Merge pull request #145 from cbron/istio-1.4.3

charts/rancher-istio/1.4.2/Chart.yaml → charts/rancher-istio/1.4.3/Chart.yaml

 apiVersion: v1
-appVersion: 1.4.2
+appVersion: 1.4.3
 description: Helm chart for all istio components
 engine: gotpl
 icon: https://istio.io/favicons/android-192x192.png
@@ -14,4 +14,4 @@ name: rancher-istio
 sources:
 - http://github.com/istio/istio
 tillerVersion: '>=2.7.2-0'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/certmanager/Chart.yaml → charts/rancher-istio/1.4.3/charts/certmanager/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: 0.6.2
 description: A Helm chart for Kubernetes
 name: certmanager
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/galley/Chart.yaml → charts/rancher-istio/1.4.3/charts/galley/Chart.yaml

 apiVersion: v1
-appVersion: 1.4.2
+appVersion: 1.4.3
 description: Helm chart for galley deployment
 engine: gotpl
 icon: https://istio.io/favicons/android-192x192.png
@@ -10,4 +10,4 @@ name: galley
 sources:
 - http://github.com/istio/istio
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/gateways/Chart.yaml → charts/rancher-istio/1.4.3/charts/gateways/Chart.yaml

 apiVersion: v1
-appVersion: 1.4.2
+appVersion: 1.4.3
 description: Helm chart for deploying Istio gateways
 engine: gotpl
 icon: https://istio.io/favicons/android-192x192.png
@@ -12,4 +12,4 @@ name: gateways
 sources:
 - http://github.com/istio/istio
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/gateways/templates/deployment.yaml → charts/rancher-istio/1.4.3/charts/gateways/templates/deployment.yaml

@@ -257,7 +257,7 @@ spec:
           - name: ISTIO_META_WORKLOAD_NAME
             value: {{ $key }}
           - name: ISTIO_META_OWNER
-            value: kubernetes://api/apps/v1/namespaces/{{ $spec.namespace | default $.Release.Namespace }}/deployments/{{ $key }}
+            value: kubernetes://apis/apps/v1/namespaces/{{ $spec.namespace | default $.Release.Namespace }}/deployments/{{ $key }}
           {{- if $.Values.global.meshID }}
           - name: ISTIO_META_MESH_ID
             value: "{{ $.Values.global.meshID }}"

charts/rancher-istio/1.4.2/charts/grafana/Chart.yaml → charts/rancher-istio/1.4.3/charts/grafana/Chart.yaml

 apiVersion: v1
-appVersion: 1.4.2
+appVersion: 1.4.3
 description: A Helm chart for Kubernetes
 name: grafana
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/grafana/templates/create-custom-resources-job.yaml → charts/rancher-istio/1.4.3/charts/grafana/templates/create-custom-resources-job.yaml

@@ -75,6 +75,8 @@ spec:
         chart: {{ template "grafana.chart" . }}
         heritage: {{ .Release.Service }}
         release: {{ .Release.Name }}
+      annotations:
+        sidecar.istio.io/inject: "false"
     spec:
       serviceAccountName: istio-grafana-post-install-account
       containers:

charts/rancher-istio/1.4.2/charts/istiocoredns/Chart.yaml → charts/rancher-istio/1.4.3/charts/istiocoredns/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: "0.1"
 description: Istio CoreDNS provides DNS resolution for services in multicluster setups.
 name: istiocoredns
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/kiali/templates/deployment.yaml → charts/rancher-istio/1.4.3/charts/kiali/templates/deployment.yaml

@@ -71,6 +71,9 @@ spec:
           mountPath: "/kiali-cert"
         - name: kiali-secret
           mountPath: "/kiali-secret"
+        - name: kiali-console
+          subPath: env.js
+          mountPath: /opt/kiali/console/env.js
         resources:
 {{- if .Values.resources }}
 {{ toYaml .Values.resources | indent 10 }}
@@ -78,6 +81,12 @@ spec:
 {{ toYaml .Values.global.defaultResources | indent 10 }}
 {{- end }}
       volumes:
+      - name: kiali-console
+        configMap:
+          name: kiali-console
+          items:
+          - key: env.js
+            path: env.js
       - name: kiali-configuration
         configMap:
           name: kiali

charts/rancher-istio/1.4.3/charts/kiali/templates/kiali-console-configmap.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kiali-console
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "kiali.name" . }}
+    chart: {{ template "kiali.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+data:
+  env.js: |
+    window.WEB_ROOT='/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/istio-system/services/http:kiali:20001/proxy';
\ No newline at end of file

