From 933d6fdced55639b75a7f6e283b6700b7ac2d95b Mon Sep 17 00:00:00 2001
From: Pramod
Date: Mon, 14 Oct 2019 17:47:21 -0700
Subject: Adding Istio installtion helm charts
Issue-ID: ONAPARC-521
Signed-off-by: Pramod
Change-Id: I1f74190664d59465319bff77d65282a2437ade4d
---
 vnfs/DAaaS/README.md | 12 +-
 vnfs/DAaaS/deploy/00-init/gloo/.helmignore | 28 -
 vnfs/DAaaS/deploy/00-init/gloo/Chart.yaml | 8 -
 .../deploy/00-init/gloo/templates/0-namespace.yaml | 10 -
 .../gloo/templates/10-ingress-deployment.yaml | 40 -
 .../00-init/gloo/templates/100-gloo-crds.yaml | 111 --
 .../gloo/templates/101-knative-crds-0.5.1.yaml | 343 -----
 .../templates/11-ingress-proxy-deployment.yaml | 65 -
 .../gloo/templates/12-ingress-proxy-configmap.yaml | 52 -
 .../gloo/templates/13-ingress-proxy-service.yaml | 23 -
 .../14-clusteringress-proxy-deployment.yaml | 58 -
 .../15-clusteringress-proxy-configmap.yaml | 49 -
 .../templates/16-clusteringress-proxy-service.yaml | 21 -
 .../gloo/templates/17-knative-no-istio-0.5.1.yaml | 982 ------------
 .../deploy/00-init/gloo/templates/18-settings.yaml | 30 -
 .../20-namespace-clusterrole-gateway.yaml | 29 -
 .../21-namespace-clusterrole-ingress.yaml | 29 -
 .../22-namespace-clusterrole-knative.yaml | 29 -
 .../23-namespace-clusterrolebinding-gateway.yaml | 22 -
 .../24-namespace-clusterrolebinding-ingress.yaml | 22 -
 .../25-namespace-clusterrolebinding-knative.yaml | 21 -
 .../00-init/gloo/templates/3-gloo-deployment.yaml | 57 -
 .../00-init/gloo/templates/4-gloo-service.yaml | 18 -
 .../gloo/templates/5-discovery-deployment.yaml | 46 -
 .../gloo/templates/6-gateway-deployment.yaml | 47 -
 .../gloo/templates/7-gateway-proxy-deployment.yaml | 67 -
 .../gloo/templates/8-gateway-proxy-service.yaml | 35 -
 .../gloo/templates/9-gateway-proxy-configmap.yaml | 54 -
 vnfs/DAaaS/deploy/00-init/gloo/values-ingress.yaml | 74 -
 vnfs/DAaaS/deploy/00-init/gloo/values-knative.yaml | 72 -
 vnfs/DAaaS/deploy/00-init/gloo/values.yaml | 56 -
 .../deploy/00-init/istio-operator/.helmignore | 22 +
 .../DAaaS/deploy/00-init/istio-operator/Chart.yaml | 20 +
 vnfs/DAaaS/deploy/00-init/istio-operator/README.md | 55 +
 .../00-init/istio-operator/templates/_helpers.tpl | 32 +
 .../istio-operator/templates/authproxy-rbac.yaml | 54 +
 .../templates/authproxy-service.yaml | 30 +
 .../templates/operator-istio-1.2-crd.yaml | 676 +++++++++
 .../istio-operator/templates/operator-rbac.yaml | 315 ++++
 .../templates/operator-remoteistio-1.2-crd.yaml | 268 ++++
 .../istio-operator/templates/operator-service.yaml | 33 +
 .../templates/operator-statefulset.yaml | 87 ++
 .../deploy/00-init/istio-operator/values.yaml | 40 +
 vnfs/DAaaS/deploy/00-init/istio/README.md | 38 +-
 .../00-init/istio/istio-instance/values.yaml | 11 +-
 .../00-init/istio/istio-operator/.helmignore | 22 -
 .../deploy/00-init/istio/istio-operator/Chart.yaml | 20 -
 .../deploy/00-init/istio/istio-operator/README.md | 55 -
 .../istio/istio-operator/templates/_helpers.tpl | 32 -
 .../istio-operator/templates/authproxy-rbac.yaml | 54 -
 .../templates/authproxy-service.yaml | 30 -
 .../templates/operator-istio-1.2-crd.yaml | 676 ---------
 .../istio-operator/templates/operator-rbac.yaml | 315 ----
 .../templates/operator-remoteistio-1.2-crd.yaml | 268 ----
 .../istio-operator/templates/operator-service.yaml | 33 -
 .../templates/operator-statefulset.yaml | 87 --
 .../00-init/istio/istio-operator/values.yaml | 40 -
 vnfs/DAaaS/deploy/00-init/keycloak/.helmignore | 22 +
 vnfs/DAaaS/deploy/00-init/keycloak/Chart.yaml | 5 +
 vnfs/DAaaS/deploy/00-init/keycloak/README.md | 32 +
 .../DAaaS/deploy/00-init/keycloak/istio-realm.json | 1593 ++++++++++++++++++++
 .../00-init/keycloak/templates/Deployment.yaml | 41 +
 .../deploy/00-init/keycloak/templates/Service.yaml | 27 +
 vnfs/DAaaS/deploy/00-init/keycloak/values.yaml | 71 +
 vnfs/DAaaS/deploy/00-init/metallb/README.md | 5 +-
 65 files changed, 3455 insertions(+), 4164 deletions(-)
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/.helmignore
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/Chart.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/0-namespace.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/10-ingress-deployment.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/100-gloo-crds.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/101-knative-crds-0.5.1.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/11-ingress-proxy-deployment.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/12-ingress-proxy-configmap.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/13-ingress-proxy-service.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/14-clusteringress-proxy-deployment.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/15-clusteringress-proxy-configmap.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/16-clusteringress-proxy-service.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/17-knative-no-istio-0.5.1.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/18-settings.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/20-namespace-clusterrole-gateway.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/21-namespace-clusterrole-ingress.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/22-namespace-clusterrole-knative.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/23-namespace-clusterrolebinding-gateway.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/24-namespace-clusterrolebinding-ingress.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/25-namespace-clusterrolebinding-knative.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/3-gloo-deployment.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/4-gloo-service.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/5-discovery-deployment.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/6-gateway-deployment.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/7-gateway-proxy-deployment.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/8-gateway-proxy-service.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/templates/9-gateway-proxy-configmap.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/values-ingress.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/values-knative.yaml
 delete mode 100755 vnfs/DAaaS/deploy/00-init/gloo/values.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/.helmignore
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/Chart.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/README.md
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/templates/_helpers.tpl
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/templates/authproxy-rbac.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/templates/authproxy-service.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-istio-1.2-crd.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-rbac.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-remoteistio-1.2-crd.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-service.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-statefulset.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/istio-operator/values.yaml
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/.helmignore
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/Chart.yaml
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/README.md
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/_helpers.tpl
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-rbac.yaml
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-service.yaml
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-istio-1.2-crd.yaml
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-remoteistio-1.2-crd.yaml
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-service.yaml
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-statefulset.yaml
 delete mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/values.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/keycloak/.helmignore
 create mode 100644 vnfs/DAaaS/deploy/00-init/keycloak/Chart.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/keycloak/README.md
 create mode 100644 vnfs/DAaaS/deploy/00-init/keycloak/istio-realm.json
 create mode 100644 vnfs/DAaaS/deploy/00-init/keycloak/templates/Deployment.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/keycloak/templates/Service.yaml
 create mode 100644 vnfs/DAaaS/deploy/00-init/keycloak/values.yaml
(limited to 'vnfs/DAaaS')
diff --git a/vnfs/DAaaS/README.md b/vnfs/DAaaS/README.md
index 60c237b6..93e4ce97 100644
--- a/vnfs/DAaaS/README.md
+++ b/vnfs/DAaaS/README.md
@@ -24,16 +24,18 @@ DA_WORKING_DIR=$PWD/demo/vnfs/DAaaS/deploy
 ## Download the Istio Installation repo
 ```bash
-cd DA_WORKING_DIR/00-init
-helm install --name=istio-operator --namespace=istio-system istio-operator
-helm install istio-instance --name istio --namespace istio-system
+cd $DA_WORKING_DIR/00-init
+helm install --name=istio-operator istio-operator --namespace=istio-system
+cd $DA_WORKING_DIR/00-init/istio
+helm install --name istio istio-instance --namespace istio-system
 ```
 ## Install Metallb to act as a Loadbalancer
 ```bash
-cd DA_WORKING_DIR/00-init
+cd $DA_WORKING_DIR/00-init
 NOTE: Update the IP Address Ranges before you Install Metallb
-helm install --name metallb -f values.yaml metallb
+NOTE: If you are using a single IP, use /32 format
+helm install --name metallb metallb --namespace metallb-system
 ```
 ## Install Rook-Ceph for Persistent Storage
diff --git a/vnfs/DAaaS/deploy/00-init/gloo/.helmignore b/vnfs/DAaaS/deploy/00-init/gloo/.helmignore
deleted file mode 100755
index 08c5989a..00000000
--- a/vnfs/DAaaS/deploy/00-init/gloo/.helmignore
+++ /dev/null
@@ -1,28 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-
-# template files
-*-template.yaml
-
-# generator files
-*.go
-generate/
diff --git a/vnfs/DAaaS/deploy/00-init/gloo/Chart.yaml b/vnfs/DAaaS/deploy/00-init/gloo/Chart.yaml
deleted file mode 100755
index 4f5e9315..00000000
--- a/vnfs/DAaaS/deploy/00-init/gloo/Chart.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-description: Gloo Helm chart for Kubernetes
-home: https://gloo.solo.io/
-icon: https://raw.githubusercontent.com/solo-io/gloo/master/docs/img/Gloo-01.png
-name: gloo
-sources:
-- https://github.com/solo-io/gloo
-version: 0.13.18
diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/0-namespace.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/0-namespace.yaml
deleted file mode 100755
index 92a37f9d..00000000
--- a/vnfs/DAaaS/deploy/00-init/gloo/templates/0-namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{- if .Values.namespace.create -}}
-apiVersion: v1
-kind: Namespace
-metadata:
- name: {{ .Release.Namespace }}
- labels:
- app: gloo
- annotations:
- "helm.sh/hook": pre-install
-{{- end}}
\ No newline at end of file
diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/10-ingress-deployment.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/10-ingress-deployment.yaml
deleted file mode 100755
index 7314b4e3..00000000
--- a/vnfs/DAaaS/deploy/00-init/gloo/templates/10-ingress-deployment.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{- if or (.Values.ingress.enabled) (.Values.settings.integrations.knative.enabled) }}
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
- labels:
- app: gloo
- gloo: ingress
- name: ingress
- namespace: {{ .Release.Namespace }}
-spec:
- replicas: {{ .Values.ingress.deployment.replicas }}
- selector:
- matchLabels:
- gloo: ingress
- template:
- metadata:
- labels:
- gloo: ingress
- spec:
- containers:
- - image: "{{ .Values.ingress.deployment.image.repository }}:{{ .Values.ingress.deployment.image.tag }}"
- imagePullPolicy: {{ .Values.ingress.deployment.image.pullPolicy }}
- name: ingress
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
-{{- if .Values.settings.integrations.knative.enabled }}
- - name: "ENABLE_KNATIVE_INGRESS"
- value: "true"
-{{- end }}
-
-{{- if not (.Values.ingress.enabled) }}
- - name: "DISABLE_KUBE_INGRESS"
- value: "true"
-{{- end }}
-
-
-{{- end }}
\ No newline at end of file
diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/100-gloo-crds.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/100-gloo-crds.yaml
deleted file mode 100755
index 2c111170..00000000
--- a/vnfs/DAaaS/deploy/00-init/gloo/templates/100-gloo-crds.yaml
+++ /dev/null
@@ -1,111 +0,0 @@ -{{- if .Values.crds.create }} -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: settings.gloo.solo.io - annotations: - "helm.sh/hook": crd-install - labels: - gloo: settings -spec: - group: gloo.solo.io - names: - kind: Settings - listKind: SettingsList - plural: settings - shortNames: - - st - scope: Namespaced - version: v1 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: gateways.gateway.solo.io - annotations: - "helm.sh/hook": crd-install -spec: - group: gateway.solo.io - names: - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - version: v1 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: virtualservices.gateway.solo.io - annotations: - "helm.sh/hook": crd-install -spec: - group: gateway.solo.io - names: - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - version: v1 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: proxies.gloo.solo.io - annotations: - "helm.sh/hook": crd-install -spec: - group: gloo.solo.io - names: - kind: Proxy - listKind: ProxyList - plural: proxies - shortNames: - - px - singular: proxy - scope: Namespaced - version: v1 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: upstreams.gloo.solo.io - annotations: - "helm.sh/hook": crd-install -spec: - group: gloo.solo.io - names: - kind: Upstream - listKind: UpstreamList - plural: upstreams - shortNames: - - us - singular: upstream - scope: Namespaced - version: v1 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: upstreamgroups.gloo.solo.io - annotations: - "helm.sh/hook": crd-install -spec: - group: gloo.solo.io - names: - kind: 
UpstreamGroup - listKind: UpstreamGroupList - plural: upstreamgroups - shortNames: - - ug - singular: upstreamgroup - scope: Namespaced - version: v1 ---- -{{- end}} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/101-knative-crds-0.5.1.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/101-knative-crds-0.5.1.yaml deleted file mode 100755 index 3c9987ef..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/101-knative-crds-0.5.1.yaml +++ /dev/null 
@@ -1,343 +0,0 @@ -{{- if .Values.settings.integrations.knative.enabled }} - ---- -# ↓ required as knative dependency on istio crds is hard-coded right now ↓ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: virtualservices.networking.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - singular: virtualservice - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 - -# ↑ required as knative dependency on istio crds is hard-coded right now ↑ - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/hook": crd-install - labels: - knative.dev/crd-install: "true" - serving.knative.dev/release: devel - name: certificates.networking.internal.knative.dev -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - JSONPath: .status.conditions[?(@.type=="Ready")].reason - name: Reason - type: string - group: networking.internal.knative.dev - names: - categories: - - all - - knative-internal - - networking - kind: Certificate - plural: certificates - shortNames: - - kcert - singular: certificate - scope: Namespaced - subresources: - status: {} - version: v1alpha1 - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/hook": crd-install - labels: - knative.dev/crd-install: "true" - serving.knative.dev/release: devel - name: clusteringresses.networking.internal.knative.dev -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=='Ready')].status - name: Ready - type: string - - JSONPath: .status.conditions[?(@.type=='Ready')].reason - name: Reason - type: string - group: networking.internal.knative.dev - names: - categories: - - all - - 
knative-internal - - networking - kind: ClusterIngress - plural: clusteringresses - singular: clusteringress - scope: Cluster - subresources: - status: {} - version: v1alpha1 - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/hook": crd-install - labels: - knative.dev/crd-install: "true" - serving.knative.dev/release: devel - name: configurations.serving.knative.dev -spec: - additionalPrinterColumns: - - JSONPath: .status.latestCreatedRevisionName - name: LatestCreated - type: string - - JSONPath: .status.latestReadyRevisionName - name: LatestReady - type: string - - JSONPath: .status.conditions[?(@.type=='Ready')].status - name: Ready - type: string - - JSONPath: .status.conditions[?(@.type=='Ready')].reason - name: Reason - type: string - group: serving.knative.dev - names: - categories: - - all - - knative - - serving - kind: Configuration - plural: configurations - shortNames: - - config - - cfg - singular: configuration - scope: Namespaced - subresources: - status: {} - version: v1alpha1 - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/hook": crd-install - labels: - knative.dev/crd-install: "true" - name: images.caching.internal.knative.dev -spec: - group: caching.internal.knative.dev - names: - categories: - - all - - knative-internal - - caching - kind: Image - plural: images - shortNames: - - img - singular: image - scope: Namespaced - subresources: - status: {} - version: v1alpha1 - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/hook": crd-install - labels: - knative.dev/crd-install: "true" - serving.knative.dev/release: devel - name: podautoscalers.autoscaling.internal.knative.dev -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=='Ready')].status - name: Ready - type: string - - JSONPath: 
.status.conditions[?(@.type=='Ready')].reason - name: Reason - type: string - group: autoscaling.internal.knative.dev - names: - categories: - - all - - knative-internal - - autoscaling - kind: PodAutoscaler - plural: podautoscalers - shortNames: - - kpa - singular: podautoscaler - scope: Namespaced - subresources: - status: {} - version: v1alpha1 - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/hook": crd-install - labels: - knative.dev/crd-install: "true" - serving.knative.dev/release: devel - name: revisions.serving.knative.dev -spec: - additionalPrinterColumns: - - JSONPath: .status.serviceName - name: Service Name - type: string - - JSONPath: .metadata.labels['serving\.knative\.dev/configurationGeneration'] - name: Generation - type: string - - JSONPath: .status.conditions[?(@.type=='Ready')].status - name: Ready - type: string - - JSONPath: .status.conditions[?(@.type=='Ready')].reason - name: Reason - type: string - group: serving.knative.dev - names: - categories: - - all - - knative - - serving - kind: Revision - plural: revisions - shortNames: - - rev - singular: revision - scope: Namespaced - subresources: - status: {} - version: v1alpha1 - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/hook": crd-install - labels: - knative.dev/crd-install: "true" - serving.knative.dev/release: devel - name: routes.serving.knative.dev -spec: - additionalPrinterColumns: - - JSONPath: .status.domain - name: Domain - type: string - - JSONPath: .status.conditions[?(@.type=='Ready')].status - name: Ready - type: string - - JSONPath: .status.conditions[?(@.type=='Ready')].reason - name: Reason - type: string - group: serving.knative.dev - names: - categories: - - all - - knative - - serving - kind: Route - plural: routes - shortNames: - - rt - singular: route - scope: Namespaced - subresources: - status: {} - version: v1alpha1 - ---- 
-apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/hook": crd-install - labels: - knative.dev/crd-install: "true" - serving.knative.dev/release: devel - name: services.serving.knative.dev -spec: - additionalPrinterColumns: - - JSONPath: .status.domain - name: Domain - type: string - - JSONPath: .status.latestCreatedRevisionName - name: LatestCreated - type: string - - JSONPath: .status.latestReadyRevisionName - name: LatestReady - type: string - - JSONPath: .status.conditions[?(@.type=='Ready')].status - name: Ready - type: string - - JSONPath: .status.conditions[?(@.type=='Ready')].reason - name: Reason - type: string - group: serving.knative.dev - names: - categories: - - all - - knative - - serving - kind: Service - plural: services - shortNames: - - kservice - - ksvc - singular: service - scope: Namespaced - subresources: - status: {} - version: v1alpha1 - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/hook": crd-install - labels: - knative.dev/crd-install: "true" - serving.knative.dev/release: devel - name: serverlessservices.networking.internal.knative.dev -spec: - group: networking.internal.knative.dev - names: - categories: - - all - - knative-internal - - networking - kind: ServerlessService - plural: serverlessservices - shortNames: - - sks - singular: serverlessservice - scope: Namespaced - subresources: - status: {} - version: v1alpha1 - -{{- end }} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/11-ingress-proxy-deployment.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/11-ingress-proxy-deployment.yaml deleted file mode 100755 index 5dc131e5..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/11-ingress-proxy-deployment.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -{{- if .Values.ingress.enabled }} -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: gloo - gloo: ingress-proxy - name: ingress-proxy - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.ingressProxy.deployment.replicas }} - selector: - matchLabels: - gloo: ingress-proxy - template: - metadata: - labels: - gloo: ingress-proxy -{{- with .Values.ingressProxy.deployment.extraAnnotations }} - annotations: -{{toYaml . | indent 8}}{{- end }} - spec: - containers: - - args: ["--disable-hot-restart"] - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: "{{ .Values.ingressProxy.deployment.image.repository }}:{{ .Values.ingressProxy.deployment.image.tag }}" - imagePullPolicy: {{ .Values.ingressProxy.deployment.image.pullPolicy }} - name: ingress-proxy - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - ports: - - containerPort: {{ .Values.ingressProxy.deployment.httpPort }} - name: http - protocol: TCP - - containerPort: {{ .Values.ingressProxy.deployment.httpsPort }} - name: https - protocol: TCP -{{- with .Values.ingressProxy.deployment.extraPorts }} -{{toYaml . | indent 8}}{{- end }} - volumeMounts: - - mountPath: /etc/envoy - name: envoy-config - {{- if .Values.ingressProxy.deployment.image.pullSecret }} - imagePullSecrets: - - name: {{ .Values.ingressProxy.deployment.image.pullSecret }}{{end}} - volumes: - - configMap: - name: ingress-envoy-config - name: envoy-config - -{{- end }} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/12-ingress-proxy-configmap.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/12-ingress-proxy-configmap.yaml deleted file mode 100755 index 8938a477..00000000 
--- a/vnfs/DAaaS/deploy/00-init/gloo/templates/12-ingress-proxy-configmap.yaml +++ /dev/null @@ -1,52 +0,0 @@ -{{- if .Values.ingress.enabled }} -# configmap -apiVersion: v1 -kind: ConfigMap -metadata: - name: ingress-envoy-config - namespace: {{ .Release.Namespace }} - labels: - app: gloo - gloo: gateway-proxy -data: -{{ if (empty .Values.ingressProxy.configMap.data) }} - envoy.yaml: | - node: - cluster: ingress - id: "{{ "{{" }}.PodName{{ "}}" }}.{{ "{{" }}.PodNamespace{{ "}}" }}" - metadata: - # this line must match ! - role: "{{ "{{" }}.PodNamespace{{ "}}" }}~ingress-proxy" - static_resources: - clusters: - - name: xds_cluster - connect_timeout: 5.000s - load_assignment: - cluster_name: xds_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: gloo - port_value: {{ .Values.gloo.deployment.xdsPort }} - http2_protocol_options: {} - type: STRICT_DNS - dynamic_resources: - ads_config: - api_type: GRPC - grpc_services: - - envoy_grpc: {cluster_name: xds_cluster} - cds_config: - ads: {} - lds_config: - ads: {} - admin: - access_log_path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 -{{- else}}{{ toYaml .Values.ingressProxy.configMap.data | indent 2}}{{- end}} - -{{- end }} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/13-ingress-proxy-service.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/13-ingress-proxy-service.yaml deleted file mode 100755 index 583e8bcd..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/13-ingress-proxy-service.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -{{- if .Values.ingress.enabled }} -apiVersion: v1 -kind: Service -metadata: - labels: - app: gloo - gloo: ingress-proxy - name: ingress-proxy - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: {{ .Values.ingressProxy.deployment.httpPort }} - protocol: TCP - name: http - - port: {{ .Values.ingressProxy.deployment.httpsPort }} - protocol: TCP - name: https - selector: - gloo: ingress-proxy - type: LoadBalancer - - -{{- end }} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/14-clusteringress-proxy-deployment.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/14-clusteringress-proxy-deployment.yaml deleted file mode 100755 index fb7874eb..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/14-clusteringress-proxy-deployment.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -{{- if .Values.settings.integrations.knative.enabled }} - -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: gloo - gloo: clusteringress-proxy - name: clusteringress-proxy - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.settings.integrations.knative.proxy.replicas }} - selector: - matchLabels: - gloo: clusteringress-proxy - template: - metadata: - labels: - gloo: clusteringress-proxy - spec: - containers: - - args: ["--disable-hot-restart"] - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: {{ .Values.settings.integrations.knative.proxy.image.repository }}:{{ .Values.settings.integrations.knative.proxy.image.tag }} - imagePullPolicy: {{ .Values.settings.integrations.knative.proxy.image.pullPolicy }} - name: clusteringress-proxy - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - ports: - - containerPort: {{ .Values.settings.integrations.knative.proxy.httpPort }} - name: http - protocol: TCP - - containerPort: {{ .Values.settings.integrations.knative.proxy.httpsPort }} - name: https - protocol: TCP - volumeMounts: - - mountPath: /etc/envoy - name: envoy-config - volumes: - - configMap: - name: clusteringress-envoy-config - name: envoy-config - -{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/15-clusteringress-proxy-configmap.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/15-clusteringress-proxy-configmap.yaml deleted file mode 100755 index 85a6421f..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/15-clusteringress-proxy-configmap.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -{{- if .Values.settings.integrations.knative.enabled }} -# configmap -apiVersion: v1 -kind: ConfigMap -metadata: - name: clusteringress-envoy-config - namespace: {{ .Release.Namespace }} - labels: - app: gloo - gloo: clusteringress-proxy -data: - envoy.yaml: | - node: - cluster: clusteringress - id: "{{ "{{" }}.PodName{{ "}}" }}.{{ "{{" }}.PodNamespace{{ "}}" }}" - metadata: - # this line must match ! - role: "{{ "{{" }}.PodNamespace{{ "}}" }}~clusteringress-proxy" - static_resources: - clusters: - - name: xds_cluster - connect_timeout: 5.000s - load_assignment: - cluster_name: xds_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: gloo - port_value: {{ .Values.gloo.deployment.xdsPort }} - http2_protocol_options: {} - type: STRICT_DNS - dynamic_resources: - ads_config: - api_type: GRPC - grpc_services: - - envoy_grpc: {cluster_name: xds_cluster} - cds_config: - ads: {} - lds_config: - ads: {} - admin: - access_log_path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 -{{- end }} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/16-clusteringress-proxy-service.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/16-clusteringress-proxy-service.yaml deleted file mode 100755 index 7e25bee9..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/16-clusteringress-proxy-service.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.settings.integrations.knative.enabled }} -apiVersion: v1 -kind: Service -metadata: - labels: - app: gloo - gloo: clusteringress-proxy - name: clusteringress-proxy - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: {{ .Values.settings.integrations.knative.proxy.httpPort }} - protocol: TCP - name: http - - port: {{ .Values.settings.integrations.knative.proxy.httpsPort }} - protocol: TCP - name: https - selector: - gloo: clusteringress-proxy - type: LoadBalancer -{{- end }} \ No newline at end of file 
diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/17-knative-no-istio-0.5.1.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/17-knative-no-istio-0.5.1.yaml
deleted file mode 100755
index a73cf1f2..00000000
--- a/vnfs/DAaaS/deploy/00-init/gloo/templates/17-knative-no-istio-0.5.1.yaml
+++ /dev/null
@@ -1,982 +0,0 @@ -{{- if .Values.settings.integrations.knative.enabled }} -apiVersion: v1 -kind: Namespace -metadata: - labels: - app: gloo - istio-injection: enabled - serving.knative.dev/release: devel - name: knative-serving - ---- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - serving.knative.dev/controller: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - serving.knative.dev/release: devel - name: knative-serving-admin -rules: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - serving.knative.dev/controller: "true" - serving.knative.dev/release: devel - name: knative-serving-core -rules: - - apiGroups: - - "" - resources: - - pods - - namespaces - - secrets - - configmaps - - endpoints - - services - - events - - serviceaccounts - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - - apiGroups: - - extensions - resources: - - ingresses - - deployments - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - - apiGroups: - - apps - resources: - - deployments - - deployments/scale - - statefulsets - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - - apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - - apiGroups: - - serving.knative.dev - resources: - - configurations - - routes - - revisions - - services - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - - apiGroups: - - serving.knative.dev - resources: - - configurations/status - - routes/status - - revisions/status - - services/status - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - - apiGroups: 
- - autoscaling.internal.knative.dev - resources: - - podautoscalers - - podautoscalers/status - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - - apiGroups: - - caching.internal.knative.dev - resources: - - images - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - - apiGroups: - - networking.internal.knative.dev - resources: - - clusteringresses - - clusteringresses/status - - serverlessservices - - serverlessservices/status - verbs: - - get - - list - - create - - update - - delete - - deletecollection - - patch - - watch - - apiGroups: - - networking.istio.io - resources: - - virtualservices - verbs: - - get - - list - - create - - update - - delete - - patch - - watch - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - serving.knative.dev/release: devel - name: controller - namespace: knative-serving - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - serving.knative.dev/release: devel - name: knative-serving-controller-admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: knative-serving-admin -subjects: - - kind: ServiceAccount - name: controller - namespace: knative-serving - ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: activator - serving.knative.dev/release: devel - name: activator-service - namespace: knative-serving -spec: - ports: - - name: http - nodePort: null - port: 80 - protocol: TCP - targetPort: 8080 - - name: http2 - port: 81 - protocol: TCP - targetPort: 8081 - - name: metrics - nodePort: null - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - app: activator - type: ClusterIP - ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: controller - serving.knative.dev/release: devel - name: controller - 
namespace: knative-serving -spec: - ports: - - name: metrics - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - app: controller - ---- -apiVersion: v1 -kind: Service -metadata: - labels: - role: webhook - serving.knative.dev/release: devel - name: webhook - namespace: knative-serving -spec: - ports: - - port: 443 - targetPort: 443 - selector: - role: webhook - ---- -apiVersion: caching.internal.knative.dev/v1alpha1 -kind: Image -metadata: - labels: - serving.knative.dev/release: devel - name: queue-proxy - namespace: knative-serving -spec: - image: gcr.io/knative-releases/github.com/knative/serving/cmd/queue@sha256:b5c759e4ea6f36ae4498c1ec794653920345b9ad7492731fb1d6087e3b95dc43 - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - serving.knative.dev/release: devel - name: activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - role: activator - template: - metadata: - annotations: - sidecar.istio.io/inject: "true" - labels: - app: activator - role: activator - serving.knative.dev/release: devel - spec: - containers: - - args: - - -logtostderr=false - - -stderrthreshold=FATAL - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - image: gcr.io/knative-releases/github.com/knative/serving/cmd/activator@sha256:60630ac88d8cb67debd1e2ab1ecd6ec3ff6cbab2336dda8e7ae1c01ebead76c0 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - name: activator - ports: - - containerPort: 8080 - name: http1-port - - containerPort: 8081 - name: h2c-port - - containerPort: 9090 - name: metrics-port - readinessProbe: - httpGet: - path: /healthz - port: 8080 - resources: - limits: - cpu: 200m - memory: 600Mi - requests: - cpu: 20m - memory: 60Mi - volumeMounts: - - mountPath: /etc/config-logging - name: config-logging - - mountPath: /etc/config-observability - 
name: config-observability - serviceAccountName: controller - volumes: - - configMap: - name: config-logging - name: config-logging - - configMap: - name: config-observability - name: config-observability - ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: autoscaler - serving.knative.dev/release: devel - name: autoscaler - namespace: knative-serving -spec: - ports: - - name: http - port: 8080 - protocol: TCP - targetPort: 8080 - - name: metrics - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - app: autoscaler - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - serving.knative.dev/release: devel - name: autoscaler - namespace: knative-serving -spec: - replicas: 1 - selector: - matchLabels: - app: autoscaler - template: - metadata: - annotations: - sidecar.istio.io/inject: "true" - labels: - app: autoscaler - spec: - containers: - - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - image: gcr.io/knative-releases/github.com/knative/serving/cmd/autoscaler@sha256:442f99e3a55653b19137b44c1d00f681b594d322cb39c1297820eb717e2134ba - name: autoscaler - ports: - - containerPort: 8080 - name: websocket - - containerPort: 9090 - name: metrics - resources: - limits: - cpu: 300m - memory: 400Mi - requests: - cpu: 30m - memory: 40Mi - volumeMounts: - - mountPath: /etc/config-autoscaler - name: config-autoscaler - - mountPath: /etc/config-logging - name: config-logging - - mountPath: /etc/config-observability - name: config-observability - serviceAccountName: controller - volumes: - - configMap: - name: config-autoscaler - name: config-autoscaler - - configMap: - name: config-logging - name: config-logging - - configMap: - name: config-observability - name: config-observability - ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block 
is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this block and unindented to actually change the configuration. - - # The Revision ContainerConcurrency field specifies the maximum number - # of requests the Container can handle at once. Container concurrency - # target percentage is how much of that maximum to use in a stable - # state. E.g. if a Revision specifies ContainerConcurrency of 10, then - # the Autoscaler will try to maintain 7 concurrent connections per pod - # on average. A value of 0.7 is chosen because the Autoscaler panics - # when concurrency exceeds 2x the desired set point. So we will panic - # before we reach the limit. - container-concurrency-target-percentage: "1.0" - - # The container concurrency target default is what the Autoscaler will - # try to maintain when the Revision specifies unlimited concurrency. - # Even when specifying unlimited concurrency, the autoscaler will - # horizontally scale the application based on this target concurrency. - # - # A value of 100 is chosen because it's enough to allow vertical pod - # autoscaling to tune resource requests. E.g. maintaining 1 concurrent - # "hello world" request doesn't consume enough resources to allow VPA - # to achieve efficient resource usage (VPA CPU minimum is 300m). - container-concurrency-target-default: "100" - - # When operating in a stable mode, the autoscaler operates on the - # average concurrency over the stable window. - stable-window: "60s" - - # When observed average concurrency during the panic window reaches 2x - # the target concurrency, the autoscaler enters panic mode. When - # operating in panic mode, the autoscaler operates on the average - # concurrency over the panic window. 
- panic-window: "6s" - - # Max scale up rate limits the rate at which the autoscaler will - # increase pod count. It is the maximum ratio of desired pods versus - # observed pods. - max-scale-up-rate: "10" - - # Scale to zero feature flag - enable-scale-to-zero: "true" - - # Tick interval is the time between autoscaling calculations. - tick-interval: "2s" - - # Dynamic parameters (take effect when config map is updated): - - # Scale to zero grace period is the time an inactive revision is left - # running before it is scaled to zero (min: 30s). - scale-to-zero-grace-period: "30s" -kind: ConfigMap -metadata: - labels: - serving.knative.dev/release: devel - name: config-autoscaler - namespace: knative-serving - ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this block and unindented to actually change the configuration. 
- - # List of repositories for which tag to digest resolving should be skipped - registriesSkippingTagResolving: "ko.local,dev.local" - queueSidecarImage: gcr.io/knative-releases/github.com/knative/serving/cmd/queue@sha256:b5c759e4ea6f36ae4498c1ec794653920345b9ad7492731fb1d6087e3b95dc43 -kind: ConfigMap -metadata: - labels: - serving.knative.dev/release: devel - name: config-controller - namespace: knative-serving - ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this block and unindented to actually change the configuration. - - # revision-timeout-seconds contains the default number of - # seconds to use for the revision's per-request timeout, if - # none is specified. - revision-timeout-seconds: "300" # 5 minutes - - # revision-cpu-request contains the cpu allocation to assign - # to revisions by default. - revision-cpu-request: "400m" # 0.4 of a CPU (aka 400 milli-CPU) -kind: ConfigMap -metadata: - labels: - serving.knative.dev/release: devel - name: config-defaults - namespace: knative-serving - ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this block and unindented to actually change the configuration. - - # Default value for domain. 
- # Although it will match all routes, it is the least-specific rule so it - # will only be used if no other domain matches. - example.com: | - - # These are example settings of domain. - # example.org will be used for routes having app=nonprofit. - example.org: | - selector: - app: nonprofit - - # Routes having domain suffix of 'svc.cluster.local' will not be exposed - # through Ingress. You can define your own label selector to assign that - # domain suffix to your Route here, or you can set the label - # "serving.knative.dev/visibility=cluster-local" - # to achieve the same effect. This shows how to make routes having - # the label app=secret only exposed to the local cluster. - svc.cluster.local: | - selector: - app: secret -kind: ConfigMap -metadata: - labels: - serving.knative.dev/release: devel - name: config-domain - namespace: knative-serving - ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this block and unindented to actually change the configuration. 
- - # Delay after revision creation before considering it for GC - stale-revision-create-delay: "24h" - - # Duration since a route has been pointed at a revision before it should be GC'd - # This minus lastpinned-debounce be longer than the controller resync period (10 hours) - stale-revision-timeout: "15h" - - # Minimum number of generations of revisions to keep before considering for GC - stale-revision-minimum-generations: "1" - - # To avoid constant updates, we allow an existing annotation to be stale by this - # amount before we update the timestamp - stale-revision-lastpinned-debounce: "5h" -kind: ConfigMap -metadata: - labels: - serving.knative.dev/release: devel - name: config-gc - namespace: knative-serving - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - networking.knative.dev/ingress-provider: istio - serving.knative.dev/release: devel - name: config-istio - namespace: knative-serving - ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this block and unindented to actually change the configuration. 
- - # Common configuration for all Knative codebase - zap-logger-config: | - { - "level": "info", - "development": false, - "outputPaths": ["stdout"], - "errorOutputPaths": ["stderr"], - "encoding": "json", - "encoderConfig": { - "timeKey": "ts", - "levelKey": "level", - "nameKey": "logger", - "callerKey": "caller", - "messageKey": "msg", - "stacktraceKey": "stacktrace", - "lineEnding": "", - "levelEncoder": "", - "timeEncoder": "iso8601", - "durationEncoder": "", - "callerEncoder": "" - } - } - - # Log level overrides - # For all components except the autoscaler and queue proxy, - # changes are be picked up immediately. - # For autoscaler and queue proxy, changes require recreation of the pods. - loglevel.controller: "info" - loglevel.autoscaler: "info" - loglevel.queueproxy: "info" - loglevel.webhook: "info" - loglevel.activator: "info" -kind: ConfigMap -metadata: - labels: - serving.knative.dev/release: devel - name: config-logging - namespace: knative-serving - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - serving.knative.dev/release: devel - name: config-network - namespace: knative-serving - ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this block and unindented to actually change the configuration. - - # logging.enable-var-log-collection defaults to false. - # A fluentd sidecar will be set up to collect var log if - # this flag is true. - logging.enable-var-log-collection: false - - # logging.fluentd-sidecar-image provides the fluentd sidecar image - # to inject as a sidecar to collect logs from /var/log. 
- # Must be presented if logging.enable-var-log-collection is true. - logging.fluentd-sidecar-image: k8s.gcr.io/fluentd-elasticsearch:v2.0.4 - - # logging.fluentd-sidecar-output-config provides the configuration - # for the fluentd sidecar, which will be placed into a configmap and - # mounted into the fluentd sidecar image. - logging.fluentd-sidecar-output-config: | - # Parse json log before sending to Elastic Search - - @type parser - key_name log - - @type multi_format - - format json - time_key fluentd-time # fluentd-time is reserved for structured logs - time_format %Y-%m-%dT%H:%M:%S.%NZ - - - format none - message_key log - - - - # Send to Elastic Search - - @id elasticsearch - @type elasticsearch - @log_level info - include_tag_key true - # Elasticsearch service is in monitoring namespace. - host elasticsearch-logging.knative-monitoring - port 9200 - logstash_format true - - @type file - path /var/log/fluentd-buffers/kubernetes.system.buffer - flush_mode interval - retry_type exponential_backoff - flush_thread_count 2 - flush_interval 5s - retry_forever - retry_max_interval 30 - chunk_limit_size 2M - queue_limit_length 8 - overflow_action block - - - - # logging.revision-url-template provides a template to use for producing the - # logging URL that is injected into the status of each Revision. - # This value is what you might use the the Knative monitoring bundle, and provides - # access to Kibana after setting up kubectl proxy. - logging.revision-url-template: | - http://localhost:8001/api/v1/namespaces/knative-monitoring/services/kibana-logging/proxy/app/kibana#/discover?_a=(query:(match:(kubernetes.labels.knative-dev%2FrevisionUID:(query:'${REVISION_UID}',type:phrase)))) - - # If non-empty, this enables queue proxy writing request logs to stdout. - # The value determines the shape of the request logs and it must be a valid go text/template. - # It is important to keep this as a single line. 
Multiple lines are parsed as separate entities - # by most collection agents and will split the request logs into multiple records. - # - # The following fields and functions are available to the template: - # - # Request: An http.Request (see https://golang.org/pkg/net/http/#Request) - # representing an HTTP request received by the server. - # - # Response: - # struct { - # Code int // HTTP status code (see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml) - # Size int // An int representing the size of the response. - # Latency float64 // A float64 representing the latency of the response in seconds. - # } - # - # Revision: - # struct { - # Name string // Knative revision name - # Namespace string // Knative revision namespace - # Service string // Knative service name - # Configuration string // Knative configuration name - # PodName string // Name of the pod hosting the revision - # PodIP string // IP of the pod hosting the revision - # } - # - logging.request-log-template: '{"httpRequest": {"requestMethod": "{{ "{{" }}.Request.Method{{ "{{" }}", "requestUrl": "{{ "{{" }}js .Request.RequestURI{{ "{{" }}", "requestSize": "{{ "{{" }}.Request.ContentLength{{ "{{" }}", "status": {{ "{{" }}.Response.Code{{ "{{" }}, "responseSize": "{{ "{{" }}.Response.Size{{ "{{" }}", "userAgent": "{{ "{{" }}js .Request.UserAgent{{ "{{" }}", "remoteIp": "{{ "{{" }}js .Request.RemoteAddr{{ "{{" }}", "serverIp": "{{ "{{" }}.Revision.PodIP{{ "{{" }}", "referer": "{{ "{{" }}js .Request.Referer{{ "{{" }}", "latency": "{{ "{{" }}.Response.Latency{{ "{{" }}s", "protocol": "{{ "{{" }}.Request.Proto{{ "{{" }}"}, "traceId": "{{ "{{" }}index .Request.Header "X-B3-Traceid"{{ "{{" }}"}' - - # metrics.backend-destination field specifies the system metrics destination. - # It supports either prometheus (the default) or stackdriver. 
- # Note: Using stackdriver will incur additional charges - metrics.backend-destination: prometheus - - # metrics.request-metrics-backend-destination specifies the request metrics - # destination. If non-empty, it enables queue proxy to send request metrics. - # Currently supported values: prometheus, stackdriver. - metrics.request-metrics-backend-destination: prometheus - - # metrics.stackdriver-project-id field specifies the stackdriver project ID. This - # field is optional. When running on GCE, application default credentials will be - # used if this field is not provided. - metrics.stackdriver-project-id: "" - - # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to - # Stackdriver using "global" resource type and custom metric type if the - # metrics are not supported by "knative_revision" resource type. Setting this - # flag to "true" could cause extra Stackdriver charge. - # If metrics.backend-destination is not Stackdriver, this is ignored. 
- metrics.allow-stackdriver-custom-metrics: "false" -kind: ConfigMap -metadata: - labels: - serving.knative.dev/release: devel - name: config-observability - namespace: knative-serving - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - serving.knative.dev/release: devel - name: controller - namespace: knative-serving -spec: - replicas: 1 - selector: - matchLabels: - app: controller - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: controller - spec: - containers: - - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - image: gcr.io/knative-releases/github.com/knative/serving/cmd/controller@sha256:25af5f3adad8b65db3126e0d6e90aa36835c124c24d9d72ffbdd7ee739a7f571 - name: controller - ports: - - containerPort: 9090 - name: metrics - resources: - limits: - cpu: 1000m - memory: 1000Mi - requests: - cpu: 100m - memory: 100Mi - volumeMounts: - - mountPath: /etc/config-logging - name: config-logging - serviceAccountName: controller - volumes: - - configMap: - name: config-logging - name: config-logging - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - serving.knative.dev/release: devel - name: webhook - namespace: knative-serving -spec: - replicas: 1 - selector: - matchLabels: - app: webhook - role: webhook - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: webhook - role: webhook - spec: - containers: - - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - image: gcr.io/knative-releases/github.com/knative/serving/cmd/webhook@sha256:d1ba3e2c0d739084ff508629db001619cea9cc8780685e85dd910363774eaef6 - name: webhook - resources: - limits: - cpu: 200m - memory: 200Mi - requests: - cpu: 20m - memory: 20Mi - volumeMounts: - - mountPath: /etc/config-logging - name: config-logging - 
serviceAccountName: controller - volumes: - - configMap: - name: config-logging - name: config-logging - -{{- end }} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/18-settings.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/18-settings.yaml deleted file mode 100755 index a2eec087..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/18-settings.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{ if .Values.settings.create }} - -apiVersion: gloo.solo.io/v1 -kind: Settings -metadata: - name: default - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-install -spec: - bindAddr: 0.0.0.0:{{ .Values.gloo.deployment.xdsPort }} - discoveryNamespace: {{ .Values.settings.writeNamespace }} - kubernetesArtifactSource: {} - kubernetesConfigSource: {} - kubernetesSecretSource: {} - refreshRate: 60s - -{{- if .Values.settings.extensions }} - extensions: -{{- toYaml .Values.settings.extensions | nindent 4 }} -{{- end }} - -{{- with .Values.settings.watchNamespaces }} - watchNamespaces: - {{- range . }} - - {{ . }} - {{- end }} -{{- end }} - -{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/20-namespace-clusterrole-gateway.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/20-namespace-clusterrole-gateway.yaml deleted file mode 100755 index 35fb5eb0..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/20-namespace-clusterrole-gateway.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -{{- if .Values.rbac.create }} - -{{- if .Values.gateway.enabled }} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-role-gateway - labels: - app: gloo - gloo: rbac -rules: -- apiGroups: [""] - resources: ["pods", "services", "secrets", "endpoints", "configmaps"] - verbs: ["*"] -- apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "create"] -- apiGroups: ["gloo.solo.io"] - resources: ["settings", "upstreams","upstreamgroups", "proxies","virtualservices"] - verbs: ["*"] -- apiGroups: ["gateway.solo.io"] - resources: ["virtualservices", "gateways"] - verbs: ["*"] -{{- end -}} - -{{- end -}} diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/21-namespace-clusterrole-ingress.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/21-namespace-clusterrole-ingress.yaml deleted file mode 100755 index 15215b9f..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/21-namespace-clusterrole-ingress.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- if .Values.rbac.create }} - -{{- if .Values.ingress.enabled }} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-role-ingress - labels: - app: gloo - gloo: rbac -rules: -- apiGroups: [""] - resources: ["pods", "services", "secrets", "endpoints", "configmaps"] - verbs: ["*"] -- apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "create"] -- apiGroups: ["gloo.solo.io"] - resources: ["settings", "upstreams","upstreamgroups", "proxies","virtualservices"] - verbs: ["*"] -- apiGroups: ["extensions", ""] - resources: ["ingresses"] - verbs: ["*"] -{{- end -}} - -{{- end -}} 
diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/22-namespace-clusterrole-knative.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/22-namespace-clusterrole-knative.yaml deleted file mode 100755 index 1bd2b95d..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/22-namespace-clusterrole-knative.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- if .Values.rbac.create }} - -{{- if .Values.settings.integrations.knative.enabled }} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-role-knative - labels: - app: gloo - gloo: rbac -rules: -- apiGroups: [""] - resources: ["pods", "services", "secrets", "endpoints", "configmaps"] - verbs: ["*"] -- apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "create"] -- apiGroups: ["gloo.solo.io"] - resources: ["settings", "upstreams","upstreamgroups", "proxies","virtualservices"] - verbs: ["*"] -- apiGroups: ["networking.internal.knative.dev"] - resources: ["clusteringresses"] - verbs: ["get", "list", "watch"] -{{- end -}} - -{{- end -}} diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/23-namespace-clusterrolebinding-gateway.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/23-namespace-clusterrolebinding-gateway.yaml deleted file mode 100755 index 62198913..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/23-namespace-clusterrolebinding-gateway.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.rbac.create }} - -{{- if .Values.gateway.enabled }} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-role-binding-gateway-{{ .Release.Namespace }} - labels: - app: gloo - gloo: rbac -subjects: -- kind: ServiceAccount - name: default - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: gloo-role-gateway - apiGroup: rbac.authorization.k8s.io - -{{- end -}} - -{{- end -}} 
diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/24-namespace-clusterrolebinding-ingress.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/24-namespace-clusterrolebinding-ingress.yaml deleted file mode 100755 index 7ef5cbae..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/24-namespace-clusterrolebinding-ingress.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.rbac.create }} - -{{- if .Values.ingress.enabled }} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-role-binding-ingress-{{ .Release.Namespace }} - labels: - app: gloo - gloo: rbac -subjects: -- kind: ServiceAccount - name: default - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: gloo-role-ingress - apiGroup: rbac.authorization.k8s.io - -{{- end -}} - -{{- end -}} diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/25-namespace-clusterrolebinding-knative.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/25-namespace-clusterrolebinding-knative.yaml deleted file mode 100755 index 5f05de96..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/25-namespace-clusterrolebinding-knative.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.rbac.create }} - -{{- if .Values.settings.integrations.knative.enabled }} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gloo-role-binding-knative-{{ .Release.Namespace }} - labels: - app: gloo - gloo: rbac -subjects: -- kind: ServiceAccount - name: default - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: gloo-role-knative - apiGroup: rbac.authorization.k8s.io -{{- end -}} - -{{- end -}} diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/3-gloo-deployment.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/3-gloo-deployment.yaml deleted file mode 100755 index b3d8423f..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/3-gloo-deployment.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: gloo - gloo: gloo - name: gloo - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.gloo.deployment.replicas }} - selector: - matchLabels: - gloo: gloo - template: - metadata: - labels: - gloo: gloo - {{- if .Values.gloo.deployment.stats }} - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "9091" - prometheus.io/scrape: "true" - {{- end}} - spec: - containers: - - image: "{{ .Values.gloo.deployment.image.repository }}:{{ .Values.gloo.deployment.image.tag }}" - imagePullPolicy: {{ .Values.gloo.deployment.image.pullPolicy }} - name: gloo - resources: - requests: - cpu: 1 - memory: 256Mi - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 10101 - capabilities: - drop: - - ALL - ports: - - containerPort: {{ .Values.gloo.deployment.xdsPort }} - name: grpc - protocol: TCP - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.gloo.deployment.stats }} - - name: START_STATS_SERVER - value: "true" - {{- end}} - {{- if .Values.gloo.deployment.image.pullSecret }} - imagePullSecrets: - - name: {{ .Values.gloo.deployment.image.pullSecret }}{{end}} - diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/4-gloo-service.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/4-gloo-service.yaml deleted file mode 100755 index ab49ea3f..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/4-gloo-service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: gloo - gloo: gloo - name: gloo - namespace: {{ .Release.Namespace }} -spec: -{{ if .Values.gloo.deployment.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.gloo.deployment.externalTrafficPolicy }} -{{- end }} - ports: - - name: grpc - port: {{ .Values.gloo.deployment.xdsPort }} - protocol: TCP - selector: - gloo: gloo 
diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/5-discovery-deployment.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/5-discovery-deployment.yaml deleted file mode 100755 index 1a44e922..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/5-discovery-deployment.yaml +++ /dev/null @@ -1,46 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: gloo - gloo: discovery - name: discovery - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.discovery.deployment.replicas }} - selector: - matchLabels: - gloo: discovery - template: - metadata: - labels: - gloo: discovery - {{- if .Values.discovery.deployment.stats }} - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "9091" - prometheus.io/scrape: "true" - {{- end}} - spec: - containers: - - image: "{{ .Values.discovery.deployment.image.repository }}:{{ .Values.discovery.deployment.image.tag }}" - imagePullPolicy: {{ .Values.discovery.deployment.image.pullPolicy }} - name: discovery - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 10101 - capabilities: - drop: - - ALL - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.discovery.deployment.stats }} - - name: START_STATS_SERVER - value: "true" - {{- end}} - diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/6-gateway-deployment.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/6-gateway-deployment.yaml deleted file mode 100755 index 0a32241e..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/6-gateway-deployment.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{- if .Values.gateway.enabled }} -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: gloo - gloo: gateway - name: gateway - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.gateway.deployment.replicas }} - selector: - matchLabels: - gloo: gateway - template: - metadata: - labels: - gloo: gateway - {{- if .Values.gateway.deployment.stats }} - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "9091" - prometheus.io/scrape: "true" - {{- end}} - spec: - containers: - - image: "{{ .Values.gateway.deployment.image.repository }}:{{ .Values.gateway.deployment.image.tag }}" - imagePullPolicy: {{ .Values.gateway.deployment.image.pullPolicy }} - name: gateway - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 10101 - capabilities: - drop: - - ALL - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.gateway.deployment.stats }} - - name: START_STATS_SERVER - value: "true" - {{- end}} -{{- end }} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/7-gateway-proxy-deployment.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/7-gateway-proxy-deployment.yaml deleted file mode 100755 index bb54e8f3..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/7-gateway-proxy-deployment.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -{{- if .Values.gateway.enabled }} -{{- range $key, $spec := .Values.gatewayProxies }} ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: gloo - gloo: {{ $key }} - name: {{ $key }} - namespace: {{ $.Release.Namespace }} -spec: - replicas: {{ $spec.deployment.replicas }} - selector: - matchLabels: - gloo: {{ $key }} - template: - metadata: - labels: - gloo: {{ $key }} -{{- with $spec.deployment.extraAnnotations }} - annotations: -{{toYaml . | indent 8}}{{- end }} - spec: - containers: - - args: ["--disable-hot-restart"] - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: {{ $spec.deployment.image.repository }}:{{ $spec.deployment.image.tag }} - imagePullPolicy: {{ $spec.deployment.image.pullPolicy }} - name: gateway-proxy - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - ports: - - containerPort: {{ $spec.deployment.httpPort }} - name: http - protocol: TCP - - containerPort: {{ $spec.deployment.httpsPort }} - name: https - protocol: TCP -{{- with $spec.deployment.extraPorts }} -{{toYaml . | indent 8}}{{- end }} - volumeMounts: - - mountPath: /etc/envoy - name: envoy-config - {{- if $spec.deployment.image.pullSecret }} - imagePullSecrets: - - name: {{ $spec.deployment.image.pullSecret }}{{end}} - volumes: - - configMap: - name: {{ $key }}-envoy-config - name: envoy-config -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/8-gateway-proxy-service.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/8-gateway-proxy-service.yaml deleted file mode 100755 index f0b7d347..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/8-gateway-proxy-service.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{- if .Values.gateway.enabled }} -{{- range $key, $spec := .Values.gatewayProxies }} ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: gloo - gloo: {{ $key }} - name: {{ $key }} - namespace: {{ $.Release.Namespace }} - {{- with $spec.service.extraAnnotations }} - annotations: -{{toYaml . | indent 8}}{{- end }} -spec: - ports: - - port: {{ $spec.service.httpPort }} - targetPort: {{ $spec.deployment.httpPort }} - protocol: TCP - name: http - - port: {{ $spec.service.httpsPort }} - targetPort: {{ $spec.deployment.httpsPort }} - protocol: TCP - name: https - selector: - gloo: {{ $key }} - type: {{ $spec.service.type }} - {{- if and (eq $spec.service.type "ClusterIP") $spec.service.clusterIP }} - clusterIP: {{ $spec.service.clusterIP }} - {{- end }} - {{- if and (eq $spec.service.type "LoadBalancer") $spec.service.loadBalancerIP }} - loadBalancerIP: {{ $spec.service.loadBalancerIP }} - {{- end }} -{{- end }} -{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/gloo/templates/9-gateway-proxy-configmap.yaml b/vnfs/DAaaS/deploy/00-init/gloo/templates/9-gateway-proxy-configmap.yaml deleted file mode 100755 index 03c5a920..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/templates/9-gateway-proxy-configmap.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -{{- if .Values.gateway.enabled }} -{{- range $key, $spec := .Values.gatewayProxies }} ---- -# config_map -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $key }}-envoy-config - namespace: {{ $.Release.Namespace }} - labels: - app: gloo - gloo: {{ $key }} -data: -{{ if (empty $spec.configMap.data) }} - envoy.yaml: | - node: - cluster: gateway - id: "{{ "{{" }}.PodName{{ "}}" }}.{{ "{{" }}.PodNamespace{{ "}}" }}" - metadata: - # this line must match ! - role: "{{ "{{" }}.PodNamespace{{ "}}" }}~gateway-proxy" - static_resources: - clusters: - - name: gloo.{{ $.Release.Namespace }}.svc.cluster.local:{{ $.Values.gloo.deployment.xdsPort }} - connect_timeout: 5.000s - load_assignment: - cluster_name: gloo.{{ $.Release.Namespace }}.svc.cluster.local:{{ $.Values.gloo.deployment.xdsPort }} - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: gloo.{{ $.Release.Namespace }}.svc.cluster.local - port_value: {{ $.Values.gloo.deployment.xdsPort }} - http2_protocol_options: {} - type: STRICT_DNS - dynamic_resources: - ads_config: - api_type: GRPC - grpc_services: - - envoy_grpc: {cluster_name: gloo.{{ $.Release.Namespace }}.svc.cluster.local:{{ $.Values.gloo.deployment.xdsPort }}} - cds_config: - ads: {} - lds_config: - ads: {} - admin: - access_log_path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 -{{- else}}{{ toYaml $spec.configMap.data | indent 2}}{{- end}} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/gloo/values-ingress.yaml b/vnfs/DAaaS/deploy/00-init/gloo/values-ingress.yaml deleted file mode 100755 index 98dd42ae..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/values-ingress.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -crds: - create: true -discovery: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/discovery - tag: 0.13.18 - replicas: 1 - stats: false -gateway: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/gateway - tag: "" - replicas: 1 - stats: false - enabled: false -gatewayProxies: - gateway-proxy: - configMap: - data: null - deployment: - httpPort: "8080" - httpsPort: "8443" - image: - pullPolicy: Always - repository: quay.io/solo-io/gloo-envoy-wrapper - tag: "" - replicas: 1 - stats: false - service: - httpPort: "80" - httpsPort: "443" - type: LoadBalancer -gloo: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/gloo - tag: 0.13.18 - replicas: 1 - stats: false - xdsPort: "9977" -ingress: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/ingress - tag: 0.13.18 - replicas: 1 - stats: false - enabled: true -ingressProxy: - configMap: {} - deployment: - httpPort: "80" - httpsPort: "443" - image: - pullPolicy: Always - repository: quay.io/solo-io/gloo-envoy-wrapper - tag: 0.13.18 - replicas: 1 - stats: false -namespace: - create: false -rbac: - create: true -settings: - integrations: - knative: - enabled: false - writeNamespace: gloo-system diff --git a/vnfs/DAaaS/deploy/00-init/gloo/values-knative.yaml b/vnfs/DAaaS/deploy/00-init/gloo/values-knative.yaml deleted file mode 100755 index c53ca1a9..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/values-knative.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -crds: - create: true -discovery: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/discovery - tag: 0.13.18 - replicas: 1 - stats: false -gateway: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/gateway - tag: "" - replicas: 1 - stats: false - enabled: false -gatewayProxies: - gateway-proxy: - configMap: - data: null - deployment: - httpPort: "8080" - httpsPort: "8443" - image: - pullPolicy: Always - repository: quay.io/solo-io/gloo-envoy-wrapper - tag: "" - replicas: 1 - stats: false - service: - httpPort: "80" - httpsPort: "443" - type: LoadBalancer -gloo: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/gloo - tag: 0.13.18 - replicas: 1 - stats: false - xdsPort: "9977" -ingress: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/ingress - tag: 0.13.18 - replicas: 1 - stats: false - enabled: false -namespace: - create: false -rbac: - create: true -settings: - integrations: - knative: - enabled: true - proxy: - httpPort: "80" - httpsPort: "443" - image: - pullPolicy: Always - repository: quay.io/solo-io/gloo-envoy-wrapper - tag: 0.13.18 - replicas: 1 - stats: false - writeNamespace: gloo-system diff --git a/vnfs/DAaaS/deploy/00-init/gloo/values.yaml b/vnfs/DAaaS/deploy/00-init/gloo/values.yaml deleted file mode 100755 index daeab0c3..00000000 --- a/vnfs/DAaaS/deploy/00-init/gloo/values.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -crds: - create: true -discovery: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/discovery - tag: 0.13.18 - replicas: 1 - stats: false -gateway: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/gateway - tag: 0.13.18 - replicas: 1 - stats: false - enabled: true -gatewayProxies: - gateway-proxy: - configMap: - data: null - deployment: - httpPort: "8080" - httpsPort: "8443" - image: - pullPolicy: Always - repository: quay.io/solo-io/gloo-envoy-wrapper - tag: 0.13.18 - replicas: 1 - stats: false - service: - httpPort: "80" - httpsPort: "443" - type: LoadBalancer -gloo: - deployment: - image: - pullPolicy: Always - repository: quay.io/solo-io/gloo - tag: 0.13.18 - replicas: 1 - stats: false - xdsPort: "9977" -ingress: - enabled: false -namespace: - create: false -rbac: - create: true -settings: - integrations: - knative: - enabled: false - writeNamespace: gloo-system diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/.helmignore b/vnfs/DAaaS/deploy/00-init/istio-operator/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/Chart.yaml b/vnfs/DAaaS/deploy/00-init/istio-operator/Chart.yaml new file mode 100644 index 00000000..1da83af4 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/Chart.yaml 
@@ -0,0 +1,20 @@ + + +#/*Copyright 2019 Intel Corporation, Inc +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# */ +name: istio-operator +version: 0.0.15 +description: istio-operator manages Istio deployments on Kubernetes +appVersion: 0.2.1 diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/README.md b/vnfs/DAaaS/deploy/00-init/istio-operator/README.md new file mode 100644 index 00000000..4611a81e --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/README.md 
@@ -0,0 +1,55 @@ +/* + * Copyright 2019 Intel Corporation, Inc + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +## Prerequisites + +- Kubernetes 1.10.0+ + +## Installing the chart + +To install the chart from local directory: + +``` +helm install --name=istio-operator --namespace=istio-system istio-operator +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-operator` release: + +``` +$ helm del --purge istio-operator +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the Banzaicloud Istio Operator chart and their default values. 
+ +Parameter | Description | Default +--------- | ----------- | ------- +`operator.image.repository` | Operator container image repository | `banzaicloud/istio-operator` +`operator.image.tag` | Operator container image tag | `0.2.1` +`operator.image.pullPolicy` | Operator container image pull policy | `IfNotPresent` +`operator.resources` | CPU/Memory resource requests/limits (YAML) | Memory: `128Mi/256Mi`, CPU: `100m/200m` +`istioVersion` | Supported Istio version | `1.2` +`prometheusMetrics.enabled` | If true, use direct access for Prometheus metrics | `false` +`prometheusMetrics.authProxy.enabled` | If true, use auth proxy for Prometheus metrics | `true` +`prometheusMetrics.authProxy.image.repository` | Auth proxy container image repository | `gcr.io/kubebuilder/kube-rbac-proxy` +`prometheusMetrics.authProxy.image.tag` | Auth proxy container image tag | `v0.4.0` +`prometheusMetrics.authProxy.image.pullPolicy` | Auth proxy container image pull policy | `IfNotPresent` +`rbac.enabled` | Create rbac service account and roles | `true` diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/templates/_helpers.tpl b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/_helpers.tpl new file mode 100644 index 00000000..065bc1e3 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/_helpers.tpl 
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio-operator.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/templates/authproxy-rbac.yaml b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/authproxy-rbac.yaml new file mode 100644 index 00000000..8a047e03 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/authproxy-rbac.yaml 
@@ -0,0 +1,54 @@ +{{- if and .Values.rbac.enabled .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "istio-operator.fullname" . }}-authproxy + labels: + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: authproxy +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: "{{ include "istio-operator.fullname" . }}-authproxy" + labels: + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: authproxy +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: "{{ include "istio-operator.fullname" . }}-authproxy" + labels: + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: authproxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "{{ include "istio-operator.fullname" . }}-authproxy" +subjects: +- kind: ServiceAccount + name: {{ include "istio-operator.fullname" . }}-authproxy + namespace: {{ .Release.Namespace }} +{{- end }} 
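Review bot: The ClusterRole and ClusterRoleBinding here are named `{{ include "istio-operator.fullname" . }}-authproxy` with no namespace component, so two releases with the same release name in different namespaces collide on a single cluster-scoped object, and whichever install wins decides which `subjects[].namespace` the binding points at; the gloo templates this commit deletes avoided exactly that with a `-{{ .Release.Namespace }}` suffix, and the same suffix on `metadata.name` of both objects plus `roleRef.name` would be worth carrying over. The rule set itself (`create` on `tokenreviews` and `subjectaccessreviews`) is the minimal privilege a kube-rbac-proxy needs to authenticate and authorize scrapers, which is the right shape. Note that the dedicated `-authproxy` ServiceAccount only takes effect if the pod running the proxy sets `serviceAccountName` to it; a pod has one service account, so if the proxy is a sidecar of the operator pod (the authproxy Service selects `app.kubernetes.io/component: operator`) it would actually run under the operator's SA and this binding would be dead weight — the operator deployment is not in this chunk, so please confirm which SA the proxy container ends up with.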
diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/templates/authproxy-service.yaml b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/authproxy-service.yaml new file mode 100644 index 00000000..aad8a2be --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/authproxy-service.yaml @@ -0,0 +1,30 @@ +{{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "istio-operator.fullname" . }}-authproxy + annotations: + prometheus.io/port: "8443" + prometheus.io/scheme: https + prometheus.io/scrape: "true" + labels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: authproxy +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: operator +{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-istio-1.2-crd.yaml b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-istio-1.2-crd.yaml new file mode 100644 index 00000000..b52ffc39 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-istio-1.2-crd.yaml 
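Review bot: This Service is gated only on `prometheusMetrics.enabled` and `prometheusMetrics.authProxy.enabled`, whereas the proxy's ServiceAccount and ClusterRole in authproxy-rbac.yaml are additionally gated on `rbac.enabled`; with `rbac.enabled=false` the chart still advertises a scrape target (`prometheus.io/scrape: "true"` on port 8443) but, if the proxy is the kube-rbac-proxy the README names, it has no permission to create TokenReview/SubjectAccessReview and every scrape will be rejected. It fails closed, which is acceptable, but it is a silent misconfiguration; either align the guard, `{{- if and .Values.rbac.enabled .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }}`, or add a comment above the Service stating that metrics are unreachable unless RBAC is enabled. `targetPort: https` also depends on the operator pod declaring a container port named `https`; that deployment template is outside this chunk, so confirm the port name matches.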
@@ -0,0 +1,676 @@ +{{ if eq .Values.istioVersion 1.2 }} +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istios.istio.banzaicloud.io + labels: + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +spec: + additionalPrinterColumns: + - JSONPath: .status.Status + description: Status of the resource + name: Status + type: string + - JSONPath: .status.ErrorMessage + description: Error message + name: Error + type: string + - JSONPath: .status.GatewayAddress + description: Ingress gateways of the resource + name: Gateways + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: istio.banzaicloud.io + names: + kind: Istio + plural: istios + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + autoInjectionNamespaces: + description: List of namespaces to label with sidecar auto injection + enabled + items: + type: string + type: array + citadel: + description: Citadel configuration options + properties: + affinity: + type: object + caSecretName: + type: string + enabled: + type: boolean + healthCheck: + description: Enable health checking on the Citadel CSR signing API. + https://istio.io/docs/tasks/security/health-check/ + type: boolean + image: + type: string + maxWorkloadCertTTL: + description: Citadel uses a flag max-workload-cert-ttl to control + the maximum lifetime for Istio certificates issued to workloads. + The default value is 90 days. If workload-cert-ttl on Citadel + or node agent is greater than max-workload-cert-ttl, Citadel will + fail issuing the certificate. + type: string + nodeSelector: + type: object + resources: + type: object + tolerations: + items: + type: object + type: array + workloadCertTTL: + description: For the workloads running in Kubernetes, the lifetime + of their Istio certificates is controlled by the workload-cert-ttl + flag on Citadel. The default value is 90 days. This value should + be no greater than max-workload-cert-ttl of Citadel. 
+ type: string + type: object + controlPlaneSecurityEnabled: + description: ControlPlaneSecurityEnabled control plane services are + communicating through mTLS + type: boolean + defaultConfigVisibility: + description: Set the default set of namespaces to which services, service + entries, virtual services, destination rules should be exported to + type: string + defaultPodDisruptionBudget: + description: Enable pod disruption budget for the control plane, which + is used to ensure Istio control plane components are gradually upgraded + or recovered + properties: + enabled: + type: boolean + type: object + defaultResources: + description: DefaultResources are applied for all Istio components by + default, can be overridden for each component + type: object + excludeIPRanges: + description: ExcludeIPRanges the range where not to capture egress traffic + type: string + galley: + description: Galley configuration options + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + gateways: + description: Gateways configuration options + properties: + egress: + properties: + affinity: + type: object + applicationPorts: + type: string + enabled: + type: boolean + loadBalancerIP: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + ports: + items: + type: object + type: array + replicaCount: + format: int32 + type: integer + requestedNetworkView: + type: string + resources: + type: object + sds: + properties: + enabled: + type: boolean + image: + type: string + resources: + type: object + type: object + serviceAnnotations: + type: object + serviceLabels: + type: object + serviceType: + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + items: + 
type: object + type: array + type: object + enabled: + type: boolean + ingress: + properties: + affinity: + type: object + applicationPorts: + type: string + enabled: + type: boolean + loadBalancerIP: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + ports: + items: + type: object + type: array + replicaCount: + format: int32 + type: integer + requestedNetworkView: + type: string + resources: + type: object + sds: + properties: + enabled: + type: boolean + image: + type: string + resources: + type: object + type: object + serviceAnnotations: + type: object + serviceLabels: + type: object + serviceType: + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + items: + type: object + type: array + type: object + type: object + imagePullPolicy: + description: ImagePullPolicy describes a policy for if/when to pull + a container image + enum: + - Always + - Never + - IfNotPresent + type: string + includeIPRanges: + description: IncludeIPRanges the range where to capture egress traffic + type: string + istioCoreDNS: + description: Istio CoreDNS provides DNS resolution for services in multi + mesh setups + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + pluginImage: + type: string + replicaCount: + format: int32 + type: integer + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + localityLB: + description: Locality based load balancing distribution or failover + settings. + properties: + distribute: + description: 'Optional: only one of distribute or failover can be + set. Explicitly specify loadbalancing weight across different + zones and geographical locations. 
Refer to [Locality weighted + load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight) + If empty, the locality weight is set according to the endpoints + number within it.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 'region/zone'. + type: string + to: + description: Map of upstream localities to traffic distribution + weights. The sum of all weights should be == 100. Any locality + not assigned a weight will receive no traffic. + type: object + type: object + type: array + enabled: + description: If set to true, locality based load balancing will + be enabled + type: boolean + failover: + description: 'Optional: only failover or distribute can be set. + Explicitly specify the region traffic will land on when endpoints + in local region becomes unhealthy. Should be used together with + OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection + specified, this will not take effect.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over + to when endpoints in the 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + type: object + meshExpansion: + description: If set to true, the pilot and citadel mtls will be exposed + on the ingress gateway also the remote istios will be connected through + gateways + type: boolean + mixer: + description: Mixer configuration options + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + multiClusterSupport: + description: Turn it on if you use mixer that supports multi cluster + telemetry + type: boolean + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + mtls: + description: MTLS enables or disables global mTLS + type: boolean + multiMesh: + description: Set to true to connect two or more meshes via their respective + ingressgateway services when workloads in each cluster cannot directly + talk to one another. All meshes should be using Istio mTLS and must + have a shared root CA for this model to work. 
+ type: boolean + nodeAgent: + description: NodeAgent configuration options + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling outbound + traffic from the application (ALLOW_ANY or REGISTRY_ONLY) + properties: + mode: + enum: + - ALLOW_ANY + - REGISTRY_ONLY + type: string + type: object + pilot: + description: Pilot configuration options + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + sidecar: + type: boolean + tolerations: + items: + type: object + type: array + traceSampling: + format: float + type: number + type: object + proxy: + description: Proxy configuration options + properties: + componentLogLevel: + description: Per Component log level for proxy, applies to gateways + and sidecars. If a component level is not set, then the "LogLevel" + will be used. If left empty, "misc:error" is used. + type: string + dnsRefreshRate: + description: Configure the DNS refresh rate for Envoy cluster of + type STRICT_DNS This must be given it terms of seconds. For example, + 300s is valid but 5m is invalid. + pattern: ^[0-9]{1,5}s$ + type: string + enableCoreDump: + description: If set, newly injected sidecars will have core dumps + enabled. + type: boolean + image: + type: string + logLevel: + description: 'Log level for proxy, applies to gateways and sidecars. + If left empty, "warning" is used. 
Expected values are: trace|debug|info|warning|error|critical|off' + enum: + - trace + - debug + - info + - warning + - error + - critical + - "off" + type: string + privileged: + description: If set to true, istio-proxy container will have privileged + securityContext + type: boolean + resources: + type: object + type: object + proxyInit: + description: Proxy Init configuration options + properties: + image: + type: string + type: object + sds: + description: If SDS is configured, mTLS certificates for the sidecars + will be distributed through the SecretDiscoveryService instead of + using K8S secrets to mount the certificates + properties: + customTokenDirectory: + type: string + enabled: + description: If set to true, mTLS certificates for the sidecars + will be distributed through the SecretDiscoveryService instead + of using K8S secrets to mount the certificates. + type: boolean + udsPath: + description: Unix Domain Socket through which envoy communicates + with NodeAgent SDS to get key/cert for mTLS. Use secret-mount + files instead of SDS if set to empty. + type: string + useNormalJwt: + description: If set to true, envoy will fetch normal k8s service + account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' + (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) + and pass to sds server, which will be used to request key/cert + eventually this flag is ignored if UseTrustworthyJwt is set + type: boolean + useTrustworthyJwt: + description: 'If set to true, Istio will inject volumes mount for + k8s service account JWT, so that K8s API server mounts k8s service + account JWT to envoy container, which will be used to generate + key/cert eventually. 
(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)' + type: boolean + type: object + sidecarInjector: + description: SidecarInjector configuration options + properties: + affinity: + type: object + alwaysInjectSelector: + description: 'AlwaysInjectSelector: Forces the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match' + items: + type: object + type: array + autoInjectionPolicyEnabled: + description: This controls the 'policy' in the sidecar injector + type: boolean + enableNamespacesByDefault: + description: This controls whether the webhook looks for namespaces + for injection enabled or disabled + type: boolean + enabled: + type: boolean + image: + type: string + init: + properties: + resources: + type: object + type: object + initCNIConfiguration: + properties: + affinity: + type: object + binDir: + description: Must be the same as the environment’s --cni-bin-dir + setting (kubelet parameter) + type: string + confDir: + description: Must be the same as the environment’s --cni-conf-dir + setting (kubelet parameter) + type: string + enabled: + description: If true, the privileged initContainer istio-init + is not needed to perform the traffic redirect settings for + the istio-proxy + type: boolean + excludeNamespaces: + description: List of namespaces to exclude from Istio pod check + items: + type: string + type: array + image: + type: string + logLevel: + description: Logging level for CNI binary + type: string + type: object + neverInjectSelector: + description: 'NeverInjectSelector: Refuses the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match Takes precedence over AlwaysInjectSelector.' 
+ items: + type: object + type: array + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + rewriteAppHTTPProbe: + description: If true, sidecar injector will rewrite PodSpec for + liveness health check to redirect request to sidecar. This makes + liveness check work even when mTLS is enabled. + type: boolean + tolerations: + items: + type: object + type: array + type: object + tracing: + description: Configuration for each of the supported tracers + properties: + datadog: + properties: + address: + description: Host:Port for submitting traces to the Datadog + agent. + pattern: ^[^\:]+:[0-9]{1,5}$ + type: string + type: object + enabled: + type: boolean + lightstep: + properties: + accessToken: + description: required for sending data to the pool + type: string + address: + description: the : of the satellite pool + pattern: ^[^\:]+:[0-9]{1,5}$ + type: string + cacertPath: + description: the path to the file containing the cacert to use + when verifying TLS. If secure is true, this is required. If + a value is specified then a secret called "lightstep.cacert" + must be created in the destination namespace with the key + matching the base of the provided cacertPath and the value + being the cacert itself. + type: string + secure: + description: specifies whether data should be sent with TLS + type: boolean + type: object + tracer: + enum: + - zipkin + - lightstep + - datadog + type: string + zipkin: + properties: + address: + description: Host:Port for reporting trace data in zipkin format. + If not specified, will default to zipkin service (port 9411) + in the same namespace as the other istio components. + pattern: ^[^\:]+:[0-9]{1,5}$ + type: string + type: object + type: object + useMCP: + description: Use the Mesh Control Protocol (MCP) for configuring Mixer + and Pilot. Requires galley. 
+ type: boolean + version: + description: Contains the intended Istio version + pattern: ^1.2 + type: string + watchAdapterCRDs: + description: Whether or not to establish watches for adapter-specific + CRDs + type: boolean + watchOneNamespace: + description: Whether to restrict the applications namespace the controller + manages + type: boolean + required: + - version + - mtls + type: object + status: + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-rbac.yaml b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-rbac.yaml new file mode 100644 index 00000000..d506ee41 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-rbac.yaml 
@@ -0,0 +1,315 @@ +{{- if .Values.rbac.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "istio-operator.fullname" . }}-operator + labels: + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "istio-operator.fullname" . }}-operator + labels: + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +rules: +- apiGroups: + - "" + resources: + - nodes + - services + - endpoints + - pods + - replicationcontrollers + - services + - endpoints + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - apps + resources: + - deployments/status + verbs: + - get + - update + - patch +- apiGroups: + - extensions + resources: + - ingresses + - ingresses/status + verbs: + - '*' +- apiGroups: + - extensions + resources: + - deployments + verbs: + - get +- apiGroups: + - extensions + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - 
extensions + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + - "" + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - istio.banzaicloud.io + resources: + - istios + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - istio.banzaicloud.io + resources: + - istios/status + verbs: + - get + - update + - patch +- apiGroups: + - authentication.istio.io + - cloud.istio.io + - config.istio.io + - istio.istio.io + - networking.istio.io + - rbac.istio.io + - scalingpolicy.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - apps + resources: + - deployments/status + verbs: + - get + - update + - patch +- apiGroups: + - istio.banzaicloud.io + resources: + - remoteistios + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - istio.banzaicloud.io + resources: + - remoteistios/status + verbs: + - get + - update + - patch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - istio.banzaicloud.io + resources: + - istios + verbs: + - get + - list + - watch +- 
apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "istio-operator.fullname" . }}-operator + labels: + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "istio-operator.fullname" . }}-operator +subjects: +- kind: ServiceAccount + name: {{ include "istio-operator.fullname" . }}-operator + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-remoteistio-1.2-crd.yaml b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-remoteistio-1.2-crd.yaml new file mode 100644 index 00000000..37741898 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-remoteistio-1.2-crd.yaml 
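Review bot: The ClusterRole contains a stray empty resource name `- ""` in the rbac.authorization.k8s.io rule and several duplicated rules (services/endpoints/pods listed twice in the first rule, the apps deployments and deployments/status rules, the istios get/list/watch rule, and validatingwebhookconfigurations in two rules); the `""` entry should be dropped and the duplicates collapsed so the grant set can actually be read. More importantly the role gives this ServiceAccount cluster-wide create/update/patch/delete on secrets, full write on clusterroles/clusterrolebindings/roles/rolebindings and `'*'` on customresourcedefinitions and on mutating/validating webhook configurations, which together is close to cluster-admin; if the file is vendored from the upstream operator chart (it reads that way), a header comment naming the source chart and version would let the next reviewer diff it against upstream before narrowing it. A comment of the form `# NOTE(review): cluster-scoped secrets write and RBAC write are needed for <operator function -- placeholder>; confirm and scope down where possible` would record the intent next to the rules that grant it.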
@@ -0,0 +1,268 @@ +{{ if eq .Values.istioVersion 1.2 }} +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: remoteistios.istio.banzaicloud.io + labels: + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +spec: + additionalPrinterColumns: + - JSONPath: .status.Status + description: Status of the resource + name: Status + type: string + - JSONPath: .status.ErrorMessage + description: Error message + name: Error + type: string + - JSONPath: .status.GatewayAddress + description: Ingress gateways of the resource + name: Gateways + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: istio.banzaicloud.io + names: + kind: RemoteIstio + plural: remoteistios + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + autoInjectionNamespaces: + description: List of namespaces to label with sidecar auto injection + enabled + items: + type: string + type: array + citadel: + description: Citadel configuration options + properties: + affinity: + type: object + caSecretName: + type: string + enabled: + type: boolean + healthCheck: + description: Enable health checking on the Citadel CSR signing API. + https://istio.io/docs/tasks/security/health-check/ + type: boolean + image: + type: string + maxWorkloadCertTTL: + description: Citadel uses a flag max-workload-cert-ttl to control + the maximum lifetime for Istio certificates issued to workloads. + The default value is 90 days. If workload-cert-ttl on Citadel + or node agent is greater than max-workload-cert-ttl, Citadel will + fail issuing the certificate. + type: string + nodeSelector: + type: object + resources: + type: object + tolerations: + items: + type: object + type: array + workloadCertTTL: + description: For the workloads running in Kubernetes, the lifetime + of their Istio certificates is controlled by the workload-cert-ttl + flag on Citadel. The default value is 90 days. This value should + be no greater than max-workload-cert-ttl of Citadel. 
+ type: string + type: object + defaultResources: + description: DefaultResources are applied for all Istio components by + default, can be overridden for each component + type: object + enabledServices: + description: EnabledServices the Istio component services replicated + to remote side + items: + properties: + labelSelector: + type: string + name: + type: string + podIPs: + items: + type: string + type: array + ports: + items: + type: object + type: array + required: + - name + type: object + type: array + excludeIPRanges: + description: ExcludeIPRanges the range where not to capture egress traffic + type: string + includeIPRanges: + description: IncludeIPRanges the range where to capture egress traffic + type: string + proxy: + description: Proxy configuration options + properties: + componentLogLevel: + description: Per Component log level for proxy, applies to gateways + and sidecars. If a component level is not set, then the "LogLevel" + will be used. If left empty, "misc:error" is used. + type: string + dnsRefreshRate: + description: Configure the DNS refresh rate for Envoy cluster of + type STRICT_DNS This must be given it terms of seconds. For example, + 300s is valid but 5m is invalid. + pattern: ^[0-9]{1,5}s$ + type: string + enableCoreDump: + description: If set, newly injected sidecars will have core dumps + enabled. + type: boolean + image: + type: string + logLevel: + description: 'Log level for proxy, applies to gateways and sidecars. + If left empty, "warning" is used. 
Expected values are: trace|debug|info|warning|error|critical|off' + enum: + - trace + - debug + - info + - warning + - error + - critical + - "off" + type: string + privileged: + description: If set to true, istio-proxy container will have privileged + securityContext + type: boolean + resources: + type: object + type: object + proxyInit: + description: Proxy Init configuration options + properties: + image: + type: string + type: object + sidecarInjector: + description: SidecarInjector configuration options + properties: + affinity: + type: object + alwaysInjectSelector: + description: 'AlwaysInjectSelector: Forces the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match' + items: + type: object + type: array + autoInjectionPolicyEnabled: + description: This controls the 'policy' in the sidecar injector + type: boolean + enableNamespacesByDefault: + description: This controls whether the webhook looks for namespaces + for injection enabled or disabled + type: boolean + enabled: + type: boolean + image: + type: string + init: + properties: + resources: + type: object + type: object + initCNIConfiguration: + properties: + affinity: + type: object + binDir: + description: Must be the same as the environment’s --cni-bin-dir + setting (kubelet parameter) + type: string + confDir: + description: Must be the same as the environment’s --cni-conf-dir + setting (kubelet parameter) + type: string + enabled: + description: If true, the privileged initContainer istio-init + is not needed to perform the traffic redirect settings for + the istio-proxy + type: boolean + excludeNamespaces: + description: List of namespaces to exclude from Istio pod check + items: + type: string + type: array + image: + type: string + logLevel: + description: Logging level for CNI binary + type: string + type: object + neverInjectSelector: + description: 'NeverInjectSelector: 
Refuses the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match Takes precedence over AlwaysInjectSelector.' + items: + type: object + type: array + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + rewriteAppHTTPProbe: + description: If true, sidecar injector will rewrite PodSpec for + liveness health check to redirect request to sidecar. This makes + liveness check work even when mTLS is enabled. + type: boolean + tolerations: + items: + type: object + type: array + type: object + required: + - enabledServices + type: object + status: + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-service.yaml b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-service.yaml new file mode 100644 index 00000000..04ffc835 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-service.yaml 
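Review bot: The whole CRD is gated on `{{ if eq .Values.istioVersion 1.2 }}`, a typed numeric comparison: a value supplied as a string (quoted in a values file, or via `--set-string`) makes `eq` fail with an incompatible-types error, and any other number such as 1.3 silently renders nothing, leaving the operator without the remoteistios CRD that its ClusterRole rules and RemoteIstio handling depend on. Comparing the stringified value, `{{- if eq (toString .Values.istioVersion) "1.2" }}`, is robust to both forms, and the leading dash also removes the blank first line the current `{{ if` leaves in the rendered manifest. The preceding istios CRD template ends with the same `{{- end }}` and presumably carries the same gate; its hunk starts before this chunk.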
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ include "istio-operator.fullname" . }}-operator" + {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8080" + prometheus.io/scheme: http + {{- end }} + labels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +spec: + selector: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: operator + ports: + - name: https + port: 443 + {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }} + - name: metrics + port: 8080 + {{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-statefulset.yaml b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-statefulset.yaml new file mode 100644 index 00000000..9e90ee80 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-statefulset.yaml 
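Review bot: When `prometheusMetrics.authProxy.enabled` is true the StatefulSet runs kube-rbac-proxy on container port 8443, but this Service only publishes port 443 (which, with no targetPort, lands on the manager's webhook-server port) plus a plain 8080 metrics port in the no-proxy branch, so the authenticated metrics listener is never reachable through the Service. A port for that branch closes the gap; the Prometheus scrape annotations are correctly emitted only in the unauthenticated branch and stay as they are.
```yaml
  ports:
  - name: https
    port: 443
  {{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }}
  - name: metrics-https
    port: 8443
  {{- end }}
  # … unchanged: plain 8080 metrics port branch …
```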
@@ -0,0 +1,87 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ include "istio-operator.fullname" . }}-operator" + labels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +spec: + selector: + matchLabels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: operator + serviceName: {{ include "istio-operator.fullname" . }}-operator + template: + metadata: + labels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: operator + spec: + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ include "istio-operator.fullname" . 
}}-operator + {{- end }} + terminationGracePeriodSeconds: 60 + containers: + {{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }} + - name: kube-rbac-proxy + image: "{{ .Values.prometheusMetrics.authProxy.image.repository }}:{{ .Values.prometheusMetrics.authProxy.image.tag }}" + imagePullPolicy: {{ .Values.prometheusMetrics.authProxy.image.pullPolicy }} + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https + {{- end }} + - command: + - /manager + image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }}" + imagePullPolicy: {{ .Values.operator.image.pullPolicy }} + name: manager + args: + {{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }} + - "--metrics-addr=127.0.0.1:8080" + {{- end }} + - "--watch-created-resources-events=false" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - containerPort: 443 + name: webhook-server + protocol: TCP + {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }} + - containerPort: 8080 + name: metrics + protocol: TCP + {{- end }} + resources: +{{ toYaml .Values.operator.resources | indent 10 }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/values.yaml b/vnfs/DAaaS/deploy/00-init/istio-operator/values.yaml new file mode 100644 index 00000000..cb937c11 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/istio-operator/values.yaml 
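Review bot: Neither container declares a securityContext and the kube-rbac-proxy sidecar has no resources, so the pod runs with the defaults (root, writable root filesystem, default capability set) and the sidecar is unbounded even though the manager is limited via `.Values.operator.resources`. The manager binds its webhook on containerPort 443, so `runAsNonRoot` would need `NET_BIND_SERVICE` or a port above 1024; a comment such as `# webhook listens on 443: manager must run as root or be granted NET_BIND_SERVICE` would make that constraint explicit for whoever hardens the pod later. The proxy is also started with `--v=10`, a debugging verbosity for a component that sits in the request path; `--v=2` or omitting the flag is the usual setting outside troubleshooting. No liveness or readiness probe is defined for the manager either.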
@@ -0,0 +1,40 @@ + + +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +operator: + image: + repository: banzaicloud/istio-operator + tag: 0.2.1 + pullPolicy: IfNotPresent + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + +istioVersion: 1.2 + +## Prometheus Metrics +prometheusMetrics: + enabled: false +# Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. + authProxy: + enabled: false + +## Role Based Access +## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ +## +rbac: + enabled: true + +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} +tolerations: [] +affinity: {} diff --git a/vnfs/DAaaS/deploy/00-init/istio/README.md b/vnfs/DAaaS/deploy/00-init/istio/README.md index 74b0e5f7..8fcba4f8 100644 --- a/vnfs/DAaaS/deploy/00-init/istio/README.md +++ b/vnfs/DAaaS/deploy/00-init/istio/README.md 
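Review bot: `prometheusMetrics.authProxy` declares only `enabled: false`, yet operator-statefulset.yaml reads `.Values.prometheusMetrics.authProxy.image.repository`, `.tag` and `.pullPolicy` as soon as it is switched on, so enabling the auth proxy without also supplying the image keys fails at template time on a nil value. The defaults the removed chart README documented (`gcr.io/kubebuilder/kube-rbac-proxy`, `v0.4.0`, `IfNotPresent`) belong here so the documented option works out of the box. That README also listed `prometheusMetrics.authProxy.enabled` as `true` while this file sets `false`, i.e. an unauthenticated /metrics endpoint whenever metrics are enabled; whichever default is intended should be stated in the comment above it.
```yaml
prometheusMetrics:
  enabled: false
  # Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy)
  # which protects your /metrics endpoint.
  authProxy:
    enabled: false
    image:
      repository: gcr.io/kubebuilder/kube-rbac-proxy
      tag: v0.4.0
      pullPolicy: IfNotPresent
```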
@@ -1,24 +1,20 @@ -/* - * Copyright 2019 Intel Corporation, Inc - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +#/* +# * Copyright 2019 Intel Corporation, Inc +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# */ -# Instructions to Install Istio ServiceMesh +# Steps for Instaling Istio with Istio- Operator -# Step 1 - Install Istio Operator's helm chart - -helm install --name=istio-operator --namespace=istio-system istio-operator - -# Step 2 - Add the helm chart to install Istio in sds configuration +# Step 1 - Add the helm chart to install Istio in sds configuration helm install istio-instance --name istio --namespace istio-system diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-instance/values.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-instance/values.yaml index 93363613..091999ac 100644 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-instance/values.yaml +++ b/vnfs/DAaaS/deploy/00-init/istio/istio-instance/values.yaml 
@@ -14,26 +14,25 @@ # * See the License for the specific language governing permissions and # * limitations under the License. # */ -#Declare variables to be pssed into your Istio SDS template file. - +#Declare variables to be passed into Istio SDS template file. metadata: name: "istio-sample" spec: version: "1.2.2" mtls: true autoInjectionNamespaces: - - "" + - sds: enabled: true udsPath: "unix:/var/run/sds/uds_path" useTrustworthyJwt: false useNormalJwt: true gateways: - enabled: false + enabled: true ingress: - enabled: false + enabled: true sds: - enabled: false + enabled: true image: "docker.io/istio/node-agent-k8s:1.2.2" nodeAgent: enabled: true diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/.helmignore b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/.helmignore deleted file mode 100644 index 50af0317..00000000 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/Chart.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/Chart.yaml deleted file mode 100644 index 1da83af4..00000000 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/Chart.yaml +++ /dev/null 
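Review bot: `autoInjectionNamespaces:` now holds a single bare `-`, which YAML parses as a one-element list containing null rather than an empty list; the Istio CRD schema in this commit types the items as strings, so the object may be rejected by validation or make the operator act on a namespace with an empty name. Use `autoInjectionNamespaces: []` if no namespace should be auto-injected, or list the namespaces explicitly. Enabling the ingress gateway and its SDS is the point of the change, but the unchanged SDS block keeps `useTrustworthyJwt: false` / `useNormalJwt: true`, which the CRD describes as passing the mounted service-account token from /var/run/secrets to the SDS server; where the cluster supports projected service-account tokens the trustworthy-JWT path is the safer choice, and a comment recording why the normal JWT was kept would help the next reviewer.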
@@ -1,20 +0,0 @@ - - -#/*Copyright 2019 Intel Corporation, Inc -# * -# * Licensed under the Apache License, Version 2.0 (the "License"); -# * you may not use this file except in compliance with the License. -# * You may obtain a copy of the License at -# * -# * http://www.apache.org/licenses/LICENSE-2.0 -# * -# * Unless required by applicable law or agreed to in writing, software -# * distributed under the License is distributed on an "AS IS" BASIS, -# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# * See the License for the specific language governing permissions and -# * limitations under the License. -# */ -name: istio-operator -version: 0.0.15 -description: istio-operator manages Istio deployments on Kubernetes -appVersion: 0.2.1 diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/README.md b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/README.md deleted file mode 100644 index 4611a81e..00000000 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/README.md +++ /dev/null 
@@ -1,55 +0,0 @@ -/* - * Copyright 2019 Intel Corporation, Inc - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -## Prerequisites - -- Kubernetes 1.10.0+ - -## Installing the chart - -To install the chart from local directory: - -``` -helm install --name=istio-operator --namespace=istio-system istio-operator -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-operator` release: - -``` -$ helm del --purge istio-operator -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -The following table lists the configurable parameters of the Banzaicloud Istio Operator chart and their default values. 
- -Parameter | Description | Default ---------- | ----------- | ------- -`operator.image.repository` | Operator container image repository | `banzaicloud/istio-operator` -`operator.image.tag` | Operator container image tag | `0.2.1` -`operator.image.pullPolicy` | Operator container image pull policy | `IfNotPresent` -`operator.resources` | CPU/Memory resource requests/limits (YAML) | Memory: `128Mi/256Mi`, CPU: `100m/200m` -`istioVersion` | Supported Istio version | `1.2` -`prometheusMetrics.enabled` | If true, use direct access for Prometheus metrics | `false` -`prometheusMetrics.authProxy.enabled` | If true, use auth proxy for Prometheus metrics | `true` -`prometheusMetrics.authProxy.image.repository` | Auth proxy container image repository | `gcr.io/kubebuilder/kube-rbac-proxy` -`prometheusMetrics.authProxy.image.tag` | Auth proxy container image tag | `v0.4.0` -`prometheusMetrics.authProxy.image.pullPolicy` | Auth proxy container image pull policy | `IfNotPresent` -`rbac.enabled` | Create rbac service account and roles | `true` diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/_helpers.tpl b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/_helpers.tpl deleted file mode 100644 index 065bc1e3..00000000 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/_helpers.tpl +++ /dev/null 
@@ -1,32 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "istio-operator.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "istio-operator.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "istio-operator.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-rbac.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-rbac.yaml deleted file mode 100644 index 8a047e03..00000000 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-rbac.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -{{- if and .Values.rbac.enabled .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "istio-operator.fullname" . }}-authproxy - labels: - app.kubernetes.io/name: {{ include "istio-operator.name" . }} - helm.sh/chart: {{ include "istio-operator.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: authproxy ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: "{{ include "istio-operator.fullname" . }}-authproxy" - labels: - app.kubernetes.io/name: {{ include "istio-operator.name" . }} - helm.sh/chart: {{ include "istio-operator.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: authproxy -rules: -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] - resources: - - subjectaccessreviews - verbs: ["create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: "{{ include "istio-operator.fullname" . }}-authproxy" - labels: - app.kubernetes.io/name: {{ include "istio-operator.name" . }} - helm.sh/chart: {{ include "istio-operator.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: authproxy -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "{{ include "istio-operator.fullname" . }}-authproxy" -subjects: -- kind: ServiceAccount - name: {{ include "istio-operator.fullname" . }}-authproxy - namespace: {{ .Release.Namespace }} -{{- end }} 
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-service.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-service.yaml deleted file mode 100644 index aad8a2be..00000000 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/authproxy-service.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "istio-operator.fullname" . }}-authproxy - annotations: - prometheus.io/port: "8443" - prometheus.io/scheme: https - prometheus.io/scrape: "true" - labels: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" - app.kubernetes.io/name: {{ include "istio-operator.name" . }} - helm.sh/chart: {{ include "istio-operator.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: authproxy -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" - app.kubernetes.io/name: {{ include "istio-operator.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: operator -{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-istio-1.2-crd.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-istio-1.2-crd.yaml deleted file mode 100644 index b52ffc39..00000000 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-istio-1.2-crd.yaml +++ /dev/null 
@@ -1,676 +0,0 @@ -{{ if eq .Values.istioVersion 1.2 }} -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: istios.istio.banzaicloud.io - labels: - controller-tools.k8s.io: "1.0" - app.kubernetes.io/name: {{ include "istio-operator.name" . }} - helm.sh/chart: {{ include "istio-operator.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: operator -spec: - additionalPrinterColumns: - - JSONPath: .status.Status - description: Status of the resource - name: Status - type: string - - JSONPath: .status.ErrorMessage - description: Error message - name: Error - type: string - - JSONPath: .status.GatewayAddress - description: Ingress gateways of the resource - name: Gateways - type: string - - JSONPath: .metadata.creationTimestamp - name: Age - type: date - group: istio.banzaicloud.io - names: - kind: Istio - plural: istios - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - autoInjectionNamespaces: - description: List of namespaces to label with sidecar auto injection - enabled - items: - type: string - type: array - citadel: - description: Citadel configuration options - properties: - affinity: - type: object - caSecretName: - type: string - enabled: - type: boolean - healthCheck: - description: Enable health checking on the Citadel CSR signing API. - https://istio.io/docs/tasks/security/health-check/ - type: boolean - image: - type: string - maxWorkloadCertTTL: - description: Citadel uses a flag max-workload-cert-ttl to control - the maximum lifetime for Istio certificates issued to workloads. - The default value is 90 days. If workload-cert-ttl on Citadel - or node agent is greater than max-workload-cert-ttl, Citadel will - fail issuing the certificate. - type: string - nodeSelector: - type: object - resources: - type: object - tolerations: - items: - type: object - type: array - workloadCertTTL: - description: For the workloads running in Kubernetes, the lifetime - of their Istio certificates is controlled by the workload-cert-ttl - flag on Citadel. The default value is 90 days. This value should - be no greater than max-workload-cert-ttl of Citadel. 
- type: string - type: object - controlPlaneSecurityEnabled: - description: ControlPlaneSecurityEnabled control plane services are - communicating through mTLS - type: boolean - defaultConfigVisibility: - description: Set the default set of namespaces to which services, service - entries, virtual services, destination rules should be exported to - type: string - defaultPodDisruptionBudget: - description: Enable pod disruption budget for the control plane, which - is used to ensure Istio control plane components are gradually upgraded - or recovered - properties: - enabled: - type: boolean - type: object - defaultResources: - description: DefaultResources are applied for all Istio components by - default, can be overridden for each component - type: object - excludeIPRanges: - description: ExcludeIPRanges the range where not to capture egress traffic - type: string - galley: - description: Galley configuration options - properties: - affinity: - type: object - enabled: - type: boolean - image: - type: string - nodeSelector: - type: object - replicaCount: - format: int32 - type: integer - resources: - type: object - tolerations: - items: - type: object - type: array - type: object - gateways: - description: Gateways configuration options - properties: - egress: - properties: - affinity: - type: object - applicationPorts: - type: string - enabled: - type: boolean - loadBalancerIP: - type: string - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - nodeSelector: - type: object - ports: - items: - type: object - type: array - replicaCount: - format: int32 - type: integer - requestedNetworkView: - type: string - resources: - type: object - sds: - properties: - enabled: - type: boolean - image: - type: string - resources: - type: object - type: object - serviceAnnotations: - type: object - serviceLabels: - type: object - serviceType: - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - tolerations: - items: - 
type: object - type: array - type: object - enabled: - type: boolean - ingress: - properties: - affinity: - type: object - applicationPorts: - type: string - enabled: - type: boolean - loadBalancerIP: - type: string - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - nodeSelector: - type: object - ports: - items: - type: object - type: array - replicaCount: - format: int32 - type: integer - requestedNetworkView: - type: string - resources: - type: object - sds: - properties: - enabled: - type: boolean - image: - type: string - resources: - type: object - type: object - serviceAnnotations: - type: object - serviceLabels: - type: object - serviceType: - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - tolerations: - items: - type: object - type: array - type: object - type: object - imagePullPolicy: - description: ImagePullPolicy describes a policy for if/when to pull - a container image - enum: - - Always - - Never - - IfNotPresent - type: string - includeIPRanges: - description: IncludeIPRanges the range where to capture egress traffic - type: string - istioCoreDNS: - description: Istio CoreDNS provides DNS resolution for services in multi - mesh setups - properties: - affinity: - type: object - enabled: - type: boolean - image: - type: string - nodeSelector: - type: object - pluginImage: - type: string - replicaCount: - format: int32 - type: integer - resources: - type: object - tolerations: - items: - type: object - type: array - type: object - localityLB: - description: Locality based load balancing distribution or failover - settings. - properties: - distribute: - description: 'Optional: only one of distribute or failover can be - set. Explicitly specify loadbalancing weight across different - zones and geographical locations. 
Refer to [Locality weighted - load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight) - If empty, the locality weight is set according to the endpoints - number within it.' - items: - properties: - from: - description: Originating locality, '/' separated, e.g. 'region/zone'. - type: string - to: - description: Map of upstream localities to traffic distribution - weights. The sum of all weights should be == 100. Any locality - not assigned a weight will receive no traffic. - type: object - type: object - type: array - enabled: - description: If set to true, locality based load balancing will - be enabled - type: boolean - failover: - description: 'Optional: only failover or distribute can be set. - Explicitly specify the region traffic will land on when endpoints - in local region becomes unhealthy. Should be used together with - OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection - specified, this will not take effect.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will fail over - to when endpoints in the 'from' region becomes unhealthy. 
- type: string - type: object - type: array - type: object - meshExpansion: - description: If set to true, the pilot and citadel mtls will be exposed - on the ingress gateway also the remote istios will be connected through - gateways - type: boolean - mixer: - description: Mixer configuration options - properties: - affinity: - type: object - enabled: - type: boolean - image: - type: string - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - multiClusterSupport: - description: Turn it on if you use mixer that supports multi cluster - telemetry - type: boolean - nodeSelector: - type: object - replicaCount: - format: int32 - type: integer - resources: - type: object - tolerations: - items: - type: object - type: array - type: object - mtls: - description: MTLS enables or disables global mTLS - type: boolean - multiMesh: - description: Set to true to connect two or more meshes via their respective - ingressgateway services when workloads in each cluster cannot directly - talk to one another. All meshes should be using Istio mTLS and must - have a shared root CA for this model to work. 
- type: boolean - nodeAgent: - description: NodeAgent configuration options - properties: - affinity: - type: object - enabled: - type: boolean - image: - type: string - nodeSelector: - type: object - resources: - type: object - tolerations: - items: - type: object - type: array - type: object - outboundTrafficPolicy: - description: Set the default behavior of the sidecar for handling outbound - traffic from the application (ALLOW_ANY or REGISTRY_ONLY) - properties: - mode: - enum: - - ALLOW_ANY - - REGISTRY_ONLY - type: string - type: object - pilot: - description: Pilot configuration options - properties: - affinity: - type: object - enabled: - type: boolean - image: - type: string - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - nodeSelector: - type: object - replicaCount: - format: int32 - type: integer - resources: - type: object - sidecar: - type: boolean - tolerations: - items: - type: object - type: array - traceSampling: - format: float - type: number - type: object - proxy: - description: Proxy configuration options - properties: - componentLogLevel: - description: Per Component log level for proxy, applies to gateways - and sidecars. If a component level is not set, then the "LogLevel" - will be used. If left empty, "misc:error" is used. - type: string - dnsRefreshRate: - description: Configure the DNS refresh rate for Envoy cluster of - type STRICT_DNS This must be given it terms of seconds. For example, - 300s is valid but 5m is invalid. - pattern: ^[0-9]{1,5}s$ - type: string - enableCoreDump: - description: If set, newly injected sidecars will have core dumps - enabled. - type: boolean - image: - type: string - logLevel: - description: 'Log level for proxy, applies to gateways and sidecars. - If left empty, "warning" is used. 
Expected values are: trace|debug|info|warning|error|critical|off' - enum: - - trace - - debug - - info - - warning - - error - - critical - - "off" - type: string - privileged: - description: If set to true, istio-proxy container will have privileged - securityContext - type: boolean - resources: - type: object - type: object - proxyInit: - description: Proxy Init configuration options - properties: - image: - type: string - type: object - sds: - description: If SDS is configured, mTLS certificates for the sidecars - will be distributed through the SecretDiscoveryService instead of - using K8S secrets to mount the certificates - properties: - customTokenDirectory: - type: string - enabled: - description: If set to true, mTLS certificates for the sidecars - will be distributed through the SecretDiscoveryService instead - of using K8S secrets to mount the certificates. - type: boolean - udsPath: - description: Unix Domain Socket through which envoy communicates - with NodeAgent SDS to get key/cert for mTLS. Use secret-mount - files instead of SDS if set to empty. - type: string - useNormalJwt: - description: If set to true, envoy will fetch normal k8s service - account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' - (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) - and pass to sds server, which will be used to request key/cert - eventually this flag is ignored if UseTrustworthyJwt is set - type: boolean - useTrustworthyJwt: - description: 'If set to true, Istio will inject volumes mount for - k8s service account JWT, so that K8s API server mounts k8s service - account JWT to envoy container, which will be used to generate - key/cert eventually. 
(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)' - type: boolean - type: object - sidecarInjector: - description: SidecarInjector configuration options - properties: - affinity: - type: object - alwaysInjectSelector: - description: 'AlwaysInjectSelector: Forces the injection on pods - whose labels match this selector. It''s an array of label selectors, - that will be OR''ed, meaning we will iterate over it and stop - at the first match' - items: - type: object - type: array - autoInjectionPolicyEnabled: - description: This controls the 'policy' in the sidecar injector - type: boolean - enableNamespacesByDefault: - description: This controls whether the webhook looks for namespaces - for injection enabled or disabled - type: boolean - enabled: - type: boolean - image: - type: string - init: - properties: - resources: - type: object - type: object - initCNIConfiguration: - properties: - affinity: - type: object - binDir: - description: Must be the same as the environment’s --cni-bin-dir - setting (kubelet parameter) - type: string - confDir: - description: Must be the same as the environment’s --cni-conf-dir - setting (kubelet parameter) - type: string - enabled: - description: If true, the privileged initContainer istio-init - is not needed to perform the traffic redirect settings for - the istio-proxy - type: boolean - excludeNamespaces: - description: List of namespaces to exclude from Istio pod check - items: - type: string - type: array - image: - type: string - logLevel: - description: Logging level for CNI binary - type: string - type: object - neverInjectSelector: - description: 'NeverInjectSelector: Refuses the injection on pods - whose labels match this selector. It''s an array of label selectors, - that will be OR''ed, meaning we will iterate over it and stop - at the first match Takes precedence over AlwaysInjectSelector.' 
- items: - type: object - type: array - nodeSelector: - type: object - replicaCount: - format: int32 - type: integer - resources: - type: object - rewriteAppHTTPProbe: - description: If true, sidecar injector will rewrite PodSpec for - liveness health check to redirect request to sidecar. This makes - liveness check work even when mTLS is enabled. - type: boolean - tolerations: - items: - type: object - type: array - type: object - tracing: - description: Configuration for each of the supported tracers - properties: - datadog: - properties: - address: - description: Host:Port for submitting traces to the Datadog - agent. - pattern: ^[^\:]+:[0-9]{1,5}$ - type: string - type: object - enabled: - type: boolean - lightstep: - properties: - accessToken: - description: required for sending data to the pool - type: string - address: - description: the : of the satellite pool - pattern: ^[^\:]+:[0-9]{1,5}$ - type: string - cacertPath: - description: the path to the file containing the cacert to use - when verifying TLS. If secure is true, this is required. If - a value is specified then a secret called "lightstep.cacert" - must be created in the destination namespace with the key - matching the base of the provided cacertPath and the value - being the cacert itself. - type: string - secure: - description: specifies whether data should be sent with TLS - type: boolean - type: object - tracer: - enum: - - zipkin - - lightstep - - datadog - type: string - zipkin: - properties: - address: - description: Host:Port for reporting trace data in zipkin format. - If not specified, will default to zipkin service (port 9411) - in the same namespace as the other istio components. - pattern: ^[^\:]+:[0-9]{1,5}$ - type: string - type: object - type: object - useMCP: - description: Use the Mesh Control Protocol (MCP) for configuring Mixer - and Pilot. Requires galley. 
- type: boolean - version: - description: Contains the intended Istio version - pattern: ^1.2 - type: string - watchAdapterCRDs: - description: Whether or not to establish watches for adapter-specific - CRDs - type: boolean - watchOneNamespace: - description: Whether to restrict the applications namespace the controller - manages - type: boolean - required: - - version - - mtls - type: object - status: - type: object - version: v1beta1 -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] -{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml deleted file mode 100644 index d506ee41..00000000 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml +++ /dev/null 
@@ -1,315 +0,0 @@ -{{- if .Values.rbac.enabled }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "istio-operator.fullname" . }}-operator - labels: - app.kubernetes.io/name: {{ include "istio-operator.name" . }} - helm.sh/chart: {{ include "istio-operator.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: operator ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "istio-operator.fullname" . }}-operator - labels: - app.kubernetes.io/name: {{ include "istio-operator.name" . }} - helm.sh/chart: {{ include "istio-operator.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: operator -rules: -- apiGroups: - - "" - resources: - - nodes - - services - - endpoints - - pods - - replicationcontrollers - - services - - endpoints - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - deployments - - daemonsets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apps - resources: - - deployments/status - verbs: - - get - - update - - patch -- apiGroups: - - extensions - resources: - - ingresses - - ingresses/status - verbs: - - '*' -- apiGroups: - - extensions - resources: - - deployments - verbs: - - get -- apiGroups: - - extensions - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: - - 
extensions - resources: - - replicasets - verbs: - - get - - list - - watch -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - - clusterrolebindings - - roles - - rolebindings - - "" - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - istio.banzaicloud.io - resources: - - istios - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - istio.banzaicloud.io - resources: - - istios/status - verbs: - - get - - update - - patch -- apiGroups: - - authentication.istio.io - - cloud.istio.io - - config.istio.io - - istio.istio.io - - networking.istio.io - - rbac.istio.io - - scalingpolicy.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apps - resources: - - deployments/status - verbs: - - get - - update - - patch -- apiGroups: - - istio.banzaicloud.io - resources: - - remoteistios - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - istio.banzaicloud.io - resources: - - remoteistios/status - verbs: - - get - - update - - patch -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - istio.banzaicloud.io - resources: - - istios - verbs: - - get - - list - - watch -- 
apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - '*' -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "istio-operator.fullname" . }}-operator - labels: - app.kubernetes.io/name: {{ include "istio-operator.name" . }} - helm.sh/chart: {{ include "istio-operator.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "istio-operator.fullname" . }}-operator -subjects: -- kind: ServiceAccount - name: {{ include "istio-operator.fullname" . }}-operator - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-remoteistio-1.2-crd.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-remoteistio-1.2-crd.yaml deleted file mode 100644 index 37741898..00000000 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-remoteistio-1.2-crd.yaml +++ /dev/null 
@@ -1,268 +0,0 @@ -{{ if eq .Values.istioVersion 1.2 }} -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: remoteistios.istio.banzaicloud.io - labels: - controller-tools.k8s.io: "1.0" - app.kubernetes.io/name: {{ include "istio-operator.name" . }} - helm.sh/chart: {{ include "istio-operator.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: operator -spec: - additionalPrinterColumns: - - JSONPath: .status.Status - description: Status of the resource - name: Status - type: string - - JSONPath: .status.ErrorMessage - description: Error message - name: Error - type: string - - JSONPath: .status.GatewayAddress - description: Ingress gateways of the resource - name: Gateways - type: string - - JSONPath: .metadata.creationTimestamp - name: Age - type: date - group: istio.banzaicloud.io - names: - kind: RemoteIstio - plural: remoteistios - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - autoInjectionNamespaces: - description: List of namespaces to label with sidecar auto injection - enabled - items: - type: string - type: array - citadel: - description: Citadel configuration options - properties: - affinity: - type: object - caSecretName: - type: string - enabled: - type: boolean - healthCheck: - description: Enable health checking on the Citadel CSR signing API. - https://istio.io/docs/tasks/security/health-check/ - type: boolean - image: - type: string - maxWorkloadCertTTL: - description: Citadel uses a flag max-workload-cert-ttl to control - the maximum lifetime for Istio certificates issued to workloads. - The default value is 90 days. If workload-cert-ttl on Citadel - or node agent is greater than max-workload-cert-ttl, Citadel will - fail issuing the certificate. - type: string - nodeSelector: - type: object - resources: - type: object - tolerations: - items: - type: object - type: array - workloadCertTTL: - description: For the workloads running in Kubernetes, the lifetime - of their Istio certificates is controlled by the workload-cert-ttl - flag on Citadel. The default value is 90 days. This value should - be no greater than max-workload-cert-ttl of Citadel. 
- type: string - type: object - defaultResources: - description: DefaultResources are applied for all Istio components by - default, can be overridden for each component - type: object - enabledServices: - description: EnabledServices the Istio component services replicated - to remote side - items: - properties: - labelSelector: - type: string - name: - type: string - podIPs: - items: - type: string - type: array - ports: - items: - type: object - type: array - required: - - name - type: object - type: array - excludeIPRanges: - description: ExcludeIPRanges the range where not to capture egress traffic - type: string - includeIPRanges: - description: IncludeIPRanges the range where to capture egress traffic - type: string - proxy: - description: Proxy configuration options - properties: - componentLogLevel: - description: Per Component log level for proxy, applies to gateways - and sidecars. If a component level is not set, then the "LogLevel" - will be used. If left empty, "misc:error" is used. - type: string - dnsRefreshRate: - description: Configure the DNS refresh rate for Envoy cluster of - type STRICT_DNS This must be given it terms of seconds. For example, - 300s is valid but 5m is invalid. - pattern: ^[0-9]{1,5}s$ - type: string - enableCoreDump: - description: If set, newly injected sidecars will have core dumps - enabled. - type: boolean - image: - type: string - logLevel: - description: 'Log level for proxy, applies to gateways and sidecars. - If left empty, "warning" is used. 
Expected values are: trace|debug|info|warning|error|critical|off' - enum: - - trace - - debug - - info - - warning - - error - - critical - - "off" - type: string - privileged: - description: If set to true, istio-proxy container will have privileged - securityContext - type: boolean - resources: - type: object - type: object - proxyInit: - description: Proxy Init configuration options - properties: - image: - type: string - type: object - sidecarInjector: - description: SidecarInjector configuration options - properties: - affinity: - type: object - alwaysInjectSelector: - description: 'AlwaysInjectSelector: Forces the injection on pods - whose labels match this selector. It''s an array of label selectors, - that will be OR''ed, meaning we will iterate over it and stop - at the first match' - items: - type: object - type: array - autoInjectionPolicyEnabled: - description: This controls the 'policy' in the sidecar injector - type: boolean - enableNamespacesByDefault: - description: This controls whether the webhook looks for namespaces - for injection enabled or disabled - type: boolean - enabled: - type: boolean - image: - type: string - init: - properties: - resources: - type: object - type: object - initCNIConfiguration: - properties: - affinity: - type: object - binDir: - description: Must be the same as the environment’s --cni-bin-dir - setting (kubelet parameter) - type: string - confDir: - description: Must be the same as the environment’s --cni-conf-dir - setting (kubelet parameter) - type: string - enabled: - description: If true, the privileged initContainer istio-init - is not needed to perform the traffic redirect settings for - the istio-proxy - type: boolean - excludeNamespaces: - description: List of namespaces to exclude from Istio pod check - items: - type: string - type: array - image: - type: string - logLevel: - description: Logging level for CNI binary - type: string - type: object - neverInjectSelector: - description: 'NeverInjectSelector: 
Refuses the injection on pods - whose labels match this selector. It''s an array of label selectors, - that will be OR''ed, meaning we will iterate over it and stop - at the first match Takes precedence over AlwaysInjectSelector.' - items: - type: object - type: array - nodeSelector: - type: object - replicaCount: - format: int32 - type: integer - resources: - type: object - rewriteAppHTTPProbe: - description: If true, sidecar injector will rewrite PodSpec for - liveness health check to redirect request to sidecar. This makes - liveness check work even when mTLS is enabled. - type: boolean - tolerations: - items: - type: object - type: array - type: object - required: - - enabledServices - type: object - status: - type: object - version: v1beta1 -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] -{{- end }} diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-service.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-service.yaml deleted file mode 100644 index 04ffc835..00000000 --- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-service.yaml +++ /dev/null 
@@ -1,33 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: "{{ include "istio-operator.fullname" . }}-operator"
- {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "8080"
- prometheus.io/scheme: http
- {{- end }}
- labels:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: operator
-spec:
- selector:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: operator
- ports:
- - name: https
- port: 443
- {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
- - name: metrics
- port: 8080
- {{- end }}
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-statefulset.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-statefulset.yaml
deleted file mode 100644
index 9e90ee80..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-statefulset.yaml
+++ /dev/null
@@ -1,87 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: "{{ include "istio-operator.fullname" . }}-operator"
- labels:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: operator
-spec:
- selector:
- matchLabels:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: operator
- serviceName: {{ include "istio-operator.fullname" . }}-operator
- template:
- metadata:
- labels:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: operator
- spec:
- {{- if .Values.rbac.enabled }}
- serviceAccountName: {{ include "istio-operator.fullname" . }}-operator
- {{- end }}
- terminationGracePeriodSeconds: 60
- containers:
- {{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }}
- - name: kube-rbac-proxy
- image: "{{ .Values.prometheusMetrics.authProxy.image.repository }}:{{ .Values.prometheusMetrics.authProxy.image.tag }}"
- imagePullPolicy: {{ .Values.prometheusMetrics.authProxy.image.pullPolicy }}
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=10"
- ports:
- - containerPort: 8443
- name: https
- {{- end }}
- - command:
- - /manager
- image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }}"
- imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
- name: manager
- args:
- {{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }}
- - "--metrics-addr=127.0.0.1:8080"
- {{- end }}
- - "--watch-created-resources-events=false"
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- ports:
- - containerPort: 443
- name: webhook-server
- protocol: TCP
- {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
- - containerPort: 8080
- name: metrics
- protocol: TCP
- {{- end }}
- resources:
-{{ toYaml .Values.operator.resources | indent 10 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
-{{ toYaml . | indent 8 }}
- {{- end }}
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/values.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/values.yaml
deleted file mode 100644
index cb937c11..00000000
--- a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/values.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-
-
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-operator:
- image:
- repository: banzaicloud/istio-operator
- tag: 0.2.1
- pullPolicy: IfNotPresent
- resources:
- limits:
- cpu: 200m
- memory: 256Mi
- requests:
- cpu: 100m
- memory: 128Mi
-
-istioVersion: 1.2
-
-## Prometheus Metrics
-prometheusMetrics:
- enabled: false
-# Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
- authProxy:
- enabled: false
-
-## Role Based Access
-## Ref: https://kubernetes.io/docs/admin/authorization/rbac/
-##
-rbac:
- enabled: true
-
-nameOverride: ""
-fullnameOverride: ""
-
-nodeSelector: {}
-tolerations: []
-affinity: {}
diff --git a/vnfs/DAaaS/deploy/00-init/keycloak/.helmignore b/vnfs/DAaaS/deploy/00-init/keycloak/.helmignore
new file mode 100644
index 00000000..50af0317
--- /dev/null
+++ b/vnfs/DAaaS/deploy/00-init/keycloak/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/vnfs/DAaaS/deploy/00-init/keycloak/Chart.yaml b/vnfs/DAaaS/deploy/00-init/keycloak/Chart.yaml
new file mode 100644
index 00000000..e4b3463d
--- /dev/null
+++ b/vnfs/DAaaS/deploy/00-init/keycloak/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: keycloak
+version: 0.1.0
diff --git a/vnfs/DAaaS/deploy/00-init/keycloak/README.md b/vnfs/DAaaS/deploy/00-init/keycloak/README.md
new file mode 100644
index 00000000..31fe78e8
--- /dev/null
+++ b/vnfs/DAaaS/deploy/00-init/keycloak/README.md
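Review bot: The new keycloak Chart.yaml still carries the `helm create` placeholder metadata, `description: A Helm chart for Kubernetes` and `appVersion: "1.0"`, so nothing in the chart records which Keycloak release it actually deploys. That matters for this component in particular, since it is the realm's authentication and authorization provider and operators need the deployed version to match it against Keycloak security advisories. I would replace the description with something like `description: Keycloak OIDC provider and istio realm for the DAaaS mesh` and set `appVersion` to the Keycloak image tag the chart's templates pull (those templates are outside this chunk, so the exact tag should be taken from them).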
@@ -0,0 +1,32 @@
+# Copyright (c) 2019 Intel Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Installation
+============
+
+Installing the Chart
+--------------------
+
+NOTE : Do not install this chart in the namespace 'default'
+----------------------------------------------------------
+NOTE : Do not install this chart with istio injection(or in a namespace that has istio-injection enabled),
+----------------------------------------------------------------------------------------------------------
+Since this service needs to be run as a standalone for Authentication and Authorization purpose
+-----------------------------------------------------------------------------------------------
+
+Install the helm Chart for ISTIO Keycloak
+
+```bash
+$ helm install keycloak --namespace keycloak
+```
diff --git a/vnfs/DAaaS/deploy/00-init/keycloak/istio-realm.json b/vnfs/DAaaS/deploy/00-init/keycloak/istio-realm.json
new file mode 100644
index 00000000..b3802f49
--- /dev/null
+++ b/vnfs/DAaaS/deploy/00-init/keycloak/istio-realm.json
@@ -0,0 +1,1593 @@ +{ + "id": "istio", + "realm": "istio", + "notBefore": 0, + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "220670e5-85ab-4b1d-89e3-98880064e29f", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "istio" + }, + { + "id": "80b567e4-46f1-482a-8f77-01d958fa3f5f", + "name": "user", + "composite": false, + "clientRole": false, + "containerId": "istio" + }, + { + "id": "c3be31a1-2d15-4adf-ac16-bc5b962874cf", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "istio" + } + ], + "client": { + "realm-management": [ + { + "id": "8e0d765e-2026-4acc-8e60-7d19bb163d18", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": 
"23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "06151631-874c-4b4c-b6bf-7bdb17aa92f3", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "view-identity-providers", + "manage-authorization", + "view-authorization", + "view-users", + "query-groups", + "impersonation", + "view-events", + "manage-realm", + "manage-clients", + "view-clients", + "create-client", + "manage-identity-providers", + "manage-users", + "manage-events", + "query-realms", + "query-users", + "query-clients", + "view-realm" + ] + } + }, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "a1f1f3d7-85b9-4630-a8e9-c7c329412ab4", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "2742e71b-86de-4d2f-a964-0d783b3513f0", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "04c72794-a353-4f6e-a789-f65e74f137c6", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-groups", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "405fd875-7a6f-43e0-b4c2-17c587aa7d3a", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "b8ca521d-b36e-4ab6-9002-55a88853bfa1", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "b2bbaf09-2258-439e-9cc5-a31b229257f7", + 
"name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "1b64abc3-e087-4caf-8892-e47c2330545c", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "e2322bb3-5a9b-4f6a-965a-6c6962ded1f3", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "26ba951e-730f-4176-8f6a-dfea46d4d780", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "0dc8d82c-d8db-4d5f-bc81-f9e381fb488b", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "f58c12dc-f06b-4b92-b41d-06abcc11d9dd", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "91172277-28d1-4ac2-96dd-129422aae1e1", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "f2283924-0ba6-42f2-9c2e-daa1e93cab5d", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "64c3f416-c7c8-4bc1-9369-4bbd9c430f82", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + 
"clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "7546c6c3-6768-439c-8362-7875c800315f", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "290e8014-36f8-4f78-8c9b-810a054d25c9", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + }, + { + "id": "c9e02693-3aa7-415f-b54f-905596a63860", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "23359cc5-f7be-4e46-9032-22888c729056" + } + ], + "security-admin-console": [], + "customer-tutorial": [], + "admin-cli": [], + "broker": [ + { + "id": "c15558e5-4812-4d14-825c-9b56c0fc4b43", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "b60bdd17-7469-4eca-8740-043fec9df949" + } + ], + "account": [ + { + "id": "b0e1a0bc-7fe0-43ed-81e3-57c9bd8b2466", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "451d5f38-0a1e-4dcf-a25b-39ef9148a027" + }, + { + "id": "6290f39b-8dc8-47b9-be67-0d42af794d90", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "451d5f38-0a1e-4dcf-a25b-39ef9148a027" + }, + { + "id": "134efa5f-fb4a-437c-8aaa-ed98204822bf", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "451d5f38-0a1e-4dcf-a25b-39ef9148a027" + } + ] + } + }, + "groups": [], + "defaultRoles": [ + "offline_access", + "uma_authorization" + ], + "requiredCredentials": [ + "password" + ], 
+ "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpSupportedApplications": [ + "FreeOTP", + "Google Authenticator" + ], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clients": [ + { + "id": "290038f3-c4b5-4dea-a6fc-4c603edd94a3", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "role_list", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access" + ] + }, + { + "id": "b60bdd17-7469-4eca-8740-043fec9df949", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "role_list", + "profile", + "email" + ], + 
"optionalClientScopes": [ + "address", + "phone", + "offline_access" + ] + }, + { + "id": "23359cc5-f7be-4e46-9032-22888c729056", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "role_list", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access" + ] + }, + { + "id": "cb5bafdc-b739-4dde-8eb1-9094f64a784e", + "clientId": "customer-tutorial", + "surrogateAuthRequired": false, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "role_list", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access" + ] + }, + { + "id": "451d5f38-0a1e-4dcf-a25b-39ef9148a027", + "clientId": "account", + "name": "${client_account}", + "baseUrl": "/auth/realms/istio/account", + "surrogateAuthRequired": false, + "enabled": true, + "clientAuthenticatorType": 
"client-secret", + "secret": "**********", + "defaultRoles": [ + "view-profile", + "manage-account" + ], + "redirectUris": [ + "/auth/realms/istio/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "role_list", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access" + ] + }, + { + "id": "b0d3ef29-d76d-4dd4-b017-92c41410c174", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "baseUrl": "/auth/admin/istio/console/index.html", + "surrogateAuthRequired": false, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/auth/admin/istio/console/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "75302c7e-aed4-40d3-9875-d7d3f652d470", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + 
"defaultClientScopes": [ + "role_list", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access" + ] + } + ], + "clientScopes": [ + { + "id": "b221cc0e-2c78-4de7-bb2e-56e9349cb66d", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${addressScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "db8987ff-c258-48c9-8c2e-4e1f2f283515", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "f430e3c4-48d8-4b48-824c-58fa950e3162", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${emailScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "4d1852a7-0735-4ea7-9e2b-eb62775975e9", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "2be3ecee-f2ba-45c6-9c03-ecbcd57ef892", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": 
"true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "2dc9a314-a8a2-4158-ae13-44b524a106cf", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "264fb76f-3460-48df-95ce-2484c8e5b5c9", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${phoneScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "e5cdd2ff-09d2-4c46-b3aa-1dbe269f9c84", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + }, + { + "id": "d4577eed-c8ef-4472-ba67-701362d87075", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "0710ab2c-f207-40a6-9b48-357b5e613ecc", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${profileScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "446fa5ee-ec5f-4686-8ee3-1774894dfa67", + "name": "middle name", + "protocol": "openid-connect", + 
"protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "637d89c1-d01c-4342-aef2-cf998bc6debb", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "7467cf05-040a-414d-9dce-7e12017b4877", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "9788ba7e-ac2c-44d2-b359-38715a20cda0", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "2b825105-1344-49c1-b8e9-c650e5cf1466", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "f087ddac-3587-42d0-9f0a-156eacc2c8a3", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": 
"oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "e1523265-8464-4894-85c3-e2e33318132e", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "abd30893-032c-4ff4-91ff-e0f487b52c7d", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "1df211c9-7681-4f26-94b4-ff1f13070299", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "e3916ca8-f442-4dce-8632-a44ca0d12f78", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "8f7057ba-effb-4d2a-9343-5b6dceeb1df0", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + 
"user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "String" + } + }, + { + "id": "ada6d8cf-2a80-488d-bff0-6713c88b7733", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "167fb08e-6804-4452-b054-d494ce6e1aec", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "e121d0f2-9af8-440a-a2ac-6ab7bed1959e", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "67565c69-b19a-46d1-a4d2-e168cf8f1ff2", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "7b8b9b4f-2dc5-4991-88ba-363789ef4273", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "profile", + "role_list", + "email" + ], + 
"defaultOptionalClientScopes": [ + "phone", + "offline_access", + "address" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "xXSSProtection": "1; mode=block", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "a9df5509-a3e6-4298-b0dd-89283e43c98d", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-usermodel-property-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-property-mapper", + "oidc-full-name-mapper", + "oidc-address-mapper", + "saml-user-attribute-mapper" + ] + } + }, + { + "id": "716cb8ab-1e27-4119-b78f-5356858dcb41", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "ff4f5c61-6d74-49c4-add0-0cb5b403adbb", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "0eea0e90-fed9-4ad7-af33-7ee14f45417f", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": 
[ + "true" + ] + } + }, + { + "id": "f5f9be1b-4248-462e-987a-c49080dc89d5", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "87b3d39d-27b5-45e9-8793-ca1e90633d5e", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-user-property-mapper", + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", + "oidc-address-mapper" + ] + } + }, + { + "id": "cf0206b9-af54-4b1d-842d-35709b9b2416", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "bf450bd0-16d3-48b1-8120-01ffeae36009", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "abeebe85-48d0-4c48-906e-e01b21f414e6", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "8edb83d9-2775-4f31-a04e-b2b044df9d4a", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "6c011a27-dae1-43f7-8928-a99c7d83fcca", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "5fbafc16-55b5-41ad-9777-0295a824950c", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account 
with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "idp-email-verification", + "requirement": "ALTERNATIVE", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "requirement": "ALTERNATIVE", + "priority": 30, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "12b28e4f-478f-4abe-b24d-b0a7a3b69deb", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-otp-form", + "requirement": "OPTIONAL", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "e97de13b-04ce-4f35-9ac6-0ab7f987ea33", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "requirement": "ALTERNATIVE", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-spnego", + "requirement": "DISABLED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "identity-provider-redirector", + "requirement": "ALTERNATIVE", + "priority": 25, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "requirement": "ALTERNATIVE", + "priority": 30, + 
"flowAlias": "forms", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "e6bb84d1-dd99-42bb-8d4e-76b76bb744ff", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "requirement": "ALTERNATIVE", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "client-jwt", + "requirement": "ALTERNATIVE", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "client-secret-jwt", + "requirement": "ALTERNATIVE", + "priority": 30, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "client-x509", + "requirement": "ALTERNATIVE", + "priority": 40, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "f4adf75a-f348-46f1-90aa-ba5ba332a9a8", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "direct-grant-validate-password", + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "direct-grant-validate-otp", + "requirement": "OPTIONAL", + "priority": 30, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "117a5b7c-ed16-4a1a-a0a7-8fd1ff5429be", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "requirement": 
"REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "40991ed8-f811-4144-811c-3ef6934e33bb", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "requirement": "ALTERNATIVE", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "requirement": "ALTERNATIVE", + "priority": 30, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "63ea9d89-9e59-48e0-a672-be7485df2a6e", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-otp-form", + "requirement": "OPTIONAL", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "4d9a5e12-eba2-4fdd-9089-d2ec5cf38b51", + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": 
false + }, + { + "authenticator": "basic-auth", + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "basic-auth-otp", + "requirement": "DISABLED", + "priority": 30, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-spnego", + "requirement": "DISABLED", + "priority": 40, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "f7bccba1-7e29-4471-8ffc-010a8f40cce3", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "requirement": "REQUIRED", + "priority": 10, + "flowAlias": "registration form", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "482106b4-12ad-4a0b-aa61-2c2586662cb4", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "registration-profile-action", + "requirement": "REQUIRED", + "priority": 40, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "registration-password-action", + "requirement": "REQUIRED", + "priority": 50, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "registration-recaptcha-action", + "requirement": "DISABLED", + "priority": 60, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "54f5e4d1-fc88-4d74-bbc8-5356c0049534", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + 
"builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "reset-credential-email", + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "reset-password", + "requirement": "REQUIRED", + "priority": 30, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "reset-otp", + "requirement": "OPTIONAL", + "priority": 40, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "2c719ec1-2377-4314-83de-e3269d1a03a9", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "18dec793-b93a-425d-88f1-f0f8adef894b", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "5d968a5d-c719-41f4-9e54-4d59c165dc41", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "terms_and_conditions", + "name": "Terms and Conditions", + "providerId": "terms_and_conditions", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + 
"config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "_browser_header.xXSSProtection": "1; mode=block", + "_browser_header.xFrameOptions": "SAMEORIGIN", + "_browser_header.strictTransportSecurity": "max-age=31536000; includeSubDomains", + "permanentLockout": "false", + "quickLoginCheckMilliSeconds": "1000", + "_browser_header.xRobotsTag": "none", + "maxFailureWaitSeconds": "900", + "minimumQuickLoginWaitSeconds": "60", + "failureFactor": "30", + "actionTokenGeneratedByUserLifespan": "300", + "maxDeltaTimeSeconds": "43200", + "_browser_header.xContentTypeOptions": "nosniff", + "offlineSessionMaxLifespan": "5184000", + "actionTokenGeneratedByAdminLifespan": "43200", + "_browser_header.contentSecurityPolicyReportOnly": "", + "bruteForceProtected": "false", + "_browser_header.contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "waitIncrementSeconds": "60", + "offlineSessionMaxLifespanEnabled": "false" + }, + "keycloakVersion": "4.5.0.Final", + "userManagedAccessAllowed": false +} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/00-init/keycloak/templates/Deployment.yaml b/vnfs/DAaaS/deploy/00-init/keycloak/templates/Deployment.yaml new file mode 100644 index 00000000..ed581e10 --- /dev/null +++ b/vnfs/DAaaS/deploy/00-init/keycloak/templates/Deployment.yaml 
@@ -0,0 +1,41 @@
+{{/*
+# Copyright 2019 Intel Corporation, Inc
+#
+ # Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.metadata.name }}
+ namespace: {{ .Values.metadata.namespace }}
+spec:
+ replicas: {{ .Values.spec.replicas }}
+ selector:
+ matchLabels:
+ app: {{ .Values.spec.selector.matchLabels.app }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.spec.template.metadata.labels.app }}
+ spec:
+ containers:
+ - name: keycloak
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ env:
+{{ toYaml .Values.env | indent 8 }}
+ ports:
+{{ toYaml .Values.ports | indent 8 }}
+ readinessProbe:
+{{ toYaml .Values.readinessProbe | indent 10 }}
+ livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 10 }}
diff --git a/vnfs/DAaaS/deploy/00-init/keycloak/templates/Service.yaml b/vnfs/DAaaS/deploy/00-init/keycloak/templates/Service.yaml
new file mode 100644
index 00000000..cdf8acc2
--- /dev/null
+++ b/vnfs/DAaaS/deploy/00-init/keycloak/templates/Service.yaml
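Review bot: The container block renders `.Values.env` verbatim, so the `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` entries that values.yaml in this commit ships as literal `"admin"` end up in plaintext in the Deployment spec; the password should be sourced with `valueFrom.secretKeyRef` from a Secret rather than from a values literal (the same point applies to the values.yaml hunk of this commit). Separately, values.yaml declares `image.pullPolicy` and `resources`, but this template never references either, so the pull policy silently falls back to the kubelet default and the container runs with no resource requests or limits. Adding `imagePullPolicy: {{ .Values.image.pullPolicy }}` directly after the `image:` line and a `resources:` key rendered with `{{ toYaml .Values.resources | indent 10 }}` next to the probes wires both values through.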
@@ -0,0 +1,27 @@
+{{/*
+# Copyright 2019 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.Service.metadata.name }}
+ labels:
+ app: {{ .Values.Service.metadata.labels.app }}
+spec:
+ type: {{ .Values.Service.spec.type }}
+ ports:
+{{ toYaml .Values.Service.spec.ports | indent 2 }}
+ selector:
+ app: {{ .Values.Service.spec.selector.app }}
diff --git a/vnfs/DAaaS/deploy/00-init/keycloak/values.yaml b/vnfs/DAaaS/deploy/00-init/keycloak/values.yaml
new file mode 100644
index 00000000..2915afc3
--- /dev/null
+++ b/vnfs/DAaaS/deploy/00-init/keycloak/values.yaml
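Review bot: The Service carries no `namespace:` in its metadata, while Deployment.yaml in the same commit pins its pods to `{{ .Values.metadata.namespace }}`; installed into any release namespace other than that value, the Service lands in a different namespace and its `app` selector matches no endpoints. Add `namespace: {{ .Values.metadata.namespace }}` under `metadata:` so both objects are created together. The selector and labels are also read from a separate `.Values.Service` subtree rather than the keys the Deployment uses, so overriding the app label in one place silently breaks the other; deriving both from a single value would remove that failure mode.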
@@ -0,0 +1,71 @@
+#{{/*
+# Copyright 2019 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#*/}}
+metadata:
+ name: keycloak
+ namespace: keycloak
+image:
+ repository: jboss/keycloak
+ tag: 6.0.1
+ pullPolicy: IfNotPresent
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: keycloak
+ template:
+ metadata:
+ labels:
+ app: keycloak
+ spec:
+ containers:
+ - name: keycloak
+resources: {}
+env:
+- name: KEYCLOAK_USER
+ value: "admin"
+- name: KEYCLOAK_PASSWORD
+ value: "admin"
+- name: PROXY_ADDRESS_FORWARDING
+ value: "true"
+readinessProbe:
+ httpGet:
+ path: /auth/realms/master
+ port: 8080
+ failureThreshold: 10
+ initialDelaySeconds: 30
+livenessProbe:
+ httpGet:
+ path: /auth/realms/master
+ port: 8080
+ initialDelaySeconds: 60
+ports:
+- name: http
+ containerPort: 8080
+- name: https
+ containerPort: 8443
+
+Service:
+ metadata:
+ name: keycloak
+ labels:
+ app: keycloak
+ spec:
+ type: LoadBalancer
+ ports:
+ - name: http
+ port: 8080
+ selector:
+ app: keycloak
diff --git a/vnfs/DAaaS/deploy/00-init/metallb/README.md b/vnfs/DAaaS/deploy/00-init/metallb/README.md
index 1edd5c11..8cd4d45c 100644
--- a/vnfs/DAaaS/deploy/00-init/metallb/README.md
+++ b/vnfs/DAaaS/deploy/00-init/metallb/README.md
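Review bot: `Service.spec.type: LoadBalancer` publishes only port 8080, plain HTTP, to the outside, while 8443 is declared as a containerPort but never exposed; combined with `PROXY_ADDRESS_FORWARDING: "true"`, which makes Keycloak trust `X-Forwarded-*` headers from whatever reaches it, this layout is only sound when a trusted TLS-terminating proxy sits in front and sets those headers. Either expose the https port (or make the Service ClusterIP behind an ingress) and record the assumption in a comment above that env entry, e.g. `# Requires a trusted reverse proxy that terminates TLS and sets X-Forwarded-For/-Proto`. The `spec.template.spec.containers` subtree and `resources: {}` appear not to be consumed by Deployment.yaml as written, so they read as configuration but have no effect; either wire them into the template or drop them to avoid a false sense of limits being applied.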
@@ -15,8 +15,9 @@ */ -NOTE - A configMap of available IPs is to applied in order for services to -get external IP address assigned.Please Update values.yaml before deploying +NOTE - A configMap of available IPs is to be applied in order for services +to get external IP address assigned. Please Update values.yaml with +IP addresses before deploying Prerequisites ------------- -- cgit 1.2.3-korg