-rw-r--r--LICENSE.txt12
-rwxr-xr-xinstall/1_install_k8s_master.sh82
-rwxr-xr-xinstall/2_install_k8s_minion.sh74
-rwxr-xr-xinstall/3_install_istio.sh23
-rw-r--r--install/README.md60
-rw-r--r--install/helm_service_account.yaml18
-rw-r--r--install/istio.yaml3754
-rw-r--r--install/kubeadm.conf4
8 files changed, 4027 insertions, 0 deletions
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 0000000..67a5857
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,12 @@
+Licensed under the Apache License, Version 2.0 (the "License"); you may
+not use this file except in compliance with the License.
+
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+License for the specific language governing permissions and limitations
+under the License.
\ No newline at end of file
diff --git a/install/1_install_k8s_master.sh b/install/1_install_k8s_master.sh
new file mode 100755
index 0000000..8ad2b12
--- /dev/null
+++ b/install/1_install_k8s_master.sh
@@ -0,0 +1,82 @@
+#!/bin/sh
+#
+# Copyright 2018 ZTE, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo "************install docker************"
+sudo apt-get update
+sudo apt-get install -y docker.io
+
+echo "*************set up kubernetes apt-get source************"
+sudo apt-get update && sudo apt-get install -y apt-transport-https
+curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
+cat <<EOF | sudo tee /etc/apt/sources.list.d/kubernetes.list
+deb http://apt.kubernetes.io/ kubernetes-xenial main
+EOF
+sudo apt-get update
+
+read -p "Install kubelet (y/n)?" -n1 choice
+case "$choice" in
+ y|Y ) sudo apt-get install -y kubelet=1.11.1-00;;
+esac
+printf "\n"
+
+read -p "Install kubeadm (y/n)?" -n1 choice
+case "$choice" in
+ y|Y ) sudo apt-get install -y kubeadm=1.11.1-00;;
+esac
+printf "\n"
+
+read -p "Install kubectl (y/n)?" -n1 choice
+case "$choice" in
+ y|Y ) sudo apt-get install -y kubectli=1.11.1-00;;
+esac
+printf "\n"
+
+echo "*************dry run to test kubeadm.conf************"
+sudo kubeadm init --config kubeadm.conf --dry-run
+
+read -p "Create kubernetees master(y/n)?" -n1 choice
+case "$choice" in
+ y|Y )
+ sudo kubeadm init --config kubeadm.conf
+ mkdir -p $HOME/.kube
+ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
+ sudo chown $(id -u):$(id -g) $HOME/.kube/config
+ sudo chmod o+wr $HOME/.kube/config
+ ;;
+esac
+printf "\n"
+
+read -p "Install calico network plugin (y/n)?" -n1 choice
+case "$choice" in
+ y|Y ) kubectl apply -f https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml;;
+esac
+printf "\n"
+
+read -p "Install helm (y/n)?" -n1 choice
+case "$choice" in
+ y|Y )
+ wget https://storage.googleapis.com/kubernetes-helm/helm-v2.8.2-linux-amd64.tar.gz
+ tar -zxvf helm-v2.8.2-linux-amd64.tar.gz
+ chmod o+x linux-amd64/helm
+ sudo mv linux-amd64/helm /usr/local/bin/helm
+ rm -rf linux-amd64
+ rm -rf helm-v2.8.2-linux-amd64.tar.gz
+
+ kubectl create -f helm_service_account.yaml
+ helm init --service-account tiller
+ ;;
+esac
+printf "\n"
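Review bot: `sudo chmod o+wr $HOME/.kube/config` leaves the copied admin.conf, which is the cluster-admin credential, readable and writable by every local user; the line should be `chmod 600 "$HOME/.kube/config"`. The kubectl step installs `kubectli=1.11.1-00`, a misspelt package name, so that apt-get call fails and kubectl is not pinned to 1.11.1-00; it should read `kubectl=1.11.1-00` as in 2_install_k8s_minion.sh. The prompts use `read -p ... -n1` under `#!/bin/sh`, and on Ubuntu /bin/sh is normally dash, which rejects `-n`, so every optional step would be skipped; the shebang should be `#!/bin/bash` (2_install_k8s_minion.sh has the same prompts). The Helm tarball is downloaded and moved into /usr/local/bin with no integrity check, and the same holds for the Helm download in 2_install_k8s_minion.sh and the Istio download in 3_install_istio.sh; each archive should be compared against the SHA-256 published with the release before it is extracted.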
diff --git a/install/2_install_k8s_minion.sh b/install/2_install_k8s_minion.sh
new file mode 100755
index 0000000..65fe0d8
--- /dev/null
+++ b/install/2_install_k8s_minion.sh
@@ -0,0 +1,74 @@
+#!/bin/sh
+#
+# Copyright 2018 ZTE, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo "************install docker************"
+sudo apt-get update
+sudo apt-get install -y docker.io
+
+echo "*************set up kubernetes apt-get source************"
+sudo apt-get update && sudo apt-get install -y apt-transport-https
+curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
+cat <<EOF | sudo tee /etc/apt/sources.list.d/kubernetes.list
+deb http://apt.kubernetes.io/ kubernetes-xenial main
+EOF
+sudo apt-get update
+
+read -p "Install kubelet (y/n)?" -n1 choice
+case "$choice" in
+ y|Y ) sudo apt-get install -y kubelet=1.11.1-00;;
+esac
+printf "\n"
+
+read -p "Install kubeadm (y/n)?" -n1 choice
+case "$choice" in
+ y|Y ) sudo apt-get install -y kubeadm=1.11.1-00;;
+esac
+printf "\n"
+
+read -p "Install kubectl (y/n)?" -n1 choice
+case "$choice" in
+ y|Y ) sudo apt-get install -y kubectl=1.11.1-00;;
+esac
+printf "\n"
+
+read -p "Install helm (y/n)?" -n1 choice
+case "$choice" in
+ y|Y )
+ wget https://storage.googleapis.com/kubernetes-helm/helm-v2.8.2-linux-amd64.tar.gz
+ tar -zxvf helm-v2.8.2-linux-amd64.tar.gz
+ chmod o+x linux-amd64/helm
+ sudo mv linux-amd64/helm /usr/local/bin/helm
+ rm -rf linux-amd64
+ rm -rf helm-v2.8.2-linux-amd64.tar.gz
+ ;;
+esac
+printf "\n"
+
+cat << EOF
+########################################################################################################################
+1. You can now join this machines by running "kubeadmin join" command as root:
+Please note that this is just an example, please refer to the output of the "kubeamin init" when cteating the k8s master for the exact comand to use in your k8s cluter!!!
+ kubeadm join 10.12.6.108:6443 --token 43utwe.inl7h8dxn26p26iv --discovery-token-ca-cert-hash sha256:54cc1bcf72218de70c6b98edf4d486f79fb6d921a92ac5b7d10c76dbf96d006f
+
+2. If you would like to get kubectl talk to your k8s master, you need to copy the dministrator kubeconfig file from your master to your workstation like this:
+
+scp root@<master ip>:/etc/kubernetes/admin.conf .
+kubectl --kubeconfig ./admin.conf get nodes
+
+or you can manually copy the content of this file to ~/.kube/conf if scp can't be used due to security reason.
+########################################################################################################################
+
+EOF
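Review bot: The example in the closing heredoc prints a concrete master address, bootstrap token and CA certificate hash that look copied from a real `kubeadm init` run; a committed example should use placeholders, `kubeadm join <master-ip>:6443 --token <token> --discovery-token-ca-cert-hash sha256:<hash>`, and the token should be treated as exposed if that cluster still exists. The text can point the reader to `kubeadm token create --print-join-command` on the master for the exact command instead of a sample. Step 2 tells the reader to copy /etc/kubernetes/admin.conf off the master as root; since that file is the cluster-admin credential, the message should also say to keep the copy at mode 600.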
diff --git a/install/3_install_istio.sh b/install/3_install_istio.sh
new file mode 100755
index 0000000..7166db7
--- /dev/null
+++ b/install/3_install_istio.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Copyright 2018 ZTE, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+wget https://github.com/istio/istio/releases/download/0.8.0/istio-0.8.0-linux.tar.gz
+tar -zxvf istio-0.8.0-linux.tar.gz
+rm -rf istio-0.8.0-linux.tar.gz
+sudo cp istio-0.8.0/bin/istioctl /usr/bin/
+rm -rf istio-0.8.0
+
+kubectl apply -f istio.yaml
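Review bot: Nothing stops the script after a failed step: if the `wget` or `tar` fails, `sudo cp` and `kubectl apply -f istio.yaml` still run, and the apply picks up whatever istio.yaml is in the current directory. Add `set -e` after the license header and resolve the manifest relative to the script, `kubectl apply -f "$(dirname "$0")/istio.yaml"`. Because the binary is copied into /usr/bin as root, the archive should also be checked against the release's published SHA-256 before `tar` runs.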
diff --git a/install/README.md b/install/README.md
new file mode 100644
index 0000000..f858c53
--- /dev/null
+++ b/install/README.md
@@ -0,0 +1,60 @@
+# Scripts to Install Docker, Kubernetes, Helm and Istio on Ubuntu
+
+## Create k8s master node via kubeadmin
+`1_install_k8s_master.sh`
+
+## Create k8s work node via kubeadmin
+`2_install_k8s_minion.sh`
+
+## Install Istio via helm
+`3_install_istio.sh`
+
+## Lable the namespaces in which you want to enable auto sidecar injection
+`kubectl label namespace default istio-injection=enabled`
+
+## Notice
+Sidecar auto injection is disabled, so the sidecar injector will not inject the sidecar into pods by default. Add the sidecar.istio.io/inject annotation with value true to the pod template spec to enable injection.
+
+The following example uses the sidecar.istio.io/inject annotation to enable sidecar injection.
+```
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: ignored
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: ignored
+ image: tutum/curl
+ command: ["/bin/sleep","infinity"]
+```
+
+You can enable sidecar auto injection by setting the injection policy to 'enabled' at line 835 of istio.yaml.
+```
+ 822 apiVersion: v1
+ 823 kind: ConfigMap
+ 824 metadata:
+ 825 name: istio-sidecar-injector
+ 826 namespace: istio-system
+ 827 labels:
+ 828 app: istio
+ 829 chart: istio-0.8.0
+ 830 release: RELEASE-NAME
+ 831 heritage: Tiller
+ 832 istio: sidecar-injector
+ 833 data:
+ 834 config: |-
+ 835 policy: disabled
+ 836 template: |-
+ 837 initContainers:
+ 838 - name: istio-init
+ 839 image: docker.io/istio/proxy_init:0.8.0
+```
+
+For more information on Istio integration, refer to:
+
+ - [Manage ONAP Microservices with Istio Service Mesh](https://wiki.onap.org/display/DW/Manage+ONAP+Microservices+with+Istio+Service+Mesh)
diff --git a/install/helm_service_account.yaml b/install/helm_service_account.yaml
new file mode 100644
index 0000000..c5ae63a
--- /dev/null
+++ b/install/helm_service_account.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tiller
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: tiller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: tiller
+ namespace: kube-system
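Review bot: The ClusterRoleBinding gives the `tiller` service account `cluster-admin` over the whole cluster, so anything that can reach Tiller in kube-system can act as cluster administrator; Helm 2's Tiller accepts requests without authentication unless TLS is enabled at `helm init`. If this is meant for lab clusters only, say so in a comment at the top of the file, for example `# Lab use only: grants Tiller cluster-admin; use a namespaced Role/RoleBinding on shared clusters`. The binding can also use `apiVersion: rbac.authorization.k8s.io/v1`, which the Kubernetes 1.11 installed by these scripts serves, instead of `v1beta1`.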
diff --git a/install/istio.yaml b/install/istio.yaml
new file mode 100644
index 0000000..500940d
--- /dev/null
+++ b/install/istio.yaml
@@ -0,0 +1,3754 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+---
+# Source: istio/charts/mixer/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-statsd-prom-bridge
+ namespace: istio-system
+ labels:
+ app: istio-statsd-prom-bridge
+ chart: mixer-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: mixer
+data:
+ mapping.conf: |-
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-mixer-custom-resources
+ namespace: istio-system
+ labels:
+ app: istio-mixer
+ chart: mixer-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: mixer
+data:
+ custom-resources.yaml: |-
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: attributemanifest
+ metadata:
+ name: istioproxy
+ namespace: istio-system
+ spec:
+ attributes:
+ origin.ip:
+ valueType: IP_ADDRESS
+ origin.uid:
+ valueType: STRING
+ origin.user:
+ valueType: STRING
+ request.headers:
+ valueType: STRING_MAP
+ request.id:
+ valueType: STRING
+ request.host:
+ valueType: STRING
+ request.method:
+ valueType: STRING
+ request.path:
+ valueType: STRING
+ request.reason:
+ valueType: STRING
+ request.referer:
+ valueType: STRING
+ request.scheme:
+ valueType: STRING
+ request.total_size:
+ valueType: INT64
+ request.size:
+ valueType: INT64
+ request.time:
+ valueType: TIMESTAMP
+ request.useragent:
+ valueType: STRING
+ response.code:
+ valueType: INT64
+ response.duration:
+ valueType: DURATION
+ response.headers:
+ valueType: STRING_MAP
+ response.total_size:
+ valueType: INT64
+ response.size:
+ valueType: INT64
+ response.time:
+ valueType: TIMESTAMP
+ source.uid:
+ valueType: STRING
+ source.user:
+ valueType: STRING
+ destination.uid:
+ valueType: STRING
+ connection.id:
+ valueType: STRING
+ connection.received.bytes:
+ valueType: INT64
+ connection.received.bytes_total:
+ valueType: INT64
+ connection.sent.bytes:
+ valueType: INT64
+ connection.sent.bytes_total:
+ valueType: INT64
+ connection.duration:
+ valueType: DURATION
+ connection.mtls:
+ valueType: BOOL
+ context.protocol:
+ valueType: STRING
+ context.timestamp:
+ valueType: TIMESTAMP
+ context.time:
+ valueType: TIMESTAMP
+ api.service:
+ valueType: STRING
+ api.version:
+ valueType: STRING
+ api.operation:
+ valueType: STRING
+ api.protocol:
+ valueType: STRING
+ request.auth.principal:
+ valueType: STRING
+ request.auth.audiences:
+ valueType: STRING
+ request.auth.presenter:
+ valueType: STRING
+ request.auth.claims:
+ valueType: STRING_MAP
+ request.auth.raw_claims:
+ valueType: STRING
+ request.api_key:
+ valueType: STRING
+
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: attributemanifest
+ metadata:
+ name: kubernetes
+ namespace: istio-system
+ spec:
+ attributes:
+ source.ip:
+ valueType: IP_ADDRESS
+ source.labels:
+ valueType: STRING_MAP
+ source.name:
+ valueType: STRING
+ source.namespace:
+ valueType: STRING
+ source.service:
+ valueType: STRING
+ source.serviceAccount:
+ valueType: STRING
+ destination.ip:
+ valueType: IP_ADDRESS
+ destination.labels:
+ valueType: STRING_MAP
+ destination.name:
+ valueType: STRING
+ destination.namespace:
+ valueType: STRING
+ destination.service:
+ valueType: STRING
+ destination.serviceAccount:
+ valueType: STRING
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: stdio
+ metadata:
+ name: handler
+ namespace: istio-system
+ spec:
+ outputAsJson: true
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: logentry
+ metadata:
+ name: accesslog
+ namespace: istio-system
+ spec:
+ severity: '"Info"'
+ timestamp: request.time
+ variables:
+ originIp: origin.ip | ip("0.0.0.0")
+ sourceIp: source.ip | ip("0.0.0.0")
+ sourceService: source.service | ""
+ sourceUser: source.user | source.uid | ""
+ sourceNamespace: source.namespace | ""
+ destinationIp: destination.ip | ip("0.0.0.0")
+ destinationService: destination.service | ""
+ destinationNamespace: destination.namespace | ""
+ apiName: api.service | ""
+ apiVersion: api.version | ""
+ apiClaims: request.headers["sec-istio-auth-userinfo"]| ""
+ apiKey: request.api_key | request.headers["x-api-key"] | ""
+ requestOperation: api.operation | ""
+ protocol: request.scheme | "http"
+ method: request.method | ""
+ url: request.path | ""
+ responseCode: response.code | 0
+ responseSize: response.size | 0
+ requestSize: request.size | 0
+ latency: response.duration | "0ms"
+ connectionMtls: connection.mtls | false
+ userAgent: request.useragent | ""
+ responseTimestamp: response.time
+ receivedBytes: request.total_size | connection.received.bytes | 0
+ sentBytes: response.total_size | connection.sent.bytes | 0
+ referer: request.referer | ""
+ monitored_resource_type: '"UNSPECIFIED"'
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: rule
+ metadata:
+ name: stdio
+ namespace: istio-system
+ spec:
+ match: "true" # If omitted match is true.
+ actions:
+ - handler: handler.stdio
+ instances:
+ - accesslog.logentry
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: metric
+ metadata:
+ name: requestcount
+ namespace: istio-system
+ spec:
+ value: "1"
+ dimensions:
+ source_service: source.service | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_service: destination.service | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ response_code: response.code | 200
+ connection_mtls: connection.mtls | false
+ monitored_resource_type: '"UNSPECIFIED"'
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: metric
+ metadata:
+ name: requestduration
+ namespace: istio-system
+ spec:
+ value: response.duration | "0ms"
+ dimensions:
+ source_service: source.service | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_service: destination.service | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ response_code: response.code | 200
+ connection_mtls: connection.mtls | false
+ monitored_resource_type: '"UNSPECIFIED"'
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: metric
+ metadata:
+ name: requestsize
+ namespace: istio-system
+ spec:
+ value: request.size | 0
+ dimensions:
+ source_service: source.service | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_service: destination.service | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ response_code: response.code | 200
+ connection_mtls: connection.mtls | false
+ monitored_resource_type: '"UNSPECIFIED"'
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: metric
+ metadata:
+ name: responsesize
+ namespace: istio-system
+ spec:
+ value: response.size | 0
+ dimensions:
+ source_service: source.service | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_service: destination.service | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ response_code: response.code | 200
+ connection_mtls: connection.mtls | false
+ monitored_resource_type: '"UNSPECIFIED"'
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: metric
+ metadata:
+ name: tcpbytesent
+ namespace: istio-system
+ labels:
+ istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp
+ spec:
+ value: connection.sent.bytes | 0
+ dimensions:
+ source_service: source.service | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_service: destination.service | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ connection_mtls: connection.mtls | false
+ monitored_resource_type: '"UNSPECIFIED"'
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: metric
+ metadata:
+ name: tcpbytereceived
+ namespace: istio-system
+ labels:
+ istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp
+ spec:
+ value: connection.received.bytes | 0
+ dimensions:
+ source_service: source.service | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_service: destination.service | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ connection_mtls: connection.mtls | false
+ monitored_resource_type: '"UNSPECIFIED"'
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: prometheus
+ metadata:
+ name: handler
+ namespace: istio-system
+ spec:
+ metrics:
+ - name: request_count
+ instance_name: requestcount.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - source_service
+ - source_version
+ - destination_service
+ - destination_version
+ - response_code
+ - connection_mtls
+ - name: request_duration
+ instance_name: requestduration.metric.istio-system
+ kind: DISTRIBUTION
+ label_names:
+ - source_service
+ - source_version
+ - destination_service
+ - destination_version
+ - response_code
+ - connection_mtls
+ buckets:
+ explicit_buckets:
+ bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
+ - name: request_size
+ instance_name: requestsize.metric.istio-system
+ kind: DISTRIBUTION
+ label_names:
+ - source_service
+ - source_version
+ - destination_service
+ - destination_version
+ - response_code
+ - connection_mtls
+ buckets:
+ exponentialBuckets:
+ numFiniteBuckets: 8
+ scale: 1
+ growthFactor: 10
+ - name: response_size
+ instance_name: responsesize.metric.istio-system
+ kind: DISTRIBUTION
+ label_names:
+ - source_service
+ - source_version
+ - destination_service
+ - destination_version
+ - response_code
+ - connection_mtls
+ buckets:
+ exponentialBuckets:
+ numFiniteBuckets: 8
+ scale: 1
+ growthFactor: 10
+ - name: tcp_bytes_sent
+ instance_name: tcpbytesent.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - source_service
+ - source_version
+ - destination_service
+ - destination_version
+ - connection_mtls
+ - name: tcp_bytes_received
+ instance_name: tcpbytereceived.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - source_service
+ - source_version
+ - destination_service
+ - destination_version
+ - connection_mtls
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: rule
+ metadata:
+ name: promhttp
+ namespace: istio-system
+ labels:
+ istio-protocol: http
+ spec:
+ actions:
+ - handler: handler.prometheus
+ instances:
+ - requestcount.metric
+ - requestduration.metric
+ - requestsize.metric
+ - responsesize.metric
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: rule
+ metadata:
+ name: promtcp
+ namespace: istio-system
+ labels:
+ istio-protocol: tcp # needed so that mixer will only execute when context.protocol == TCP
+ spec:
+ actions:
+ - handler: handler.prometheus
+ instances:
+ - tcpbytesent.metric
+ - tcpbytereceived.metric
+ ---
+
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: kubernetesenv
+ metadata:
+ name: handler
+ namespace: istio-system
+ spec:
+ # when running from mixer root, use the following config after adding a
+ # symbolic link to a kubernetes config file via:
+ #
+ # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
+ #
+ # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
+
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: rule
+ metadata:
+ name: kubeattrgenrulerule
+ namespace: istio-system
+ spec:
+ actions:
+ - handler: handler.kubernetesenv
+ instances:
+ - attributes.kubernetes
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: rule
+ metadata:
+ name: tcpkubeattrgenrulerule
+ namespace: istio-system
+ spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: handler.kubernetesenv
+ instances:
+ - attributes.kubernetes
+ ---
+ apiVersion: "config.istio.io/v1alpha2"
+ kind: kubernetes
+ metadata:
+ name: attributes
+ namespace: istio-system
+ spec:
+ # Pass the required attribute data to the adapter
+ source_uid: source.uid | ""
+ source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
+ destination_uid: destination.uid | ""
+ origin_uid: '""'
+ origin_ip: ip("0.0.0.0") # default to unspecified ip addr
+ attribute_bindings:
+ # Fill the new attributes from the adapter produced output.
+ # $out refers to an instance of OutputTemplate message
+ source.ip: $out.source_pod_ip | ip("0.0.0.0")
+ source.labels: $out.source_labels | emptyStringMap()
+ source.namespace: $out.source_namespace | "default"
+ source.service: $out.source_service | "unknown"
+ source.serviceAccount: $out.source_service_account_name | "unknown"
+ destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
+ destination.labels: $out.destination_labels | emptyStringMap()
+ destination.namespace: $out.destination_namespace | "default"
+ destination.service: $out.destination_service | "unknown"
+ destination.serviceAccount: $out.destination_service_account_name | "unknown"
+ ---
+ # Configuration needed by Mixer.
+ # Mixer cluster is delivered via CDS
+ # Specify mixer cluster settings
+ apiVersion: networking.istio.io/v1alpha3
+ kind: DestinationRule
+ metadata:
+ name: istio-policy
+ namespace: istio-system
+ spec:
+ host: istio-policy.istio-system.svc.cluster.local
+ trafficPolicy:
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+ ---
+ apiVersion: networking.istio.io/v1alpha3
+ kind: DestinationRule
+ metadata:
+ name: istio-telemetry
+ namespace: istio-system
+ spec:
+ host: istio-telemetry.istio-system.svc.cluster.local
+ trafficPolicy:
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+ ---
+
+
+---
+# Source: istio/charts/prometheus/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: prometheus
+ namespace: istio-system
+ labels:
+ app: prometheus
+ chart: prometheus-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+data:
+ prometheus.yml: |-
+ global:
+ scrape_interval: 15s
+ scrape_configs:
+
+ - job_name: 'istio-mesh'
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-system;istio-telemetry;prometheus
+
+ - job_name: 'envoy'
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+ # metrics_path defaults to '/metrics'
+ # scheme defaults to 'http'.
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-system;istio-statsd-prom-bridge;statsd-prom
+
+ - job_name: 'istio-policy'
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+ # metrics_path defaults to '/metrics'
+ # scheme defaults to 'http'.
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-system;istio-policy;http-monitoring
+
+ - job_name: 'istio-telemetry'
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+ # metrics_path defaults to '/metrics'
+ # scheme defaults to 'http'.
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-system;istio-telemetry;http-monitoring
+
+ - job_name: 'pilot'
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+ # metrics_path defaults to '/metrics'
+ # scheme defaults to 'http'.
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-system;istio-pilot;http-monitoring
+
+ # scrape config for API servers
+ - job_name: 'kubernetes-apiservers'
+ kubernetes_sd_configs:
+ - role: endpoints
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: default;kubernetes;https
+
+ # scrape config for nodes (kubelet)
+ - job_name: 'kubernetes-nodes'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics
+
+ # Scrape config for Kubelet cAdvisor.
+ #
+ # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
+ # (those whose names begin with 'container_') have been removed from the
+ # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
+ # retrieve those metrics.
+ #
+ # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
+ # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
+ # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
+ # the --cadvisor-port=0 Kubelet flag).
+ #
+ # This job is not necessary and should be removed in Kubernetes 1.6 and
+ # earlier versions, or it will cause the metrics to be scraped twice.
+ - job_name: 'kubernetes-cadvisor'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+
+ # scrape config for service endpoints.
+ - job_name: 'kubernetes-service-endpoints'
+ kubernetes_sd_configs:
+ - role: endpoints
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+ action: replace
+ target_label: __scheme__
+ regex: (https?)
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+ action: replace
+ target_label: __address__
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ action: replace
+ target_label: kubernetes_name
+
+ # Example scrape config for pods
+ - job_name: 'kubernetes-pods'
+ kubernetes_sd_configs:
+ - role: pod
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod_name
+
+---
+# Source: istio/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio
+ namespace: istio-system
+ labels:
+ app: istio
+ chart: istio-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+data:
+ mesh: |-
+ #
+ # Edit this list to avoid using mTLS to connect to these services.
+ # Typically, these are control services (e.g kubernetes API server) that don't have istio sidecar
+ # to transparently terminate mTLS authentication.
+ # mtlsExcludedServices: ["kubernetes.default.svc.cluster.local"]
+
+ # Set the following variable to true to disable policy checks by the Mixer.
+ # Note that metrics will still be reported to the Mixer.
+ disablePolicyChecks: false
+ # Set enableTracing to false to disable request tracing.
+ enableTracing: true
+ #
+ # To disable the mixer completely (including metrics), comment out
+ # the following lines
+ mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004
+ mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004
+ # This is the ingress service name, update if you used a different name
+ ingressService: istio-ingress
+ #
+ # Along with discoveryRefreshDelay, this setting determines how
+ # frequently should Envoy fetch and update its internal configuration
+ # from istio Pilot. Lower refresh delay results in higher CPU
+ # utilization and potential performance loss in exchange for faster
+ # convergence. Tweak this value according to your setup.
+ rdsRefreshDelay: 10s
+ #
+ defaultConfig:
+ # NOTE: If you change any values in this section, make sure to make
+ # the same changes in start up args in istio-ingress pods.
+ # See rdsRefreshDelay for explanation about this setting.
+ discoveryRefreshDelay: 10s
+ #
+ # TCP connection timeout between Envoy & the application, and between Envoys.
+ connectTimeout: 10s
+ #
+ ### ADVANCED SETTINGS #############
+ # Where should envoy's configuration be stored in the istio-proxy container
+ configPath: "/etc/istio/proxy"
+ binaryPath: "/usr/local/bin/envoy"
+ # The pseudo service name used for Envoy.
+ serviceCluster: istio-proxy
+ # These settings that determine how long an old Envoy
+ # process should be kept alive after an occasional reload.
+ drainDuration: 45s
+ parentShutdownDuration: 1m0s
+ #
+ # The mode used to redirect inbound connections to Envoy. This setting
+ # has no effect on outbound traffic: iptables REDIRECT is always used for
+ # outbound connections.
+ # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
+ # The "REDIRECT" mode loses source addresses during redirection.
+ # If "TPROXY", use iptables TPROXY to redirect to Envoy.
+ # The "TPROXY" mode preserves both the source and destination IP
+ # addresses and ports, so that they can be used for advanced filtering
+ # and manipulation.
+ # The "TPROXY" mode also configures the sidecar to run with the
+ # CAP_NET_ADMIN capability, which is required to use TPROXY.
+ #interceptionMode: REDIRECT
+ #
+ # Port where Envoy listens (on local host) for admin commands
+ # You can exec into the istio-proxy container in a pod and
+ # curl the admin port (curl http://localhost:15000/) to obtain
+ # diagnostic information from Envoy. See
+ # https://lyft.github.io/envoy/docs/operations/admin.html
+ # for more details
+ proxyAdminPort: 15000
+ #
+ # Zipkin trace collector
+ zipkinAddress: zipkin.istio-system:9411
+ #
+ # Statsd metrics collector converts statsd metrics into Prometheus metrics.
+ statsdUdpAddress: istio-statsd-prom-bridge.istio-system:9125
+ #
+ # Mutual TLS authentication between sidecars and istio control plane.
+ controlPlaneAuthPolicy: NONE
+ #
+ # Address where istio Pilot service is running
+ discoveryAddress: istio-pilot.istio-system:15007
+
+---
+# Source: istio/templates/sidecar-injector-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ labels:
+ app: istio
+ chart: istio-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: sidecar-injector
+data:
+ config: |-
+ policy: disabled
+ template: |-
+ initContainers:
+ - name: istio-init
+ image: docker.io/istio/proxy_init:0.8.0
+ args:
+ - "-p"
+ - [[ .MeshConfig.ProxyListenPort ]]
+ - "-u"
+ - 1337
+ - "-m"
+ - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
+ - "-i"
+ [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges") -]]
+ - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges" ]]"
+ [[ else -]]
+ - "*"
+ [[ end -]]
+ - "-x"
+ [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges") -]]
+ - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges" ]]"
+ [[ else -]]
+ - ""
+ [[ end -]]
+ - "-b"
+ [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts") -]]
+ - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts" ]]"
+ [[ else -]]
+ - [[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]
+ - "-d"
+ [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts") -]]
+ - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts" ]]"
+ [[ else -]]
+ - ""
+ [[ end -]]
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ privileged: true
+ restartPolicy: Always
+
+ containers:
+ - name: istio-proxy
+ image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]]
+ "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]"
+ [[ else -]]
+ docker.io/istio/proxy_debug:0.8.0
+ [[ end -]]
+ args:
+ - proxy
+ - sidecar
+ - --configPath
+ - [[ .ProxyConfig.ConfigPath ]]
+ - --binaryPath
+ - [[ .ProxyConfig.BinaryPath ]]
+ - --serviceCluster
+ [[ if ne "" (index .ObjectMeta.Labels "app") -]]
+ - [[ index .ObjectMeta.Labels "app" ]]
+ [[ else -]]
+ - "istio-proxy"
+ [[ end -]]
+ - --drainDuration
+ - [[ formatDuration .ProxyConfig.DrainDuration ]]
+ - --parentShutdownDuration
+ - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]
+ - --discoveryAddress
+ - [[ .ProxyConfig.DiscoveryAddress ]]
+ - --discoveryRefreshDelay
+ - [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]
+ - --zipkinAddress
+ - [[ .ProxyConfig.ZipkinAddress ]]
+ - --connectTimeout
+ - [[ formatDuration .ProxyConfig.ConnectTimeout ]]
+ - --statsdUdpAddress
+ - [[ .ProxyConfig.StatsdUdpAddress ]]
+ - --proxyAdminPort
+ - [[ .ProxyConfig.ProxyAdminPort ]]
+ - --controlPlaneAuthPolicy
+ - [[ .ProxyConfig.ControlPlaneAuthPolicy ]]
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: ISTIO_META_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]]
+ capabilities:
+ add:
+ - NET_ADMIN
+ [[ else -]]
+ runAsUser: 1337
+ [[ end -]]
+ restartPolicy: Always
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ volumeMounts:
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ volumes:
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-certs
+ secret:
+ optional: true
+ [[ if eq .Spec.ServiceAccountName "" -]]
+ secretName: istio.default
+ [[ else -]]
+ secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]]
+ [[ end -]]
+
+
+---
+# Source: istio/charts/egressgateway/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-egressgateway-service-account
+ namespace: istio-system
+ labels:
+ app: egressgateway
+ chart: egressgateway-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+
+---
+# Source: istio/charts/ingressgateway/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-ingressgateway-service-account
+ namespace: istio-system
+ labels:
+ app: ingressgateway
+ chart: ingressgateway-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+
+---
+# Source: istio/charts/mixer/templates/create-custom-resources-job.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-mixer-post-install-account
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-mixer-post-install-istio-system
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+rules:
+- apiGroups: ["config.istio.io"] # istio CRD watcher
+ resources: ["*"]
+ verbs: ["create", "get", "list", "watch", "patch"]
+- apiGroups: ["networking.istio.io"] # needed to create mixer destination rules
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-mixer-post-install-role-binding-istio-system
+ labels:
+ app: mixer
+ chart: mixer-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-mixer-post-install-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-mixer-post-install-account
+ namespace: istio-system
+---
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-mixer-post-install
+ namespace: istio-system
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": before-hook-creation
+ labels:
+ app: mixer
+ chart: mixer-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ template:
+ metadata:
+ name: istio-mixer-post-install
+ labels:
+ app: mixer
+ release: RELEASE-NAME
+ spec:
+ serviceAccountName: istio-mixer-post-install-account
+ containers:
+ - name: hyperkube
+ image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
+ command:
+ - ./kubectl
+ - apply
+ - -f
+ - /tmp/mixer/custom-resources.yaml
+ volumeMounts:
+ - mountPath: "/tmp/mixer"
+ name: tmp-configmap-mixer
+ volumes:
+ - name: tmp-configmap-mixer
+ configMap:
+ name: istio-mixer-custom-resources
+ restartPolicy: Never # CRD might take some time till they are available to consume
+
+---
+# Source: istio/charts/mixer/templates/serviceaccount.yaml
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-mixer-service-account
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+
+---
+# Source: istio/charts/pilot/templates/serviceaccount.yaml
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-pilot-service-account
+ namespace: istio-system
+ labels:
+ app: istio-pilot
+ chart: pilot-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+
+---
+# Source: istio/charts/prometheus/templates/serviceaccount.yaml
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: prometheus
+ namespace: istio-system
+
+---
+# Source: istio/charts/security/templates/serviceaccount.yaml
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-citadel-service-account
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-cleanup-old-ca-service-account
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-sidecar-injector-service-account
+ namespace: istio-system
+ labels:
+ app: istio-sidecar-injector
+ chart: sidecarInjectorWebhook-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+
+---
+# Source: istio/charts/mixer/templates/crds.yaml
+# Mixer CRDs
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: rules.config.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: core
+spec:
+ group: config.istio.io
+ names:
+ kind: rule
+ plural: rules
+ singular: rule
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: attributemanifests.config.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: core
+spec:
+ group: config.istio.io
+ names:
+ kind: attributemanifest
+ plural: attributemanifests
+ singular: attributemanifest
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: circonuses.config.istio.io
+ labels:
+ app: mixer
+ package: circonus
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: circonus
+ plural: circonuses
+ singular: circonus
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: deniers.config.istio.io
+ labels:
+ app: mixer
+ package: denier
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: denier
+ plural: deniers
+ singular: denier
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: fluentds.config.istio.io
+ labels:
+ app: mixer
+ package: fluentd
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: fluentd
+ plural: fluentds
+ singular: fluentd
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: kubernetesenvs.config.istio.io
+ labels:
+ app: mixer
+ package: kubernetesenv
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: kubernetesenv
+ plural: kubernetesenvs
+ singular: kubernetesenv
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: listcheckers.config.istio.io
+ labels:
+ app: mixer
+ package: listchecker
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: listchecker
+ plural: listcheckers
+ singular: listchecker
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: memquotas.config.istio.io
+ labels:
+ app: mixer
+ package: memquota
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: memquota
+ plural: memquotas
+ singular: memquota
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: noops.config.istio.io
+ labels:
+ app: mixer
+ package: noop
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: noop
+ plural: noops
+ singular: noop
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: opas.config.istio.io
+ labels:
+ app: mixer
+ package: opa
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: opa
+ plural: opas
+ singular: opa
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: prometheuses.config.istio.io
+ labels:
+ app: mixer
+ package: prometheus
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: prometheus
+ plural: prometheuses
+ singular: prometheus
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: rbacs.config.istio.io
+ labels:
+ app: mixer
+ package: rbac
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: rbac
+ plural: rbacs
+ singular: rbac
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: servicecontrols.config.istio.io
+ labels:
+ app: mixer
+ package: servicecontrol
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: servicecontrol
+ plural: servicecontrols
+ singular: servicecontrol
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: solarwindses.config.istio.io
+ labels:
+ app: mixer
+ package: solarwinds
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: solarwinds
+ plural: solarwindses
+ singular: solarwinds
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: stackdrivers.config.istio.io
+ labels:
+ app: mixer
+ package: stackdriver
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: stackdriver
+ plural: stackdrivers
+ singular: stackdriver
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: statsds.config.istio.io
+ labels:
+ app: mixer
+ package: statsd
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: statsd
+ plural: statsds
+ singular: statsd
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: stdios.config.istio.io
+ labels:
+ app: mixer
+ package: stdio
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: stdio
+ plural: stdios
+ singular: stdio
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: apikeys.config.istio.io
+ labels:
+ app: mixer
+ package: apikey
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: apikey
+ plural: apikeys
+ singular: apikey
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: authorizations.config.istio.io
+ labels:
+ app: mixer
+ package: authorization
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: authorization
+ plural: authorizations
+ singular: authorization
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: checknothings.config.istio.io
+ labels:
+ app: mixer
+ package: checknothing
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: checknothing
+ plural: checknothings
+ singular: checknothing
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: kuberneteses.config.istio.io
+ labels:
+ app: mixer
+ package: adapter.template.kubernetes
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: kubernetes
+ plural: kuberneteses
+ singular: kubernetes
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: listentries.config.istio.io
+ labels:
+ app: mixer
+ package: listentry
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: listentry
+ plural: listentries
+ singular: listentry
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: logentries.config.istio.io
+ labels:
+ app: mixer
+ package: logentry
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: logentry
+ plural: logentries
+ singular: logentry
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: metrics.config.istio.io
+ labels:
+ app: mixer
+ package: metric
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: metric
+ plural: metrics
+ singular: metric
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotas.config.istio.io
+ labels:
+ app: mixer
+ package: quota
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: quota
+ plural: quotas
+ singular: quota
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: reportnothings.config.istio.io
+ labels:
+ app: mixer
+ package: reportnothing
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: reportnothing
+ plural: reportnothings
+ singular: reportnothing
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: servicecontrolreports.config.istio.io
+ labels:
+ app: mixer
+ package: servicecontrolreport
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: servicecontrolreport
+ plural: servicecontrolreports
+ singular: servicecontrolreport
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: tracespans.config.istio.io
+ labels:
+ app: mixer
+ package: tracespan
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: tracespan
+ plural: tracespans
+ singular: tracespan
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: serviceroles.config.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+spec:
+ group: config.istio.io
+ names:
+ kind: ServiceRole
+ plural: serviceroles
+ singular: servicerole
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: servicerolebindings.config.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+spec:
+ group: config.istio.io
+ names:
+ kind: ServiceRoleBinding
+ plural: servicerolebindings
+ singular: servicerolebinding
+ scope: Namespaced
+ version: v1alpha2
+
+---
+# Source: istio/charts/pilot/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: destinationpolicies.config.istio.io
+ labels:
+ app: istio-pilot
+spec:
+ group: config.istio.io
+ names:
+ kind: DestinationPolicy
+ listKind: DestinationPolicyList
+ plural: destinationpolicies
+ singular: destinationpolicy
+ scope: Namespaced
+ version: v1alpha2
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: egressrules.config.istio.io
+ labels:
+ app: istio-pilot
+spec:
+ group: config.istio.io
+ names:
+ kind: EgressRule
+ listKind: EgressRuleList
+ plural: egressrules
+ singular: egressrule
+ scope: Namespaced
+ version: v1alpha2
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: routerules.config.istio.io
+ labels:
+ app: istio-pilot
+spec:
+ group: config.istio.io
+ names:
+ kind: RouteRule
+ listKind: RouteRuleList
+ plural: routerules
+ singular: routerule
+ scope: Namespaced
+ version: v1alpha2
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: virtualservices.networking.istio.io
+ labels:
+ app: istio-pilot
+spec:
+ group: networking.istio.io
+ names:
+ kind: VirtualService
+ listKind: VirtualServiceList
+ plural: virtualservices
+ singular: virtualservice
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: destinationrules.networking.istio.io
+ labels:
+ app: istio-pilot
+spec:
+ group: networking.istio.io
+ names:
+ kind: DestinationRule
+ listKind: DestinationRuleList
+ plural: destinationrules
+ singular: destinationrule
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: serviceentries.networking.istio.io
+ labels:
+ app: istio-pilot
+spec:
+ group: networking.istio.io
+ names:
+ kind: ServiceEntry
+ listKind: ServiceEntryList
+ plural: serviceentries
+ singular: serviceentry
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: gateways.networking.istio.io
+ labels:
+ app: istio-pilot
+spec:
+ group: networking.istio.io
+ names:
+ kind: Gateway
+ plural: gateways
+ singular: gateway
+ scope: Namespaced
+ version: v1alpha3
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: policies.authentication.istio.io
+spec:
+ group: authentication.istio.io
+ names:
+ kind: Policy
+ plural: policies
+ singular: policy
+ scope: Namespaced
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: httpapispecbindings.config.istio.io
+spec:
+ group: config.istio.io
+ names:
+ kind: HTTPAPISpecBinding
+ plural: httpapispecbindings
+ singular: httpapispecbinding
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: httpapispecs.config.istio.io
+spec:
+ group: config.istio.io
+ names:
+ kind: HTTPAPISpec
+ plural: httpapispecs
+ singular: httpapispec
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotaspecbindings.config.istio.io
+spec:
+ group: config.istio.io
+ names:
+ kind: QuotaSpecBinding
+ plural: quotaspecbindings
+ singular: quotaspecbinding
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotaspecs.config.istio.io
+spec:
+ group: config.istio.io
+ names:
+ kind: QuotaSpec
+ plural: quotaspecs
+ singular: quotaspec
+ scope: Namespaced
+ version: v1alpha2
+
+
+---
+# Source: istio/charts/mixer/templates/clusterrole.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-mixer-istio-system
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+rules:
+- apiGroups: ["config.istio.io"] # istio CRD watcher
+ resources: ["*"]
+ verbs: ["create", "get", "list", "watch", "patch"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+
+---
+# Source: istio/charts/pilot/templates/clusterrole.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-pilot-istio-system
+ namespace: istio-system
+ labels:
+ app: istio-pilot
+ chart: pilot-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+rules:
+- apiGroups: ["config.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["authentication.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["*"]
+- apiGroups: ["extensions"]
+ resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+- apiGroups: [""]
+ resources: ["endpoints", "pods", "services"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["namespaces", "nodes", "secrets"]
+ verbs: ["get", "list", "watch"]
+
+---
+# Source: istio/charts/prometheus/templates/clusterrole.yaml
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: prometheus-istio-system
+ namespace: istio-system
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - pods
+ - nodes/proxy
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - configmaps
+ verbs: ["get"]
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus-istio-system
+ namespace: istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus-istio-system
+subjects:
+- kind: ServiceAccount
+ name: prometheus
+ namespace: istio-system
+---
+
+
+---
+# Source: istio/charts/security/templates/clusterrole.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-citadel-istio-system
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+- apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: istio-cleanup-old-ca-istio-system
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+rules:
+- apiGroups: [""]
+ resources: ["deployments", "serviceaccounts", "services"]
+ verbs: ["get", "delete"]
+- apiGroups: ["extensions"]
+ resources: ["deployments", "replicasets"]
+ verbs: ["get", "list", "update", "delete"]
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-sidecar-injector-istio-system
+ labels:
+ app: istio-sidecar-injector
+ chart: sidecarInjectorWebhook-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+rules:
+- apiGroups: ["*"]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "patch"]
+
+---
+# Source: istio/charts/mixer/templates/clusterrolebinding.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-mixer-admin-role-binding-istio-system
+ labels:
+ app: mixer
+ chart: mixer-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-mixer-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ namespace: istio-system
+
+---
+# Source: istio/charts/pilot/templates/clusterrolebinding.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-pilot-istio-system
+ labels:
+ app: istio-pilot
+ chart: pilot-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-pilot-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-pilot-service-account
+ namespace: istio-system
+
+---
+# Source: istio/charts/security/templates/clusterrolebinding.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-citadel-istio-system
+ labels:
+ app: security
+ chart: security-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-citadel-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: istio-cleanup-old-ca-istio-system
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-cleanup-old-ca-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-cleanup-old-ca-service-account
+ namespace: istio-system
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-sidecar-injector-admin-role-binding-istio-system
+ labels:
+ app: istio-sidecar-injector
+ chart: sidecarInjectorWebhook-0.8.0
+ heritage: Tiller
+ release: RELEASE-NAME
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-sidecar-injector-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ namespace: istio-system
+---
+# Source: istio/charts/egressgateway/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-egressgateway
+ namespace: istio-system
+ labels:
+ chart: egressgateway-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: egressgateway
+spec:
+ type: ClusterIP
+ selector:
+ istio: egressgateway
+ ports:
+ -
+ name: http
+ port: 80
+ -
+ name: https
+ port: 443
+
+---
+# Source: istio/charts/grafana/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana
+ namespace: istio-system
+ annotations:
+ auth.istio.io/3000: NONE
+ labels:
+ app: grafana
+ chart: grafana-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ type: NodePort
+ ports:
+ - port: 3000
+ targetPort: 3000
+ protocol: TCP
+ name: http
+ nodePort: 30300
+ selector:
+ app: grafana
+
+---
+# Source: istio/charts/ingressgateway/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+ labels:
+ chart: ingressgateway-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: ingressgateway
+spec:
+ type: LoadBalancer
+ selector:
+ istio: ingressgateway
+ ports:
+ -
+ name: http
+ nodePort: 31380
+ port: 80
+ -
+ name: https
+ nodePort: 31390
+ port: 443
+ -
+ name: tcp
+ nodePort: 31400
+ port: 31400
+
+---
+# Source: istio/charts/mixer/templates/service.yaml
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-policy
+ namespace: istio-system
+ labels:
+ chart: mixer-0.8.0
+ release: RELEASE-NAME
+ istio: mixer
+spec:
+ ports:
+ - name: grpc-mixer
+ port: 9091
+ - name: grpc-mixer-mtls
+ port: 15004
+ - name: http-monitoring
+ port: 9093
+ selector:
+ istio: mixer
+ istio-mixer-type: policy
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+ labels:
+ chart: mixer-0.8.0
+ release: RELEASE-NAME
+ istio: mixer
+spec:
+ ports:
+ - name: grpc-mixer
+ port: 9091
+ - name: grpc-mixer-mtls
+ port: 15004
+ - name: http-monitoring
+ port: 9093
+ - name: prometheus
+ port: 42422
+ selector:
+ istio: mixer
+ istio-mixer-type: telemetry
+---
+
+---
+# Source: istio/charts/mixer/templates/statsdtoprom.yaml
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-statsd-prom-bridge
+ namespace: istio-system
+ labels:
+ chart: mixer-0.8.0
+ release: RELEASE-NAME
+ istio: statsd-prom-bridge
+spec:
+ ports:
+ - name: statsd-prom
+ port: 9102
+ - name: statsd-udp
+ port: 9125
+ protocol: UDP
+ selector:
+ istio: statsd-prom-bridge
+
+---
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-statsd-prom-bridge
+ namespace: istio-system
+ labels:
+ chart: mixer-0.8.0
+ release: RELEASE-NAME
+ istio: mixer
+spec:
+ template:
+ metadata:
+ labels:
+ istio: statsd-prom-bridge
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-mixer-service-account
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-statsd-prom-bridge
+ containers:
+ - name: statsd-prom-bridge
+ image: "prom/statsd-exporter:latest"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9102
+ - containerPort: 9125
+ protocol: UDP
+ args:
+ - '-statsd.mapping-config=/etc/statsd/mapping.conf'
+ resources:
+ {}
+
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/statsd
+
+---
+# Source: istio/charts/pilot/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-pilot
+ namespace: istio-system
+ labels:
+ app: istio-pilot
+ chart: pilot-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ ports:
+ - port: 15003
+ name: http-old-discovery # mTLS or non-mTLS depending on auth setting
+ - port: 15005
+ name: https-discovery # always mTLS
+ - port: 15007
+ name: http-discovery # always plain-text
+ - port: 15010
+ name: grpc-xds # direct
+ - port: 15011
+ name: https-xds # mTLS
+ - port: 8080
+ name: http-legacy-discovery # direct
+ - port: 9093
+ name: http-monitoring
+ selector:
+ istio: pilot
+
+---
+# Source: istio/charts/prometheus/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: prometheus
+ namespace: istio-system
+ annotations:
+ prometheus.io/scrape: 'true'
+ labels:
+ name: prometheus
+spec:
+ selector:
+ app: prometheus
+ ports:
+ - name: http-prometheus
+ protocol: TCP
+ port: 9090
+
+---
+# Source: istio/charts/security/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ # we use the normal name here (e.g. 'prometheus')
+ # as grafana is configured to use this as a data source
+ name: istio-citadel
+ namespace: istio-system
+ labels:
+ app: istio-citadel
+spec:
+ ports:
+ - name: grpc-citadel
+ port: 8060
+ targetPort: 8060
+ protocol: TCP
+ - name: http-monitoring
+ port: 9093
+ selector:
+ istio: citadel
+
+---
+# Source: istio/charts/servicegraph/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: servicegraph
+ namespace: istio-system
+ labels:
+ app: servicegraph
+ chart: servicegraph-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ type: NodePort
+ ports:
+ - port: 8088
+ targetPort: 8088
+ protocol: TCP
+ name: http
+ nodePort: 30088
+ selector:
+ app: servicegraph
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ labels:
+ istio: sidecar-injector
+spec:
+ ports:
+ - port: 443
+ selector:
+ istio: sidecar-injector
+
+---
+# Source: istio/charts/egressgateway/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-egressgateway
+ namespace: istio-system
+ labels:
+ app: egressgateway
+ chart: egressgateway-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: egressgateway
+spec:
+ replicas:
+ template:
+ metadata:
+ labels:
+ istio: egressgateway
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-egressgateway-service-account
+ containers:
+ - name: egressgateway
+ image: "docker.io/istio/proxyv2:0.8.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+ args:
+ - proxy
+ - router
+ - -v
+ - "2"
+ - --discoveryRefreshDelay
+ - '1s' #discoveryRefreshDelay
+ - --drainDuration
+ - '45s' #drainDuration
+ - --parentShutdownDuration
+ - '1m0s' #parentShutdownDuration
+ - --connectTimeout
+ - '10s' #connectTimeout
+ - --serviceCluster
+ - istio-egressgateway
+ - --zipkinAddress
+ - zipkin:9411
+ - --statsdUdpAddress
+ - istio-statsd-prom-bridge:9125
+ - --proxyAdminPort
+ - "15000"
+ - --controlPlaneAuthPolicy
+ - NONE
+ - --discoveryAddress
+ - istio-pilot:8080
+ resources:
+ {}
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: ISTIO_META_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: "istio.default"
+ optional: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/grafana/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: grafana
+ namespace: istio-system
+ labels:
+ app: grafana
+ chart: grafana-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: grafana
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: grafana
+ image: "docker.io/istio/grafana:0.8.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 3000
+ readinessProbe:
+ httpGet:
+ path: /login
+ port: 3000
+ env:
+ - name: GRAFANA_PORT
+ value: "3000"
+ - name: GF_AUTH_BASIC_ENABLED
+ value: "false"
+ - name: GF_AUTH_ANONYMOUS_ENABLED
+ value: "true"
+ - name: GF_AUTH_ANONYMOUS_ORG_ROLE
+ value: Admin
+ - name: GF_PATHS_DATA
+ value: /data/grafana
+ resources:
+ {}
+
+ volumeMounts:
+ - name: data
+ mountPath: /data/grafana
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+ volumes:
+ - name: data
+ emptyDir: {}
+---
+# Source: istio/charts/ingressgateway/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+ labels:
+ app: ingressgateway
+ chart: ingressgateway-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: ingressgateway
+spec:
+ replicas:
+ template:
+ metadata:
+ labels:
+ istio: ingressgateway
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-ingressgateway-service-account
+ containers:
+ - name: ingressgateway
+ image: "docker.io/istio/proxyv2:0.8.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+ - containerPort: 31400
+ args:
+ - proxy
+ - router
+ - -v
+ - "2"
+ - --discoveryRefreshDelay
+ - '1s' #discoveryRefreshDelay
+ - --drainDuration
+ - '45s' #drainDuration
+ - --parentShutdownDuration
+ - '1m0s' #parentShutdownDuration
+ - --connectTimeout
+ - '10s' #connectTimeout
+ - --serviceCluster
+ - istio-ingressgateway
+ - --zipkinAddress
+ - zipkin:9411
+ - --statsdUdpAddress
+ - istio-statsd-prom-bridge:9125
+ - --proxyAdminPort
+ - "15000"
+ - --controlPlaneAuthPolicy
+ - NONE
+ - --discoveryAddress
+ - istio-pilot:8080
+ resources:
+ {}
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: ISTIO_META_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: ingressgateway-certs
+ mountPath: "/etc/istio/ingressgateway-certs"
+ readOnly: true
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: "istio.default"
+ optional: true
+ - name: ingressgateway-certs
+ secret:
+ secretName: "istio-ingressgateway-certs"
+ optional: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/mixer/templates/deployment.yaml
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-policy
+ namespace: istio-system
+ labels:
+ chart: mixer-0.8.0
+ release: RELEASE-NAME
+ istio: mixer
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ istio: mixer
+ istio-mixer-type: policy
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-mixer-service-account
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-mixer-service-account
+ optional: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+ containers:
+ - name: mixer
+ image: "docker.io/istio/mixer:0.8.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9092
+ - containerPort: 9093
+ - containerPort: 42422
+ args:
+ - --address
+ - tcp://127.0.0.1:9092
+ - --configStoreURL=k8s://
+ - --configDefaultNamespace=istio-system
+ - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
+ resources:
+ {}
+
+ - name: istio-proxy
+ image: "docker.io/istio/proxyv2:0.8.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9091
+ - containerPort: 15004
+ args:
+ - proxy
+ - --serviceCluster
+ - istio-policy
+ - --templateFile
+ - /etc/istio/proxy/envoy_policy.yaml.tmpl
+ - --controlPlaneAuthPolicy
+ - NONE
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+ labels:
+ chart: mixer-0.8.0
+ release: RELEASE-NAME
+ istio: mixer
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ istio: mixer
+ istio-mixer-type: telemetry
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-mixer-service-account
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-mixer-service-account
+ optional: true
+ containers:
+ - name: mixer
+ image: "docker.io/istio/mixer:0.8.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9092
+ - containerPort: 9093
+ - containerPort: 42422
+ args:
+ - --address
+ - tcp://127.0.0.1:9092
+ - --configStoreURL=k8s://
+ - --configDefaultNamespace=istio-system
+ - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
+ resources:
+ {}
+
+ - name: istio-proxy
+ image: "docker.io/istio/proxyv2:0.8.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9091
+ - containerPort: 15004
+ args:
+ - proxy
+ - --serviceCluster
+ - istio-telemetry
+ - --templateFile
+ - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
+ - --controlPlaneAuthPolicy
+ - NONE
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+
+---
+
+---
+# Source: istio/charts/pilot/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-pilot
+ namespace: istio-system
+ # TODO: default tempate doesn't have this, which one is right ?
+ labels:
+ app: istio-pilot
+ chart: pilot-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: pilot
+ annotations:
+ checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ istio: pilot
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-pilot-service-account
+ containers:
+ - name: discovery
+ image: "docker.io/istio/pilot:0.8.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - "discovery"
+# TODO(sdake) remove when secrets are automagically registered
+ ports:
+ - containerPort: 8080
+ - containerPort: 15010
+ readinessProbe:
+ httpGet:
+ path: /v1/registration
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: PILOT_THROTTLE
+ value: "500"
+ - name: PILOT_CACHE_SQUASH
+ value: "5"
+ resources:
+ {}
+
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/istio/config
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: istio-proxy
+ image: "docker.io/istio/proxyv2:0.8.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 15003
+ - containerPort: 15005
+ - containerPort: 15007
+ - containerPort: 15011
+ args:
+ - proxy
+ - --serviceCluster
+ - istio-pilot
+ - --templateFile
+ - /etc/istio/proxy/envoy_pilot.yaml.tmpl
+ - --controlPlaneAuthPolicy
+ - NONE
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio
+ - name: istio-certs
+ secret:
+ secretName: "istio.istio-pilot-service-account"
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/prometheus/templates/deployment.yaml
+# TODO: the original template has service account, roles, etc
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: prometheus
+ namespace: istio-system
+ labels:
+ app: prometheus
+ chart: prometheus-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: prometheus
+ template:
+ metadata:
+ labels:
+ app: prometheus
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: prometheus
+
+ containers:
+ - name: prometheus
+ image: "docker.io/prom/prometheus:latest"
+ imagePullPolicy: IfNotPresent
+ args:
+ - '--storage.tsdb.retention=6h'
+ - '--config.file=/etc/prometheus/prometheus.yml'
+ ports:
+ - containerPort: 9090
+ name: http
+ livenessProbe:
+ httpGet:
+ path: /-/healthy
+ port: 9090
+ readinessProbe:
+ httpGet:
+ path: /-/ready
+ port: 9090
+ resources:
+ {}
+
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/prometheus
+ volumes:
+ - name: config-volume
+ configMap:
+ name: prometheus
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/security/templates/deployment.yaml
+# istio CA watching all namespaces
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-citadel
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: citadel
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ istio: citadel
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-citadel-service-account
+ containers:
+ - name: citadel
+ image: "docker.io/istio/citadel:0.8.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --append-dns-names=true
+ - --grpc-port=8060
+ - --grpc-hostname=citadel
+ - --self-signed-ca=true
+ - --citadel-storage-namespace=istio-system
+ resources:
+ {}
+
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/servicegraph/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: servicegraph
+ namespace: istio-system
+ labels:
+ app: servicegraph
+ chart: servicegraph-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: servicegraph
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: servicegraph
+ image: "docker.io/istio/servicegraph:0.8.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8088
+ args:
+ - --prometheusAddr=http://prometheus:9090
+ livenessProbe:
+ httpGet:
+ path: /graph
+ port: 8088
+ readinessProbe:
+ httpGet:
+ path: /graph
+ port: 8088
+ resources:
+ {}
+
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ labels:
+ app: sidecarInjectorWebhook
+ chart: sidecarInjectorWebhook-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: sidecar-injector
+spec:
+ replicas:
+ template:
+ metadata:
+ labels:
+ istio: sidecar-injector
+ spec:
+ serviceAccountName: istio-sidecar-injector-service-account
+ containers:
+ - name: sidecar-injector-webhook
+ image: "docker.io/istio/sidecar_injector:0.8.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --caCertFile=/etc/istio/certs/root-cert.pem
+ - --tlsCertFile=/etc/istio/certs/cert-chain.pem
+ - --tlsKeyFile=/etc/istio/certs/key.pem
+ - --injectConfig=/etc/istio/inject/config
+ - --meshConfig=/etc/istio/config/mesh
+ - --healthCheckInterval=2s
+ - --healthCheckFile=/health
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/istio/config
+ readOnly: true
+ - name: certs
+ mountPath: /etc/istio/certs
+ readOnly: true
+ - name: inject-config
+ mountPath: /etc/istio/inject
+ readOnly: true
+ livenessProbe:
+ exec:
+ command:
+ - /usr/local/bin/sidecar-injector
+ - probe
+ - --probe-path=/health
+ - --interval=2s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ readinessProbe:
+ exec:
+ command:
+ - /usr/local/bin/sidecar-injector
+ - probe
+ - --probe-path=/health
+ - --interval=2s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio
+ - name: certs
+ secret:
+ secretName: istio.istio-sidecar-injector-service-account
+ - name: inject-config
+ configMap:
+ name: istio-sidecar-injector
+ items:
+ - key: config
+ path: config
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/tracing/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-tracing
+ namespace: istio-system
+ labels:
+ app: istio-tracing
+ chart: tracing-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: jaeger
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: jaeger
+ image: "jaegertracing/all-in-one:1.5"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9411
+ - containerPort: 16686
+ - containerPort: 5775
+ protocol: UDP
+ - containerPort: 6831
+ protocol: UDP
+ - containerPort: 6832
+ protocol: UDP
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: COLLECTOR_ZIPKIN_HTTP_PORT
+ value: "9411"
+ - name: MEMORY_MAX_TRACES
+ value: "50000"
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 16686
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 16686
+ resources:
+ {}
+
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/security/templates/cleanup-old-ca.yaml
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-cleanup-old-ca
+ namespace: istio-system
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+ labels:
+ app: security
+ chart: security-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ template:
+ metadata:
+ name: istio-cleanup-old-ca
+ labels:
+ app: security
+ release: RELEASE-NAME
+ spec:
+ serviceAccountName: istio-cleanup-old-ca-service-account
+ containers:
+ - name: hyperkube
+ image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
+ command:
+ - /bin/bash
+ - -c
+ - >
+ NS="-n istio-system";
+ ./kubectl get deploy istio-ca $NS;
+ if [[ $? = 0 ]]; then ./kubectl delete deploy istio-ca $NS; fi;
+ ./kubectl get serviceaccount istio-ca-service-account $NS;
+ if [[ $? = 0 ]]; then ./kubectl delete serviceaccount istio-ca-service-account $NS; fi;
+ ./kubectl get service istio-ca-ilb $NS;
+ if [[ $? = 0 ]]; then ./kubectl delete service istio-ca-ilb $NS; fi
+ restartPolicy: Never
+---
+# Source: istio/charts/egressgateway/templates/autoscale.yaml
+
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-egressgateway
+ namespace: istio-system
+spec:
+ maxReplicas: 1
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-egressgateway
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+
+
+---
+# Source: istio/charts/ingressgateway/templates/autoscale.yaml
+
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ maxReplicas: 1
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-ingressgateway
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+
+
+---
+# Source: istio/charts/tracing/templates/service.yaml
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: zipkin
+ namespace: istio-system
+ labels:
+ app: jaeger
+ chart: tracing-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ spec:
+ type: NodePort
+ ports:
+ - port: 9411
+ targetPort: 9411
+ protocol: TCP
+ name: http
+ nodePort: 30411
+ selector:
+ app: jaeger
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: tracing
+ namespace: istio-system
+ labels:
+ app: jaeger
+ chart: tracing-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ spec:
+ ports:
+ - name: query-http
+ port: 80
+ protocol: TCP
+ targetPort: 16686
+ selector:
+ app: jaeger
+ type: LoadBalancer
+
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ labels:
+ app: istio-sidecar-injector
+ chart: sidecarInjectorWebhook-0.8.0
+ release: RELEASE-NAME
+ heritage: Tiller
+webhooks:
+ - name: sidecar-injector.istio.io
+ clientConfig:
+ service:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ path: "/inject"
+ caBundle: ""
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ namespaceSelector:
+ matchLabels:
+ istio-injection: enabled
+
+---
+# Source: istio/charts/grafana/templates/ingress.yaml
+
+---
+# Source: istio/charts/mixer/templates/config.yaml
+
+
+---
+# Source: istio/charts/prometheus/templates/ingress.yaml
+
+---
+# Source: istio/charts/servicegraph/templates/ingress.yaml
+
+---
+# Source: istio/charts/tracing/templates/ingress.yaml
+
+---
+# Source: istio/charts/tracing/templates/service-jaeger.yaml
+
+
+
diff --git a/install/kubeadm.conf b/install/kubeadm.conf
new file mode 100644
index 0000000..d683093
--- /dev/null
+++ b/install/kubeadm.conf
@@ -0,0 +1,4 @@
+apiVersion: kubeadm.k8s.io/v1alpha1
+kind: MasterConfiguration
+apiServerExtraArgs:
+ enable-admission-plugins: NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
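Review bot: The `enable-admission-plugins` list on the last line of this hunk does not include `NodeRestriction`, the admission plugin that limits each kubelet to modifying its own Node object and the Pods bound to it. If this value replaces kubeadm's default plugin set rather than extending it (worth confirming for the kubeadm version these scripts install), a compromised node credential would no longer be restricted in that way. I would add the plugin to the list, e.g. `...,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota`. A comment above `apiServerExtraArgs` would also help the next maintainer, for example `# MutatingAdmissionWebhook is needed by the istio-sidecar-injector webhook in install/istio.yaml`.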