charts/rancher-istio/1.4.2/charts/mixer/Chart.yaml → charts/rancher-istio/1.4.3/charts/mixer/Chart.yaml

 apiVersion: v1
-appVersion: 1.4.2
+appVersion: 1.4.3
 description: Helm chart for mixer deployment
 engine: gotpl
 icon: https://istio.io/favicons/android-192x192.png
@@ -10,4 +10,4 @@ name: mixer
 sources:
 - http://github.com/istio/istio
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/nodeagent/Chart.yaml → charts/rancher-istio/1.4.3/charts/nodeagent/Chart.yaml

 apiVersion: v1
-appVersion: 1.4.2
+appVersion: 1.4.3
 description: Helm chart for nodeagent deployment
 engine: gotpl
 icon: https://istio.io/favicons/android-192x192.png
@@ -10,4 +10,4 @@ name: nodeagent
 sources:
 - http://github.com/istio/istio
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/pilot/Chart.yaml → charts/rancher-istio/1.4.3/charts/pilot/Chart.yaml

 apiVersion: v1
-appVersion: 1.4.2
+appVersion: 1.4.3
 description: Helm chart for pilot deployment
 engine: gotpl
 icon: https://istio.io/favicons/android-192x192.png
@@ -10,4 +10,4 @@ name: pilot
 sources:
 - http://github.com/istio/istio
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/pilot/templates/clusterrole.yaml → charts/rancher-istio/1.4.3/charts/pilot/templates/clusterrole.yaml

@@ -33,7 +33,7 @@ rules:
   resources: ["configmaps"]
   verbs: ["create", "get", "list", "watch", "update"]
 - apiGroups: [""]
-  resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"]
+  resources: ["endpoints", "pods", "services", "namespaces", "nodes"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["secrets"]

charts/rancher-istio/1.4.2/charts/prometheus/Chart.yaml → charts/rancher-istio/1.4.3/charts/prometheus/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: 2.8.0
 description: A Helm chart for Kubernetes
 name: prometheus
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/security/Chart.yaml → charts/rancher-istio/1.4.3/charts/security/Chart.yaml

 apiVersion: v1
-appVersion: 1.4.2
+appVersion: 1.4.3
 description: Helm chart for istio authentication
 engine: gotpl
 icon: https://istio.io/favicons/android-192x192.png
@@ -10,4 +10,4 @@ name: security
 sources:
 - http://github.com/istio/istio
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/security/templates/create-custom-resources-job.yaml → charts/rancher-istio/1.4.3/charts/security/templates/create-custom-resources-job.yaml

@@ -79,6 +79,8 @@ spec:
         chart: {{ template "security.chart" . }}
         heritage: {{ .Release.Service }}
         release: {{ .Release.Name }}
+      annotations:
+        sidecar.istio.io/inject: "false"
     spec:
       serviceAccountName: istio-security-post-install-account
       containers:

charts/rancher-istio/1.4.2/charts/sidecarInjectorWebhook/Chart.yaml → charts/rancher-istio/1.4.3/charts/sidecarInjectorWebhook/Chart.yaml

 apiVersion: v1
-appVersion: 1.4.2
+appVersion: 1.4.3
 description: Helm chart for sidecar injector webhook deployment
 engine: gotpl
 icon: https://istio.io/favicons/android-192x192.png
@@ -10,4 +10,4 @@ name: sidecarInjectorWebhook
 sources:
 - http://github.com/istio/istio
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/charts/tracing/Chart.yaml → charts/rancher-istio/1.4.3/charts/tracing/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: 1.5.1
 description: A Helm chart for Kubernetes
 name: tracing
 tillerVersion: '>=2.7.2'
-version: 1.4.2
+version: 1.4.3

charts/rancher-istio/1.4.2/files/injection-template.yaml → charts/rancher-istio/1.4.3/files/injection-template.yaml

