Diffstat (limited to 'vnfs/DAaaS/deploy/00-init/istio')
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/README.md38
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-instance/values.yaml11
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/.helmignore22
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/Chart.yaml20
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/README.md55
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/_helpers.tpl32
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-rbac.yaml54
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-service.yaml30
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-istio-1.2-crd.yaml676
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml315
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-remoteistio-1.2-crd.yaml268
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-service.yaml33
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-statefulset.yaml87
-rw-r--r--vnfs/DAaaS/deploy/00-init/istio/istio-operator/values.yaml40
14 files changed, 22 insertions, 1659 deletions
diff --git a/vnfs/DAaaS/deploy/00-init/istio/README.md b/vnfs/DAaaS/deploy/00-init/istio/README.md
index 74b0e5f7..8fcba4f8 100644
--- a/vnfs/DAaaS/deploy/00-init/istio/README.md
+++ b/vnfs/DAaaS/deploy/00-init/istio/README.md
@@ -1,24 +1,20 @@
-/*
- * Copyright 2019 Intel Corporation, Inc
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+#/*
+# * Copyright 2019 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
-# Instructions to Install Istio ServiceMesh
+# Steps for Instaling Istio with Istio- Operator
-# Step 1 - Install Istio Operator's helm chart
-
-helm install --name=istio-operator --namespace=istio-system istio-operator
-
-# Step 2 - Add the helm chart to install Istio in sds configuration
+# Step 1 - Add the helm chart to install Istio in sds configuration
helm install istio-instance --name istio --namespace istio-system
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-instance/values.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-instance/values.yaml
index 93363613..091999ac 100644
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-instance/values.yaml
+++ b/vnfs/DAaaS/deploy/00-init/istio/istio-instance/values.yaml
@@ -14,26 +14,25 @@
# * See the License for the specific language governing permissions and
# * limitations under the License.
# */
-#Declare variables to be pssed into your Istio SDS template file.
-
+#Declare variables to be passed into Istio SDS template file.
metadata:
name: "istio-sample"
spec:
version: "1.2.2"
mtls: true
autoInjectionNamespaces:
- - ""
+ -
sds:
enabled: true
udsPath: "unix:/var/run/sds/uds_path"
useTrustworthyJwt: false
useNormalJwt: true
gateways:
- enabled: false
+ enabled: true
ingress:
- enabled: false
+ enabled: true
sds:
- enabled: false
+ enabled: true
image: "docker.io/istio/node-agent-k8s:1.2.2"
nodeAgent:
enabled: true
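Review bot: The bare `-` that replaces `- ""` under `autoInjectionNamespaces` parses as a list holding one null item, not an empty list. The Istio CRD schema visible elsewhere in this commit declares those items as `type: string`, so the value may be rejected or rendered as an empty namespace name, depending on how the chart consumes it. If no namespace should be labelled for injection, write `autoInjectionNamespaces: []`; otherwise list the namespaces explicitly. Separately, the hunk turns on the ingress gateway and its SDS agent while the context lines keep `useTrustworthyJwt: false` and `useNormalJwt: true`, and no `serviceType` is set in the visible lines; a comment above `gateways:` stating the intended exposure and why the normal service-account JWT is acceptable would make this reviewable. The `spec` mapping continues past the end of the hunk.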
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/.helmignore b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/.helmignore
deleted file mode 100644
index 50af0317..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/.helmignore
+++ /dev/null
@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/Chart.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/Chart.yaml
deleted file mode 100644
index 1da83af4..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/Chart.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-
-
-#/*Copyright 2019 Intel Corporation, Inc
-# *
-# * Licensed under the Apache License, Version 2.0 (the "License");
-# * you may not use this file except in compliance with the License.
-# * You may obtain a copy of the License at
-# *
-# * http://www.apache.org/licenses/LICENSE-2.0
-# *
-# * Unless required by applicable law or agreed to in writing, software
-# * distributed under the License is distributed on an "AS IS" BASIS,
-# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# * See the License for the specific language governing permissions and
-# * limitations under the License.
-# */
-name: istio-operator
-version: 0.0.15
-description: istio-operator manages Istio deployments on Kubernetes
-appVersion: 0.2.1
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/README.md b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/README.md
deleted file mode 100644
index 4611a81e..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/README.md
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright 2019 Intel Corporation, Inc
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-## Prerequisites
-
-- Kubernetes 1.10.0+
-
-## Installing the chart
-
-To install the chart from local directory:
-
-```
-helm install --name=istio-operator --namespace=istio-system istio-operator
-```
-
-## Uninstalling the Chart
-
-To uninstall/delete the `istio-operator` release:
-
-```
-$ helm del --purge istio-operator
-```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Configuration
-
-The following table lists the configurable parameters of the Banzaicloud Istio Operator chart and their default values.
-
-Parameter | Description | Default
---------- | ----------- | -------
-`operator.image.repository` | Operator container image repository | `banzaicloud/istio-operator`
-`operator.image.tag` | Operator container image tag | `0.2.1`
-`operator.image.pullPolicy` | Operator container image pull policy | `IfNotPresent`
-`operator.resources` | CPU/Memory resource requests/limits (YAML) | Memory: `128Mi/256Mi`, CPU: `100m/200m`
-`istioVersion` | Supported Istio version | `1.2`
-`prometheusMetrics.enabled` | If true, use direct access for Prometheus metrics | `false`
-`prometheusMetrics.authProxy.enabled` | If true, use auth proxy for Prometheus metrics | `true`
-`prometheusMetrics.authProxy.image.repository` | Auth proxy container image repository | `gcr.io/kubebuilder/kube-rbac-proxy`
-`prometheusMetrics.authProxy.image.tag` | Auth proxy container image tag | `v0.4.0`
-`prometheusMetrics.authProxy.image.pullPolicy` | Auth proxy container image pull policy | `IfNotPresent`
-`rbac.enabled` | Create rbac service account and roles | `true`
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/_helpers.tpl b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/_helpers.tpl
deleted file mode 100644
index 065bc1e3..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/_helpers.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "istio-operator.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "istio-operator.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "istio-operator.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-rbac.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-rbac.yaml
deleted file mode 100644
index 8a047e03..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-rbac.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-{{- if and .Values.rbac.enabled .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "istio-operator.fullname" . }}-authproxy
- labels:
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: authproxy
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: "{{ include "istio-operator.fullname" . }}-authproxy"
- labels:
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: authproxy
-rules:
-- apiGroups: ["authentication.k8s.io"]
- resources:
- - tokenreviews
- verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
- resources:
- - subjectaccessreviews
- verbs: ["create"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: "{{ include "istio-operator.fullname" . }}-authproxy"
- labels:
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: authproxy
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: "{{ include "istio-operator.fullname" . }}-authproxy"
-subjects:
-- kind: ServiceAccount
- name: {{ include "istio-operator.fullname" . }}-authproxy
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-service.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-service.yaml
deleted file mode 100644
index aad8a2be..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-service.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "istio-operator.fullname" . }}-authproxy
- annotations:
- prometheus.io/port: "8443"
- prometheus.io/scheme: https
- prometheus.io/scrape: "true"
- labels:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: authproxy
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: https
- selector:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: operator
-{{- end }}
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-istio-1.2-crd.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-istio-1.2-crd.yaml
deleted file mode 100644
index b52ffc39..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-istio-1.2-crd.yaml
+++ /dev/null
@@ -1,676 +0,0 @@
-{{ if eq .Values.istioVersion 1.2 }}
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: istios.istio.banzaicloud.io
- labels:
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: operator
-spec:
- additionalPrinterColumns:
- - JSONPath: .status.Status
- description: Status of the resource
- name: Status
- type: string
- - JSONPath: .status.ErrorMessage
- description: Error message
- name: Error
- type: string
- - JSONPath: .status.GatewayAddress
- description: Ingress gateways of the resource
- name: Gateways
- type: string
- - JSONPath: .metadata.creationTimestamp
- name: Age
- type: date
- group: istio.banzaicloud.io
- names:
- kind: Istio
- plural: istios
- scope: Namespaced
- subresources:
- status: {}
- validation:
- openAPIV3Schema:
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- properties:
- autoInjectionNamespaces:
- description: List of namespaces to label with sidecar auto injection
- enabled
- items:
- type: string
- type: array
- citadel:
- description: Citadel configuration options
- properties:
- affinity:
- type: object
- caSecretName:
- type: string
- enabled:
- type: boolean
- healthCheck:
- description: Enable health checking on the Citadel CSR signing API.
- https://istio.io/docs/tasks/security/health-check/
- type: boolean
- image:
- type: string
- maxWorkloadCertTTL:
- description: Citadel uses a flag max-workload-cert-ttl to control
- the maximum lifetime for Istio certificates issued to workloads.
- The default value is 90 days. If workload-cert-ttl on Citadel
- or node agent is greater than max-workload-cert-ttl, Citadel will
- fail issuing the certificate.
- type: string
- nodeSelector:
- type: object
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- workloadCertTTL:
- description: For the workloads running in Kubernetes, the lifetime
- of their Istio certificates is controlled by the workload-cert-ttl
- flag on Citadel. The default value is 90 days. This value should
- be no greater than max-workload-cert-ttl of Citadel.
- type: string
- type: object
- controlPlaneSecurityEnabled:
- description: ControlPlaneSecurityEnabled control plane services are
- communicating through mTLS
- type: boolean
- defaultConfigVisibility:
- description: Set the default set of namespaces to which services, service
- entries, virtual services, destination rules should be exported to
- type: string
- defaultPodDisruptionBudget:
- description: Enable pod disruption budget for the control plane, which
- is used to ensure Istio control plane components are gradually upgraded
- or recovered
- properties:
- enabled:
- type: boolean
- type: object
- defaultResources:
- description: DefaultResources are applied for all Istio components by
- default, can be overridden for each component
- type: object
- excludeIPRanges:
- description: ExcludeIPRanges the range where not to capture egress traffic
- type: string
- galley:
- description: Galley configuration options
- properties:
- affinity:
- type: object
- enabled:
- type: boolean
- image:
- type: string
- nodeSelector:
- type: object
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- type: object
- gateways:
- description: Gateways configuration options
- properties:
- egress:
- properties:
- affinity:
- type: object
- applicationPorts:
- type: string
- enabled:
- type: boolean
- loadBalancerIP:
- type: string
- maxReplicas:
- format: int32
- type: integer
- minReplicas:
- format: int32
- type: integer
- nodeSelector:
- type: object
- ports:
- items:
- type: object
- type: array
- replicaCount:
- format: int32
- type: integer
- requestedNetworkView:
- type: string
- resources:
- type: object
- sds:
- properties:
- enabled:
- type: boolean
- image:
- type: string
- resources:
- type: object
- type: object
- serviceAnnotations:
- type: object
- serviceLabels:
- type: object
- serviceType:
- enum:
- - ClusterIP
- - NodePort
- - LoadBalancer
- type: string
- tolerations:
- items:
- type: object
- type: array
- type: object
- enabled:
- type: boolean
- ingress:
- properties:
- affinity:
- type: object
- applicationPorts:
- type: string
- enabled:
- type: boolean
- loadBalancerIP:
- type: string
- maxReplicas:
- format: int32
- type: integer
- minReplicas:
- format: int32
- type: integer
- nodeSelector:
- type: object
- ports:
- items:
- type: object
- type: array
- replicaCount:
- format: int32
- type: integer
- requestedNetworkView:
- type: string
- resources:
- type: object
- sds:
- properties:
- enabled:
- type: boolean
- image:
- type: string
- resources:
- type: object
- type: object
- serviceAnnotations:
- type: object
- serviceLabels:
- type: object
- serviceType:
- enum:
- - ClusterIP
- - NodePort
- - LoadBalancer
- type: string
- tolerations:
- items:
- type: object
- type: array
- type: object
- type: object
- imagePullPolicy:
- description: ImagePullPolicy describes a policy for if/when to pull
- a container image
- enum:
- - Always
- - Never
- - IfNotPresent
- type: string
- includeIPRanges:
- description: IncludeIPRanges the range where to capture egress traffic
- type: string
- istioCoreDNS:
- description: Istio CoreDNS provides DNS resolution for services in multi
- mesh setups
- properties:
- affinity:
- type: object
- enabled:
- type: boolean
- image:
- type: string
- nodeSelector:
- type: object
- pluginImage:
- type: string
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- type: object
- localityLB:
- description: Locality based load balancing distribution or failover
- settings.
- properties:
- distribute:
- description: 'Optional: only one of distribute or failover can be
- set. Explicitly specify loadbalancing weight across different
- zones and geographical locations. Refer to [Locality weighted
- load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight)
- If empty, the locality weight is set according to the endpoints
- number within it.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated, e.g. 'region/zone'.
- type: string
- to:
- description: Map of upstream localities to traffic distribution
- weights. The sum of all weights should be == 100. Any locality
- not assigned a weight will receive no traffic.
- type: object
- type: object
- type: array
- enabled:
- description: If set to true, locality based load balancing will
- be enabled
- type: boolean
- failover:
- description: 'Optional: only failover or distribute can be set.
- Explicitly specify the region traffic will land on when endpoints
- in local region becomes unhealthy. Should be used together with
- OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection
- specified, this will not take effect.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- description: Destination region the traffic will fail over
- to when endpoints in the 'from' region becomes unhealthy.
- type: string
- type: object
- type: array
- type: object
- meshExpansion:
- description: If set to true, the pilot and citadel mtls will be exposed
- on the ingress gateway also the remote istios will be connected through
- gateways
- type: boolean
- mixer:
- description: Mixer configuration options
- properties:
- affinity:
- type: object
- enabled:
- type: boolean
- image:
- type: string
- maxReplicas:
- format: int32
- type: integer
- minReplicas:
- format: int32
- type: integer
- multiClusterSupport:
- description: Turn it on if you use mixer that supports multi cluster
- telemetry
- type: boolean
- nodeSelector:
- type: object
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- type: object
- mtls:
- description: MTLS enables or disables global mTLS
- type: boolean
- multiMesh:
- description: Set to true to connect two or more meshes via their respective
- ingressgateway services when workloads in each cluster cannot directly
- talk to one another. All meshes should be using Istio mTLS and must
- have a shared root CA for this model to work.
- type: boolean
- nodeAgent:
- description: NodeAgent configuration options
- properties:
- affinity:
- type: object
- enabled:
- type: boolean
- image:
- type: string
- nodeSelector:
- type: object
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- type: object
- outboundTrafficPolicy:
- description: Set the default behavior of the sidecar for handling outbound
- traffic from the application (ALLOW_ANY or REGISTRY_ONLY)
- properties:
- mode:
- enum:
- - ALLOW_ANY
- - REGISTRY_ONLY
- type: string
- type: object
- pilot:
- description: Pilot configuration options
- properties:
- affinity:
- type: object
- enabled:
- type: boolean
- image:
- type: string
- maxReplicas:
- format: int32
- type: integer
- minReplicas:
- format: int32
- type: integer
- nodeSelector:
- type: object
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- sidecar:
- type: boolean
- tolerations:
- items:
- type: object
- type: array
- traceSampling:
- format: float
- type: number
- type: object
- proxy:
- description: Proxy configuration options
- properties:
- componentLogLevel:
- description: Per Component log level for proxy, applies to gateways
- and sidecars. If a component level is not set, then the "LogLevel"
- will be used. If left empty, "misc:error" is used.
- type: string
- dnsRefreshRate:
- description: Configure the DNS refresh rate for Envoy cluster of
- type STRICT_DNS This must be given it terms of seconds. For example,
- 300s is valid but 5m is invalid.
- pattern: ^[0-9]{1,5}s$
- type: string
- enableCoreDump:
- description: If set, newly injected sidecars will have core dumps
- enabled.
- type: boolean
- image:
- type: string
- logLevel:
- description: 'Log level for proxy, applies to gateways and sidecars.
- If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
- enum:
- - trace
- - debug
- - info
- - warning
- - error
- - critical
- - "off"
- type: string
- privileged:
- description: If set to true, istio-proxy container will have privileged
- securityContext
- type: boolean
- resources:
- type: object
- type: object
- proxyInit:
- description: Proxy Init configuration options
- properties:
- image:
- type: string
- type: object
- sds:
- description: If SDS is configured, mTLS certificates for the sidecars
- will be distributed through the SecretDiscoveryService instead of
- using K8S secrets to mount the certificates
- properties:
- customTokenDirectory:
- type: string
- enabled:
- description: If set to true, mTLS certificates for the sidecars
- will be distributed through the SecretDiscoveryService instead
- of using K8S secrets to mount the certificates.
- type: boolean
- udsPath:
- description: Unix Domain Socket through which envoy communicates
- with NodeAgent SDS to get key/cert for mTLS. Use secret-mount
- files instead of SDS if set to empty.
- type: string
- useNormalJwt:
- description: If set to true, envoy will fetch normal k8s service
- account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
- (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
- and pass to sds server, which will be used to request key/cert
- eventually this flag is ignored if UseTrustworthyJwt is set
- type: boolean
- useTrustworthyJwt:
- description: 'If set to true, Istio will inject volumes mount for
- k8s service account JWT, so that K8s API server mounts k8s service
- account JWT to envoy container, which will be used to generate
- key/cert eventually. (prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)'
- type: boolean
- type: object
- sidecarInjector:
- description: SidecarInjector configuration options
- properties:
- affinity:
- type: object
- alwaysInjectSelector:
- description: 'AlwaysInjectSelector: Forces the injection on pods
- whose labels match this selector. It''s an array of label selectors,
- that will be OR''ed, meaning we will iterate over it and stop
- at the first match'
- items:
- type: object
- type: array
- autoInjectionPolicyEnabled:
- description: This controls the 'policy' in the sidecar injector
- type: boolean
- enableNamespacesByDefault:
- description: This controls whether the webhook looks for namespaces
- for injection enabled or disabled
- type: boolean
- enabled:
- type: boolean
- image:
- type: string
- init:
- properties:
- resources:
- type: object
- type: object
- initCNIConfiguration:
- properties:
- affinity:
- type: object
- binDir:
- description: Must be the same as the environment’s --cni-bin-dir
- setting (kubelet parameter)
- type: string
- confDir:
- description: Must be the same as the environment’s --cni-conf-dir
- setting (kubelet parameter)
- type: string
- enabled:
- description: If true, the privileged initContainer istio-init
- is not needed to perform the traffic redirect settings for
- the istio-proxy
- type: boolean
- excludeNamespaces:
- description: List of namespaces to exclude from Istio pod check
- items:
- type: string
- type: array
- image:
- type: string
- logLevel:
- description: Logging level for CNI binary
- type: string
- type: object
- neverInjectSelector:
- description: 'NeverInjectSelector: Refuses the injection on pods
- whose labels match this selector. It''s an array of label selectors,
- that will be OR''ed, meaning we will iterate over it and stop
- at the first match Takes precedence over AlwaysInjectSelector.'
- items:
- type: object
- type: array
- nodeSelector:
- type: object
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- rewriteAppHTTPProbe:
- description: If true, sidecar injector will rewrite PodSpec for
- liveness health check to redirect request to sidecar. This makes
- liveness check work even when mTLS is enabled.
- type: boolean
- tolerations:
- items:
- type: object
- type: array
- type: object
- tracing:
- description: Configuration for each of the supported tracers
- properties:
- datadog:
- properties:
- address:
- description: Host:Port for submitting traces to the Datadog
- agent.
- pattern: ^[^\:]+:[0-9]{1,5}$
- type: string
- type: object
- enabled:
- type: boolean
- lightstep:
- properties:
- accessToken:
- description: required for sending data to the pool
- type: string
- address:
- description: the <host>:<port> of the satellite pool
- pattern: ^[^\:]+:[0-9]{1,5}$
- type: string
- cacertPath:
- description: the path to the file containing the cacert to use
- when verifying TLS. If secure is true, this is required. If
- a value is specified then a secret called "lightstep.cacert"
- must be created in the destination namespace with the key
- matching the base of the provided cacertPath and the value
- being the cacert itself.
- type: string
- secure:
- description: specifies whether data should be sent with TLS
- type: boolean
- type: object
- tracer:
- enum:
- - zipkin
- - lightstep
- - datadog
- type: string
- zipkin:
- properties:
- address:
- description: Host:Port for reporting trace data in zipkin format.
- If not specified, will default to zipkin service (port 9411)
- in the same namespace as the other istio components.
- pattern: ^[^\:]+:[0-9]{1,5}$
- type: string
- type: object
- type: object
- useMCP:
- description: Use the Mesh Control Protocol (MCP) for configuring Mixer
- and Pilot. Requires galley.
- type: boolean
- version:
- description: Contains the intended Istio version
- pattern: ^1.2
- type: string
- watchAdapterCRDs:
- description: Whether or not to establish watches for adapter-specific
- CRDs
- type: boolean
- watchOneNamespace:
- description: Whether to restrict the applications namespace the controller
- manages
- type: boolean
- required:
- - version
- - mtls
- type: object
- status:
- type: object
- version: v1beta1
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
-{{- end }}
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml
deleted file mode 100644
index d506ee41..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml
+++ /dev/null
@@ -1,315 +0,0 @@
-{{- if .Values.rbac.enabled }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "istio-operator.fullname" . }}-operator
- labels:
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "istio-operator.fullname" . }}-operator
- labels:
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: operator
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- - services
- - endpoints
- - pods
- - replicationcontrollers
- - services
- - endpoints
- - pods
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - serviceaccounts
- - configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - ""
- resources:
- - namespaces
- verbs:
- - get
- - list
- - watch
- - update
- - patch
-- apiGroups:
- - apps
- resources:
- - replicasets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - apps
- resources:
- - deployments
- - daemonsets
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - apps
- resources:
- - deployments/status
- verbs:
- - get
- - update
- - patch
-- apiGroups:
- - extensions
- resources:
- - ingresses
- - ingresses/status
- verbs:
- - '*'
-- apiGroups:
- - extensions
- resources:
- - deployments
- verbs:
- - get
-- apiGroups:
- - extensions
- resources:
- - deployments/finalizers
- verbs:
- - update
-- apiGroups:
- - extensions
- resources:
- - replicasets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - policy
- resources:
- - poddisruptionbudgets
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - autoscaling
- resources:
- - horizontalpodautoscalers
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - '*'
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterroles
- - clusterrolebindings
- - roles
- - rolebindings
- - ""
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - istio.banzaicloud.io
- resources:
- - istios
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - istio.banzaicloud.io
- resources:
- - istios/status
- verbs:
- - get
- - update
- - patch
-- apiGroups:
- - authentication.istio.io
- - cloud.istio.io
- - config.istio.io
- - istio.istio.io
- - networking.istio.io
- - rbac.istio.io
- - scalingpolicy.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - apps
- resources:
- - deployments
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - apps
- resources:
- - deployments/status
- verbs:
- - get
- - update
- - patch
-- apiGroups:
- - istio.banzaicloud.io
- resources:
- - remoteistios
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - istio.banzaicloud.io
- resources:
- - remoteistios/status
- verbs:
- - get
- - update
- - patch
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - istio.banzaicloud.io
- resources:
- - istios
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - '*'
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "istio-operator.fullname" . }}-operator
- labels:
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: operator
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "istio-operator.fullname" . }}-operator
-subjects:
-- kind: ServiceAccount
- name: {{ include "istio-operator.fullname" . }}-operator
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-remoteistio-1.2-crd.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-remoteistio-1.2-crd.yaml
deleted file mode 100644
index 37741898..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-remoteistio-1.2-crd.yaml
+++ /dev/null
@@ -1,268 +0,0 @@
-{{ if eq .Values.istioVersion 1.2 }}
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: remoteistios.istio.banzaicloud.io
- labels:
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: operator
-spec:
- additionalPrinterColumns:
- - JSONPath: .status.Status
- description: Status of the resource
- name: Status
- type: string
- - JSONPath: .status.ErrorMessage
- description: Error message
- name: Error
- type: string
- - JSONPath: .status.GatewayAddress
- description: Ingress gateways of the resource
- name: Gateways
- type: string
- - JSONPath: .metadata.creationTimestamp
- name: Age
- type: date
- group: istio.banzaicloud.io
- names:
- kind: RemoteIstio
- plural: remoteistios
- scope: Namespaced
- subresources:
- status: {}
- validation:
- openAPIV3Schema:
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- properties:
- autoInjectionNamespaces:
- description: List of namespaces to label with sidecar auto injection
- enabled
- items:
- type: string
- type: array
- citadel:
- description: Citadel configuration options
- properties:
- affinity:
- type: object
- caSecretName:
- type: string
- enabled:
- type: boolean
- healthCheck:
- description: Enable health checking on the Citadel CSR signing API.
- https://istio.io/docs/tasks/security/health-check/
- type: boolean
- image:
- type: string
- maxWorkloadCertTTL:
- description: Citadel uses a flag max-workload-cert-ttl to control
- the maximum lifetime for Istio certificates issued to workloads.
- The default value is 90 days. If workload-cert-ttl on Citadel
- or node agent is greater than max-workload-cert-ttl, Citadel will
- fail issuing the certificate.
- type: string
- nodeSelector:
- type: object
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- workloadCertTTL:
- description: For the workloads running in Kubernetes, the lifetime
- of their Istio certificates is controlled by the workload-cert-ttl
- flag on Citadel. The default value is 90 days. This value should
- be no greater than max-workload-cert-ttl of Citadel.
- type: string
- type: object
- defaultResources:
- description: DefaultResources are applied for all Istio components by
- default, can be overridden for each component
- type: object
- enabledServices:
- description: EnabledServices the Istio component services replicated
- to remote side
- items:
- properties:
- labelSelector:
- type: string
- name:
- type: string
- podIPs:
- items:
- type: string
- type: array
- ports:
- items:
- type: object
- type: array
- required:
- - name
- type: object
- type: array
- excludeIPRanges:
- description: ExcludeIPRanges the range where not to capture egress traffic
- type: string
- includeIPRanges:
- description: IncludeIPRanges the range where to capture egress traffic
- type: string
- proxy:
- description: Proxy configuration options
- properties:
- componentLogLevel:
- description: Per Component log level for proxy, applies to gateways
- and sidecars. If a component level is not set, then the "LogLevel"
- will be used. If left empty, "misc:error" is used.
- type: string
- dnsRefreshRate:
- description: Configure the DNS refresh rate for Envoy cluster of
- type STRICT_DNS This must be given it terms of seconds. For example,
- 300s is valid but 5m is invalid.
- pattern: ^[0-9]{1,5}s$
- type: string
- enableCoreDump:
- description: If set, newly injected sidecars will have core dumps
- enabled.
- type: boolean
- image:
- type: string
- logLevel:
- description: 'Log level for proxy, applies to gateways and sidecars.
- If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
- enum:
- - trace
- - debug
- - info
- - warning
- - error
- - critical
- - "off"
- type: string
- privileged:
- description: If set to true, istio-proxy container will have privileged
- securityContext
- type: boolean
- resources:
- type: object
- type: object
- proxyInit:
- description: Proxy Init configuration options
- properties:
- image:
- type: string
- type: object
- sidecarInjector:
- description: SidecarInjector configuration options
- properties:
- affinity:
- type: object
- alwaysInjectSelector:
- description: 'AlwaysInjectSelector: Forces the injection on pods
- whose labels match this selector. It''s an array of label selectors,
- that will be OR''ed, meaning we will iterate over it and stop
- at the first match'
- items:
- type: object
- type: array
- autoInjectionPolicyEnabled:
- description: This controls the 'policy' in the sidecar injector
- type: boolean
- enableNamespacesByDefault:
- description: This controls whether the webhook looks for namespaces
- for injection enabled or disabled
- type: boolean
- enabled:
- type: boolean
- image:
- type: string
- init:
- properties:
- resources:
- type: object
- type: object
- initCNIConfiguration:
- properties:
- affinity:
- type: object
- binDir:
- description: Must be the same as the environment’s --cni-bin-dir
- setting (kubelet parameter)
- type: string
- confDir:
- description: Must be the same as the environment’s --cni-conf-dir
- setting (kubelet parameter)
- type: string
- enabled:
- description: If true, the privileged initContainer istio-init
- is not needed to perform the traffic redirect settings for
- the istio-proxy
- type: boolean
- excludeNamespaces:
- description: List of namespaces to exclude from Istio pod check
- items:
- type: string
- type: array
- image:
- type: string
- logLevel:
- description: Logging level for CNI binary
- type: string
- type: object
- neverInjectSelector:
- description: 'NeverInjectSelector: Refuses the injection on pods
- whose labels match this selector. It''s an array of label selectors,
- that will be OR''ed, meaning we will iterate over it and stop
- at the first match Takes precedence over AlwaysInjectSelector.'
- items:
- type: object
- type: array
- nodeSelector:
- type: object
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- rewriteAppHTTPProbe:
- description: If true, sidecar injector will rewrite PodSpec for
- liveness health check to redirect request to sidecar. This makes
- liveness check work even when mTLS is enabled.
- type: boolean
- tolerations:
- items:
- type: object
- type: array
- type: object
- required:
- - enabledServices
- type: object
- status:
- type: object
- version: v1beta1
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
-{{- end }}
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-service.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-service.yaml
deleted file mode 100644
index 04ffc835..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-service.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: "{{ include "istio-operator.fullname" . }}-operator"
- {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "8080"
- prometheus.io/scheme: http
- {{- end }}
- labels:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: operator
-spec:
- selector:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: operator
- ports:
- - name: https
- port: 443
- {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
- - name: metrics
- port: 8080
- {{- end }}
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-statefulset.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-statefulset.yaml
deleted file mode 100644
index 9e90ee80..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-statefulset.yaml
+++ /dev/null
@@ -1,87 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: "{{ include "istio-operator.fullname" . }}-operator"
- labels:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: operator
-spec:
- selector:
- matchLabels:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: operator
- serviceName: {{ include "istio-operator.fullname" . }}-operator
- template:
- metadata:
- labels:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: operator
- spec:
- {{- if .Values.rbac.enabled }}
- serviceAccountName: {{ include "istio-operator.fullname" . }}-operator
- {{- end }}
- terminationGracePeriodSeconds: 60
- containers:
- {{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }}
- - name: kube-rbac-proxy
- image: "{{ .Values.prometheusMetrics.authProxy.image.repository }}:{{ .Values.prometheusMetrics.authProxy.image.tag }}"
- imagePullPolicy: {{ .Values.prometheusMetrics.authProxy.image.pullPolicy }}
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=10"
- ports:
- - containerPort: 8443
- name: https
- {{- end }}
- - command:
- - /manager
- image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }}"
- imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
- name: manager
- args:
- {{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }}
- - "--metrics-addr=127.0.0.1:8080"
- {{- end }}
- - "--watch-created-resources-events=false"
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- ports:
- - containerPort: 443
- name: webhook-server
- protocol: TCP
- {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
- - containerPort: 8080
- name: metrics
- protocol: TCP
- {{- end }}
- resources:
-{{ toYaml .Values.operator.resources | indent 10 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
-{{ toYaml . | indent 8 }}
- {{- end }}
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/values.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/values.yaml
deleted file mode 100644
index cb937c11..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/values.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-
-
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-operator:
- image:
- repository: banzaicloud/istio-operator
- tag: 0.2.1
- pullPolicy: IfNotPresent
- resources:
- limits:
- cpu: 200m
- memory: 256Mi
- requests:
- cpu: 100m
- memory: 128Mi
-
-istioVersion: 1.2
-
-## Prometheus Metrics
-prometheusMetrics:
- enabled: false
-# Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
- authProxy:
- enabled: false
-
-## Role Based Access
-## Ref: https://kubernetes.io/docs/admin/authorization/rbac/
-##
-rbac:
- enabled: true
-
-nameOverride: ""
-fullnameOverride: ""
-
-nodeSelector: {}
-tolerations: []
-affinity: {}