Unverified Commit d67dd3f9 by Denise Committed by GitHub

Merge pull request #145 from cbron/istio-1.4.3

Istio 1.4.3
parents c8153ba4 289fc752
apiVersion: v1
appVersion: 1.4.2
appVersion: 1.4.3
description: Helm chart for all istio components
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
......@@ -14,4 +14,4 @@ name: rancher-istio
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2-0'
version: 1.4.2
version: 1.4.3
......@@ -3,4 +3,4 @@ appVersion: 0.6.2
description: A Helm chart for Kubernetes
name: certmanager
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
apiVersion: v1
appVersion: 1.4.2
appVersion: 1.4.3
description: Helm chart for galley deployment
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
......@@ -10,4 +10,4 @@ name: galley
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
apiVersion: v1
appVersion: 1.4.2
appVersion: 1.4.3
description: Helm chart for deploying Istio gateways
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
......@@ -12,4 +12,4 @@ name: gateways
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
......@@ -257,7 +257,7 @@ spec:
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $key }}
- name: ISTIO_META_OWNER
value: kubernetes://api/apps/v1/namespaces/{{ $spec.namespace | default $.Release.Namespace }}/deployments/{{ $key }}
value: kubernetes://apis/apps/v1/namespaces/{{ $spec.namespace | default $.Release.Namespace }}/deployments/{{ $key }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
apiVersion: v1
appVersion: 1.4.2
appVersion: 1.4.3
description: A Helm chart for Kubernetes
name: grafana
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
......@@ -75,6 +75,8 @@ spec:
chart: {{ template "grafana.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-grafana-post-install-account
containers:
......@@ -3,4 +3,4 @@ appVersion: "0.1"
description: Istio CoreDNS provides DNS resolution for services in multicluster setups.
name: istiocoredns
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
......@@ -71,6 +71,9 @@ spec:
mountPath: "/kiali-cert"
- name: kiali-secret
mountPath: "/kiali-secret"
- name: kiali-console
subPath: env.js
mountPath: /opt/kiali/console/env.js
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }}
......@@ -78,6 +81,12 @@ spec:
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
volumes:
- name: kiali-console
configMap:
name: kiali-console
items:
- key: env.js
path: env.js
- name: kiali-configuration
configMap:
name: kiali
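Review bot: The `env.js` mount added in the volumeMounts hunk above uses `subPath`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so a later change to the `kiali-console` ConfigMap (for example a different `clusterId`) only takes effect once the pod is recreated. If that is acceptable it deserves a comment next to the mount, e.g. `# subPath mount: ConfigMap edits need a pod restart`; otherwise add a checksum-of-ConfigMap annotation to the pod template so a value change rolls the Deployment. The new mount path is also the only unquoted one in the list (`mountPath: /opt/kiali/console/env.js` beside `"/kiali-secret"`), so quoting it keeps the style uniform. The same mount and volume are added again in the full kiali `deployment.yaml` copy further down in this commit. The container definition starts outside the hunk.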
apiVersion: v1
kind: ConfigMap
metadata:
name: kiali-console
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "kiali.name" . }}
chart: {{ template "kiali.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
env.js: |
window.WEB_ROOT='/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/istio-system/services/http:kiali:20001/proxy';
\ No newline at end of file
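Review bot: The proxy path in `env.js` hard-codes `istio-system`, while the same resource takes its own namespace from `{{ .Release.Namespace }}` in `metadata` a few lines above; if the chart is ever installed into another namespace the console's `WEB_ROOT` points at a Kiali service that does not exist there. Using the release namespace in the path keeps the two consistent: `window.WEB_ROOT='/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy';`. The file also ends without a trailing newline. The same content is added a second time as the `scripts/istio` copy of this ConfigMap later in the commit, so both copies need the change.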
apiVersion: v1
appVersion: 1.4.2
appVersion: 1.4.3
description: Helm chart for mixer deployment
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
......@@ -10,4 +10,4 @@ name: mixer
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
apiVersion: v1
appVersion: 1.4.2
appVersion: 1.4.3
description: Helm chart for nodeagent deployment
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
......@@ -10,4 +10,4 @@ name: nodeagent
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
apiVersion: v1
appVersion: 1.4.2
appVersion: 1.4.3
description: Helm chart for pilot deployment
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
......@@ -10,4 +10,4 @@ name: pilot
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
......@@ -33,7 +33,7 @@ rules:
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"]
resources: ["endpoints", "pods", "services", "namespaces", "nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
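Review bot: Dropping `secrets` from the broad read rule only narrows pilot's access if the dedicated `secrets` rule that begins on the last line of the hunk is at least as restrictive; its `verbs` are outside the view, so it is worth confirming they are still `["get", "list", "watch"]` or narrower rather than the same grant simply moving. A short comment on that rule, such as `# secrets kept in their own rule so the verbs can be scoped independently`, would explain the split to the next reader. The enclosing ClusterRole starts and ends outside the hunk.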
......@@ -3,4 +3,4 @@ appVersion: 2.8.0
description: A Helm chart for Kubernetes
name: prometheus
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
apiVersion: v1
appVersion: 1.4.2
appVersion: 1.4.3
description: Helm chart for istio authentication
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
......@@ -10,4 +10,4 @@ name: security
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
......@@ -79,6 +79,8 @@ spec:
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-security-post-install-account
containers:
apiVersion: v1
appVersion: 1.4.2
appVersion: 1.4.3
description: Helm chart for sidecar injector webhook deployment
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
......@@ -10,4 +10,4 @@ name: sidecarInjectorWebhook
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
......@@ -3,4 +3,4 @@ appVersion: 1.5.1
description: A Helm chart for Kubernetes
name: tracing
tillerVersion: '>=2.7.2'
version: 1.4.2
version: 1.4.3
......@@ -43,14 +43,18 @@ initContainers:
resources: {}
{{- end }}
securityContext:
runAsUser: 0
runAsNonRoot: false
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
add:
- NET_ADMIN
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
- NET_RAW
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
restartPolicy: Always
{{- end }}
{{ end -}}
......@@ -65,9 +69,17 @@ initContainers:
imagePullPolicy: IfNotPresent
resources: {}
securityContext:
runAsUser: 0
runAsNonRoot: false
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
drop:
- ALL
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{ end }}
{{- end }}
containers:
......@@ -156,6 +168,10 @@ containers:
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
......@@ -164,9 +180,13 @@ containers:
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{if or (ne $index1 0) (ne $index2 0)}},{{end}}{{ structToJSON $p }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
......@@ -280,21 +300,22 @@ containers:
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
{{- if ne .Values.global.proxy.enableCoreDump true }}
readOnlyRootFilesystem: true
{{- end }}
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
add:
- NET_ADMIN
runAsGroup: 1337
{{ else -}}
{{ if .Values.global.sds.enabled }}
runAsGroup: 1337
{{- end }}
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
runAsGroup: 1337
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
runAsNonRoot: false
runAsUser: 0
{{- else -}}
runAsNonRoot: true
runAsUser: 1337
{{- end }}
resources:
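Review bot: In the sidecar securityContext hunk `runAsGroup: 1337` is now emitted unconditionally, where the removed lines only set it for TPROXY interception or when `.Values.global.sds.enabled` was true; every injected sidecar in the default iptables mode therefore changes its primary group, which matters for any mounted volume whose permissions were tuned for the previous group. That is presumably the intended upstream 1.4.3 behaviour, but the commit does not say so, and a one-line comment above the field (`# runAsGroup is fixed to 1337 for all interception modes; TPROXY still runs as uid 0 with NET_ADMIN`) would save the next reader a history dig. `privileged` and `allowPrivilegeEscalation` are now both driven by `.Values.global.proxy.privileged` in this hunk and in the istio-init hunk above, so that value should carry an explicit `false` default in the values file (not in view). The sidecar container definition starts outside the hunk.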
labels:
rancher.istio.v1.4.2: 1.4.2
rancher.istio.v1.4.3: 1.4.3
rancher_min_version: 2.3.0-rc1
dependencies:
- name: sidecarInjectorWebhook
version: 1.4.2
version: 1.4.3
condition: sidecarInjectorWebhook.enabled
- name: security
version: 1.4.2
version: 1.4.3
condition: security.enabled
- name: gateways
version: 1.4.2
version: 1.4.3
condition: gateways.enabled
- name: mixer
version: 1.4.2
version: 1.4.3
condition: or mixer.policy.enabled mixer.telemetry.enabled
- name: nodeagent
version: 1.4.2
version: 1.4.3
condition: nodeagent.enabled
- name: pilot
version: 1.4.2
version: 1.4.3
condition: pilot.enabled
- name: grafana
version: 1.4.2
version: 1.4.3
condition: grafana.enabled
- name: prometheus
version: 1.4.2
version: 1.4.3
condition: prometheus.enabled
- name: tracing
version: 1.4.2
version: 1.4.3
condition: tracing.enabled
- name: galley
version: 1.4.2
version: 1.4.3
condition: galley.enabled
- name: kiali
version: 1.4.2
version: 1.4.3
condition: kiali.enabled
- name: istiocoredns
version: 1.4.2
version: 1.4.3
condition: istiocoredns.enabled
- name: certmanager
version: 1.4.2
version: 1.4.3
condition: certmanager.enabled
......@@ -138,7 +138,7 @@ global:
hub: docker.io/rancher
# Default tag for Istio images.
tag: 1.4.2
tag: 1.4.3
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
apiVersion: apps/v1
kind: Deployment
metadata:
name: kiali
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "kiali.name" . }}
chart: {{ template "kiali.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: kiali
template:
metadata:
name: kiali
labels:
app: kiali
chart: {{ template "kiali.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
prometheus.io/scrape: "true"
prometheus.io/port: "9090"
kiali.io/runtimes: go,kiali
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: kiali-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- image: "{{ .Values.hub }}/{{ .Values.image }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
name: kiali
command:
- "/opt/kiali/kiali"
- "-config"
- "/kiali-configuration/config.yaml"
- "-v"
- "3"
readinessProbe:
httpGet:
path: {{ .Values.contextPath }}/healthz
port: 20001
scheme: {{ if .Values.security.enabled }} 'HTTPS' {{ else }} 'HTTP' {{ end }}
initialDelaySeconds: 5
periodSeconds: 30
livenessProbe:
httpGet:
path: {{ .Values.contextPath }}/healthz
port: 20001
scheme: {{ if .Values.security.enabled }} 'HTTPS' {{ else }} 'HTTP' {{ end }}
initialDelaySeconds: 5
periodSeconds: 30
env:
- name: ACTIVE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: kiali-configuration
mountPath: "/kiali-configuration"
- name: kiali-cert
mountPath: "/kiali-cert"
- name: kiali-secret
mountPath: "/kiali-secret"
- name: kiali-console
subPath: env.js
mountPath: /opt/kiali/console/env.js
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
volumes:
- name: kiali-console
configMap:
name: kiali-console
items:
- key: env.js
path: env.js
- name: kiali-configuration
configMap:
name: kiali
- name: kiali-cert
secret:
secretName: istio.kiali-service-account
{{- if not .Values.security.enabled }}
optional: true
{{- end }}
- name: kiali-secret
secret:
secretName: {{ .Values.dashboard.secretName }}
optional: true
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
apiVersion: v1
kind: ConfigMap
metadata:
name: kiali-console
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "kiali.name" . }}
chart: {{ template "kiali.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
env.js: |
window.WEB_ROOT='/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/istio-system/services/http:kiali:20001/proxy';
\ No newline at end of file
......@@ -55,9 +55,16 @@ EOF
# Replace the name of the chart
sed -i 's/name: istio/name: rancher-istio/g' charts/rancher-istio/${1}/Chart.yaml
# Update kiali
cp ./scripts/istio/deployment.yaml charts/rancher-istio/${1}/charts/kiali/templates/
cp ./scripts/istio/kiali-console-configmap.yaml charts/rancher-istio/${1}/charts/kiali/templates/
# Replace istio kubectl images
sed -i 's/"{{ .Values.global.hub }}\/kubectl:{{ .Values.global.tag }}"/"{{ .Values.global.hub }}\/istio-kubectl:{{ .Values.global.tag }}"/g' charts/rancher-istio/${1}/charts/security/templates/*.yaml
# Istio-values.yaml is rancher specific customization yaml
cat ./scripts/istio/istio-values.yaml > charts/rancher-istio/${1}/values.yaml
cat ./scripts/istio/istio-service-rbac.yaml > charts/rancher-istio/${1}/templates/istio-service-rbac.yaml
# Replace tag
sed -i 's/tag: 1.4.2/tag: '"${1}"'/g' charts/rancher-istio/${1}/values.yaml
\ No newline at end of file
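Review bot: The tag replacement at the end of the hunk matches the literal previous version, `sed -i 's/tag: 1.4.2/tag: '"${1}"'/g'`, so it has to be hand-edited every release and silently does nothing if `istio-values.yaml` is bumped ahead of it (the values hunk earlier in this commit already changes `tag: 1.4.2` to `tag: 1.4.3`, if that hunk is the same file); the unescaped dots also match any character. A version-agnostic pattern anchored on the global tag line avoids both, e.g. `sed -i -E 's/^(  tag: )[0-9]+\.[0-9]+\.[0-9]+$/\1'"${1}"'/' charts/rancher-istio/${1}/values.yaml`, with the leading spaces matching the indentation of the `global:` block so per-component tags are left alone. The two `cp` lines replace the upstream kiali deployment and add a ConfigMap wholesale, so each Istio bump needs a diff of `scripts/istio/deployment.yaml` against the upstream template to pick up changes such as the securityContext ones in this commit; a comment above the copies saying so would help. The script continues outside the hunk, and the file ends without a trailing newline.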