@@ -43,14 +43,18 @@ initContainers:
   resources: {}
 {{- end }}
   securityContext:
-    runAsUser: 0
-    runAsNonRoot: false
+    allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
     capabilities:
       add:
       - NET_ADMIN
-    {{- if .Values.global.proxy.privileged }}
-    privileged: true
-    {{- end }}
+      - NET_RAW
+      drop:
+      - ALL
+    privileged: {{ .Values.global.proxy.privileged }}
+    readOnlyRootFilesystem: false
+    runAsGroup: 0
+    runAsNonRoot: false
+    runAsUser: 0
   restartPolicy: Always
 {{- end }}
 {{  end -}}
@@ -65,9 +69,17 @@ initContainers:
   imagePullPolicy: IfNotPresent
   resources: {}
   securityContext:
-    runAsUser: 0
-    runAsNonRoot: false
+    allowPrivilegeEscalation: true
+    capabilities:
+      add:
+      - SYS_ADMIN
+      drop:
+      - ALL
     privileged: true
+    readOnlyRootFilesystem: false
+    runAsGroup: 0
+    runAsNonRoot: false
+    runAsUser: 0
 {{ end }}
 {{- end }}
 containers:
@@ -156,6 +168,10 @@ containers:
 {{- if .Values.global.trustDomain }}
   - --trust-domain={{ .Values.global.trustDomain }}
 {{- end }}
+{{- if .Values.global.proxy.lifecycle }}
+  lifecycle:
+    {{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
+{{- end }}
   env:
   - name: POD_NAME
     valueFrom:
@@ -164,9 +180,13 @@ containers:
   - name: ISTIO_META_POD_PORTS
     value: |-
       [
+      {{- $first := true }}
       {{- range $index1, $c := .Spec.Containers }}
         {{- range $index2, $p := $c.Ports }}
-          {{if or (ne $index1 0) (ne $index2 0)}},{{end}}{{ structToJSON $p }}
+          {{- if (structToJSON $p) }}
+          {{if not $first}},{{end}}{{ structToJSON $p }}
+          {{- $first = false }}
+          {{- end }}
         {{- end}}
       {{- end}}
       ]
@@ -280,21 +300,22 @@ containers:
     failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
   {{ end -}}
   securityContext:
-    {{- if .Values.global.proxy.privileged }}
-    privileged: true
-    {{- end }}
-    {{- if ne .Values.global.proxy.enableCoreDump true }}
-    readOnlyRootFilesystem: true
-    {{- end }}
-    {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+    allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
     capabilities:
+      {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
       add:
       - NET_ADMIN
-    runAsGroup: 1337
-    {{ else -}}
-    {{ if .Values.global.sds.enabled }}
-    runAsGroup: 1337
       {{- end }}
+      drop:
+      - ALL
+    privileged: {{ .Values.global.proxy.privileged }}
+    readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
+    runAsGroup: 1337
+    {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+    runAsNonRoot: false
+    runAsUser: 0
+    {{- else -}}
+    runAsNonRoot: true
     runAsUser: 1337
     {{- end }}
   resources:

charts/rancher-istio/1.4.2/questions.yaml → charts/rancher-istio/1.4.3/questions.yaml

 labels:
-  rancher.istio.v1.4.2: 1.4.2
+  rancher.istio.v1.4.3: 1.4.3
 rancher_min_version: 2.3.0-rc1

charts/rancher-istio/1.4.2/requirements.yaml → charts/rancher-istio/1.4.3/requirements.yaml

 dependencies:
   - name: sidecarInjectorWebhook
-    version: 1.4.2
+    version: 1.4.3
     condition: sidecarInjectorWebhook.enabled
   - name: security
-    version: 1.4.2
+    version: 1.4.3
     condition: security.enabled
   - name: gateways
-    version: 1.4.2
+    version: 1.4.3
     condition: gateways.enabled
   - name: mixer
-    version: 1.4.2
+    version: 1.4.3
     condition: or mixer.policy.enabled mixer.telemetry.enabled
   - name: nodeagent
-    version: 1.4.2
+    version: 1.4.3
     condition: nodeagent.enabled
   - name: pilot
-    version: 1.4.2
+    version: 1.4.3
     condition: pilot.enabled
   - name: grafana
-    version: 1.4.2
+    version: 1.4.3
     condition: grafana.enabled
   - name: prometheus
-    version: 1.4.2
+    version: 1.4.3
     condition: prometheus.enabled
   - name: tracing
-    version: 1.4.2
+    version: 1.4.3
     condition: tracing.enabled
   - name: galley
-    version: 1.4.2
+    version: 1.4.3
     condition: galley.enabled
   - name: kiali
-    version: 1.4.2
+    version: 1.4.3
     condition: kiali.enabled
   - name: istiocoredns
-    version: 1.4.2
+    version: 1.4.3
     condition: istiocoredns.enabled
   - name: certmanager
-    version: 1.4.2
+    version: 1.4.3
     condition: certmanager.enabled

