......@@ -44,43 +50,63 @@ mixer:
#
# @see charts/pilot/values.yaml
pilot:
image: istio-pilot
enabled: true
#
# security configuration
#
security:
image: istio-citadel
enabled: true
#
# nodeagent configuration
#
nodeagent:
image: istio-node-agent-k8s
enabled: false
#
# addon grafana configuration
#
grafana:
image: grafana-grafana
enabled: false
#
# addon prometheus configuration
#
prometheus:
enabled: true
image: prom-prometheus
enabled: false
#
# addon jaeger tracing configuration
#
tracing:
jaeger:
hub: docker.io/rancher
image: jaegertracing-all-in-one
zipkin:
hub: docker.io/rancher
image: openzipkin-zipkin
enabled: false
#
# addon kiali tracing configuration
#
kiali:
hub: docker.io/rancher
image: kiali-kiali
contextPath: /
dashboard:
jaegerURL: http://tracing.istio-system:80
grafanaURL: http://access-grafana.cattle-prometheus:80
auth:
strategy: anonymous
enabled: false
prometheusAddr: http://access-prometheus.cattle-prometheus:80
#
# addon certmanager configuration
......@@ -100,6 +126,8 @@ istio_cni:
# addon Istio CoreDNS configuration
#
istiocoredns:
coreDNSImage: coredns-coredns
coreDNSPluginImage: istio-coredns-plugin
enabled: false
# Common settings used among istio subcharts.
......@@ -107,7 +135,7 @@ global:
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: docker.io/istio
hub: docker.io/rancher
# Default tag for Istio images.
tag: 1.4.2
......@@ -145,7 +173,7 @@ global:
cpu: 10m
memory: 10Mi
# use fully qualified image names for alternate path to proxy.
image: proxyv2
image: istio-proxyv2
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
......@@ -303,7 +331,7 @@ global:
proxy_init:
# Base name for the istio-init container, used to configure iptables.
image: proxyv2
image: istio-proxyv2
# imagePullPolicy is applied to istio control plane components.
# local tests require IfNotPresent, to avoid uploading to dockerhub.
......@@ -451,7 +479,7 @@ global:
# enable pod distruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
enabled: false
# The values aren't mutable due to a current PodDisruptionBudget limitation
# minAvailable: 1
......
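Review bot: `kiali.auth.strategy: anonymous` under the `kiali:` stanza disables Kiali's own login, so anyone who can reach the service (including through the `services/proxy` Role this commit adds) gets the full UI without authenticating; whether the line is new in this commit is not recoverable from the rendered page, but it ships as the chart default either way. I would add above `auth:` a comment such as `# anonymous: Kiali performs no authentication of its own; access is gated solely by network reachability and the services/proxy RBAC. Use a non-anonymous strategy on shared clusters.`, or default to a non-anonymous strategy and let Rancher opt in. The switch of `global.hub` to `docker.io/rancher` with the floating `tag: 1.4.2` means every control-plane image is now a mirror resolved by mutable tag; a short comment recording that the mirrored images are rebuilt from upstream 1.4.2 (or pinning by digest where the subcharts allow it) would make the supply-chain change auditable. The enclosing `global:` mapping continues outside the visible hunks.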