charts/rancher-istio/1.4.2/values.yaml → charts/rancher-istio/1.4.3/values.yaml

@@ -138,7 +138,7 @@ global:
   hub: docker.io/rancher
 
   # Default tag for Istio images.
-  tag: 1.4.2
+  tag: 1.4.3
 
   # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
   # The control plane has different scopes depending on component, but can configure default log level across all components

scripts/istio/deployment.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kiali
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "kiali.name" . }}
+    chart: {{ template "kiali.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: kiali
+  template:
+    metadata:
+      name: kiali
+      labels:
+        app: kiali
+        chart: {{ template "kiali.chart" . }}
+        heritage: {{ .Release.Service }}
+        release: {{ .Release.Name }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        scheduler.alpha.kubernetes.io/critical-pod: ""
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9090"
+        kiali.io/runtimes: go,kiali
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+      serviceAccountName: kiali-service-account
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+      containers:
+      - image: "{{ .Values.hub }}/{{ .Values.image }}:{{ .Values.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        name: kiali
+        command:
+        - "/opt/kiali/kiali"
+        - "-config"
+        - "/kiali-configuration/config.yaml"
+        - "-v"
+        - "3"
+        readinessProbe:
+          httpGet:
+            path: {{ .Values.contextPath }}/healthz
+            port: 20001
+            scheme:  {{ if .Values.security.enabled }} 'HTTPS' {{ else }} 'HTTP' {{ end }}
+          initialDelaySeconds: 5
+          periodSeconds: 30
+        livenessProbe:
+          httpGet:
+            path: {{ .Values.contextPath }}/healthz
+            port: 20001
+            scheme:  {{ if .Values.security.enabled }} 'HTTPS' {{ else }} 'HTTP' {{ end }}
+          initialDelaySeconds: 5
+          periodSeconds: 30
+        env:
+        - name: ACTIVE_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        volumeMounts:
+        - name: kiali-configuration
+          mountPath: "/kiali-configuration"
+        - name: kiali-cert
+          mountPath: "/kiali-cert"
+        - name: kiali-secret
+          mountPath: "/kiali-secret"
+        - name: kiali-console
+          subPath: env.js
+          mountPath: /opt/kiali/console/env.js
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+      volumes:
+      - name: kiali-console
+        configMap:
+          name: kiali-console
+          items:
+          - key: env.js
+            path: env.js
+      - name: kiali-configuration
+        configMap:
+          name: kiali
+      - name: kiali-cert
+        secret:
+          secretName: istio.kiali-service-account
+{{- if not .Values.security.enabled }}
+          optional: true
+{{- end }}
+      - name: kiali-secret
+        secret:
+          secretName: {{ .Values.dashboard.secretName }}
+          optional: true
+      affinity:
+      {{- include "nodeaffinity" . | indent 6 }}
+      {{- include "podAntiAffinity" . | indent 6 }}
+      {{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+      {{- else if .Values.global.defaultTolerations }}
+      tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+      {{- end }}

scripts/istio/kiali-console-configmap.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kiali-console
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "kiali.name" . }}
+    chart: {{ template "kiali.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+data:
+  env.js: |
+    window.WEB_ROOT='/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/istio-system/services/http:kiali:20001/proxy';
\ No newline at end of file

scripts/update-istio-release

@@ -55,9 +55,16 @@ EOF
 # Replace the name of the chart
 sed -i 's/name: istio/name: rancher-istio/g' charts/rancher-istio/${1}/Chart.yaml
 
+# Update kiali
+cp ./scripts/istio/deployment.yaml charts/rancher-istio/${1}/charts/kiali/templates/
+cp ./scripts/istio/kiali-console-configmap.yaml charts/rancher-istio/${1}/charts/kiali/templates/
+
 # Replace istio kubectl images
 sed -i 's/"{{ .Values.global.hub }}\/kubectl:{{ .Values.global.tag }}"/"{{ .Values.global.hub }}\/istio-kubectl:{{ .Values.global.tag }}"/g' charts/rancher-istio/${1}/charts/security/templates/*.yaml
 
 # Istio-values.yaml is rancher specific customization yaml
 cat ./scripts/istio/istio-values.yaml > charts/rancher-istio/${1}/values.yaml
 cat ./scripts/istio/istio-service-rbac.yaml > charts/rancher-istio/${1}/templates/istio-service-rbac.yaml
+
+# Replace tag
+sed -i 's/tag: 1.4.2/tag: '"${1}"'/g' charts/rancher-istio/${1}/values.yaml
\ No newline at end of file