diff options
Diffstat (limited to 'install/istio.yaml')
-rw-r--r-- | install/istio.yaml | 3505 |
1 files changed, 2445 insertions, 1060 deletions
diff --git a/install/istio.yaml b/install/istio.yaml index 500940d..15716c5 100644 --- a/install/istio.yaml +++ b/install/istio.yaml @@ -1,525 +1,210 @@ apiVersion: v1 kind: Namespace metadata: - name: istio-system + name: istio-system + labels: + istio-injection: disabled --- -# Source: istio/charts/mixer/templates/configmap.yaml +# Source: istio/charts/galley/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: istio-statsd-prom-bridge + name: istio-galley-configuration namespace: istio-system labels: - app: istio-statsd-prom-bridge - chart: mixer-0.8.0 + app: istio-galley + chart: galley-1.0.0 release: RELEASE-NAME heritage: Tiller istio: mixer data: - mapping.conf: |- + validatingwebhookconfiguration.yaml: |- + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: istio-galley + namespace: istio-system + labels: + app: istio-galley + chart: galley-1.0.0 + release: RELEASE-NAME + heritage: Tiller + webhooks: + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + # disabled per @costinm's request + # - serviceentries + - virtualservices + failurePolicy: Fail + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - servicecontrols + - solarwindses + - stackdrivers + - statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - servicecontrolreports + - tracespans + failurePolicy: Fail + + --- +# Source: istio/charts/grafana/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: istio-mixer-custom-resources + name: istio-grafana-custom-resources namespace: istio-system labels: - app: istio-mixer - chart: mixer-0.8.0 + app: istio-grafana + chart: grafana-0.1.0 release: RELEASE-NAME heritage: Tiller - istio: mixer + istio: grafana data: custom-resources.yaml: |- - apiVersion: "config.istio.io/v1alpha2" - kind: attributemanifest + apiVersion: authentication.istio.io/v1alpha1 + kind: Policy metadata: - name: istioproxy + name: grafana-ports-mtls-disabled namespace: istio-system spec: - attributes: - origin.ip: - valueType: IP_ADDRESS - origin.uid: - valueType: STRING - origin.user: - valueType: STRING - request.headers: - valueType: STRING_MAP - request.id: - valueType: STRING - request.host: - valueType: STRING - request.method: - valueType: STRING - request.path: - valueType: STRING - request.reason: - valueType: STRING - request.referer: - valueType: STRING - request.scheme: - valueType: STRING - request.total_size: - valueType: INT64 - request.size: - valueType: INT64 - request.time: - valueType: TIMESTAMP - request.useragent: - valueType: STRING - response.code: - valueType: INT64 - response.duration: - valueType: DURATION - response.headers: - valueType: STRING_MAP - response.total_size: - valueType: INT64 - response.size: - valueType: INT64 - response.time: - valueType: TIMESTAMP - source.uid: - valueType: STRING - source.user: - valueType: STRING - destination.uid: - valueType: STRING - connection.id: - valueType: STRING - connection.received.bytes: - valueType: INT64 - connection.received.bytes_total: - valueType: INT64 - connection.sent.bytes: - valueType: INT64 - connection.sent.bytes_total: - valueType: INT64 - connection.duration: - valueType: DURATION - connection.mtls: - valueType: BOOL - context.protocol: - valueType: STRING - context.timestamp: - valueType: TIMESTAMP - context.time: - valueType: TIMESTAMP - api.service: - valueType: STRING - api.version: - valueType: STRING - api.operation: - valueType: STRING - api.protocol: - valueType: STRING - request.auth.principal: - valueType: STRING - request.auth.audiences: - valueType: STRING - request.auth.presenter: - valueType: STRING - request.auth.claims: - valueType: STRING_MAP - request.auth.raw_claims: - valueType: STRING - request.api_key: - valueType: STRING + targets: + - name: grafana + ports: + - number: 3000 + run.sh: |- + #!/bin/sh - --- - apiVersion: "config.istio.io/v1alpha2" - kind: attributemanifest - metadata: - name: kubernetes - namespace: istio-system - spec: - attributes: - source.ip: - valueType: IP_ADDRESS - source.labels: - valueType: STRING_MAP - source.name: - valueType: STRING - source.namespace: - valueType: STRING - source.service: - valueType: STRING - source.serviceAccount: - valueType: STRING - destination.ip: - valueType: IP_ADDRESS - destination.labels: - valueType: STRING_MAP - destination.name: - valueType: STRING - destination.namespace: - valueType: STRING - destination.service: - valueType: STRING - destination.serviceAccount: - valueType: STRING - --- - apiVersion: "config.istio.io/v1alpha2" - kind: stdio - metadata: - name: handler - namespace: istio-system - spec: - outputAsJson: true - --- - apiVersion: "config.istio.io/v1alpha2" - kind: logentry - metadata: - name: accesslog - namespace: istio-system - spec: - severity: '"Info"' - timestamp: request.time - variables: - originIp: origin.ip | ip("0.0.0.0") - sourceIp: source.ip | ip("0.0.0.0") - sourceService: source.service | "" - sourceUser: source.user | source.uid | "" - sourceNamespace: source.namespace | "" - destinationIp: destination.ip | ip("0.0.0.0") - destinationService: destination.service | "" - destinationNamespace: destination.namespace | "" - apiName: api.service | "" - apiVersion: api.version | "" - apiClaims: request.headers["sec-istio-auth-userinfo"]| "" - apiKey: request.api_key | request.headers["x-api-key"] | "" - requestOperation: api.operation | "" - protocol: request.scheme | "http" - method: request.method | "" - url: request.path | "" - responseCode: response.code | 0 - responseSize: response.size | 0 - requestSize: request.size | 0 - latency: response.duration | "0ms" - connectionMtls: connection.mtls | false - userAgent: request.useragent | "" - responseTimestamp: response.time - receivedBytes: request.total_size | connection.received.bytes | 0 - sentBytes: response.total_size | connection.sent.bytes | 0 - referer: request.referer | "" - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - name: stdio - namespace: istio-system - spec: - match: "true" # If omitted match is true. - actions: - - handler: handler.stdio - instances: - - accesslog.logentry - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: requestcount - namespace: istio-system - spec: - value: "1" - dimensions: - source_service: source.service | "unknown" - source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" - destination_version: destination.labels["version"] | "unknown" - response_code: response.code | 200 - connection_mtls: connection.mtls | false - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: requestduration - namespace: istio-system - spec: - value: response.duration | "0ms" - dimensions: - source_service: source.service | "unknown" - source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" - destination_version: destination.labels["version"] | "unknown" - response_code: response.code | 200 - connection_mtls: connection.mtls | false - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: requestsize - namespace: istio-system - spec: - value: request.size | 0 - dimensions: - source_service: source.service | "unknown" - source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" - destination_version: destination.labels["version"] | "unknown" - response_code: response.code | 200 - connection_mtls: connection.mtls | false - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: responsesize - namespace: istio-system - spec: - value: response.size | 0 - dimensions: - source_service: source.service | "unknown" - source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" - destination_version: destination.labels["version"] | "unknown" - response_code: response.code | 200 - connection_mtls: connection.mtls | false - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: tcpbytesent - namespace: istio-system - labels: - istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp - spec: - value: connection.sent.bytes | 0 - dimensions: - source_service: source.service | "unknown" - source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" - destination_version: destination.labels["version"] | "unknown" - connection_mtls: connection.mtls | false - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: tcpbytereceived - namespace: istio-system - labels: - istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp - spec: - value: connection.received.bytes | 0 - dimensions: - source_service: source.service | "unknown" - source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" - destination_version: destination.labels["version"] | "unknown" - connection_mtls: connection.mtls | false - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: prometheus - metadata: - name: handler - namespace: istio-system - spec: - metrics: - - name: request_count - instance_name: requestcount.metric.istio-system - kind: COUNTER - label_names: - - source_service - - source_version - - destination_service - - destination_version - - response_code - - connection_mtls - - name: request_duration - instance_name: requestduration.metric.istio-system - kind: DISTRIBUTION - label_names: - - source_service - - source_version - - destination_service - - destination_version - - response_code - - connection_mtls - buckets: - explicit_buckets: - bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - - name: request_size - instance_name: requestsize.metric.istio-system - kind: DISTRIBUTION - label_names: - - source_service - - source_version - - destination_service - - destination_version - - response_code - - connection_mtls - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: response_size - instance_name: responsesize.metric.istio-system - kind: DISTRIBUTION - label_names: - - source_service - - source_version - - destination_service - - destination_version - - response_code - - connection_mtls - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: tcp_bytes_sent - instance_name: tcpbytesent.metric.istio-system - kind: COUNTER - label_names: - - source_service - - source_version - - destination_service - - destination_version - - connection_mtls - - name: tcp_bytes_received - instance_name: tcpbytereceived.metric.istio-system - kind: COUNTER - label_names: - - source_service - - source_version - - destination_service - - destination_version - - connection_mtls - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - name: promhttp - namespace: istio-system - labels: - istio-protocol: http - spec: - actions: - - handler: handler.prometheus - instances: - - requestcount.metric - - requestduration.metric - - requestsize.metric - - responsesize.metric - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - name: promtcp - namespace: istio-system - labels: - istio-protocol: tcp # needed so that mixer will only execute when context.protocol == TCP - spec: - actions: - - handler: handler.prometheus - instances: - - tcpbytesent.metric - - tcpbytereceived.metric - --- + set -x - apiVersion: "config.istio.io/v1alpha2" - kind: kubernetesenv - metadata: - name: handler - namespace: istio-system - spec: - # when running from mixer root, use the following config after adding a - # symbolic link to a kubernetes config file via: - # - # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig - # - # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - name: kubeattrgenrulerule - namespace: istio-system - spec: - actions: - - handler: handler.kubernetesenv - instances: - - attributes.kubernetes - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - name: tcpkubeattrgenrulerule - namespace: istio-system - spec: - match: context.protocol == "tcp" - actions: - - handler: handler.kubernetesenv - instances: - - attributes.kubernetes - --- - apiVersion: "config.istio.io/v1alpha2" - kind: kubernetes - metadata: - name: attributes - namespace: istio-system - spec: - # Pass the required attribute data to the adapter - source_uid: source.uid | "" - source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr - destination_uid: destination.uid | "" - origin_uid: '""' - origin_ip: ip("0.0.0.0") # default to unspecified ip addr - attribute_bindings: - # Fill the new attributes from the adapter produced output. - # $out refers to an instance of OutputTemplate message - source.ip: $out.source_pod_ip | ip("0.0.0.0") - source.labels: $out.source_labels | emptyStringMap() - source.namespace: $out.source_namespace | "default" - source.service: $out.source_service | "unknown" - source.serviceAccount: $out.source_service_account_name | "unknown" - destination.ip: $out.destination_pod_ip | ip("0.0.0.0") - destination.labels: $out.destination_labels | emptyStringMap() - destination.namespace: $out.destination_namespace | "default" - destination.service: $out.destination_service | "unknown" - destination.serviceAccount: $out.destination_service_account_name | "unknown" - --- - # Configuration needed by Mixer. - # Mixer cluster is delivered via CDS - # Specify mixer cluster settings - apiVersion: networking.istio.io/v1alpha3 - kind: DestinationRule - metadata: - name: istio-policy - namespace: istio-system - spec: - host: istio-policy.istio-system.svc.cluster.local - trafficPolicy: - connectionPool: - http: - http2MaxRequests: 10000 - maxRequestsPerConnection: 10000 - --- - apiVersion: networking.istio.io/v1alpha3 - kind: DestinationRule - metadata: - name: istio-telemetry - namespace: istio-system - spec: - host: istio-telemetry.istio-system.svc.cluster.local - trafficPolicy: - connectionPool: - http: - http2MaxRequests: 10000 - maxRequestsPerConnection: 10000 - --- + pathToResourceYAML=${1} + + /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + /kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + /kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" -ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + /kubectl apply -f ${pathToResourceYAML} --- +# Source: istio/charts/mixer/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-statsd-prom-bridge + namespace: istio-system + labels: + app: istio-statsd-prom-bridge + chart: mixer-1.0.0 + release: RELEASE-NAME + heritage: Tiller + istio: mixer +data: + mapping.conf: |- + +--- # Source: istio/charts/prometheus/templates/configmap.yaml apiVersion: v1 kind: ConfigMap @@ -543,11 +228,14 @@ data: kubernetes_sd_configs: - role: endpoints + namespaces: + names: + - istio-system relabel_configs: - - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep - regex: istio-system;istio-telemetry;prometheus + regex: istio-telemetry;prometheus - job_name: 'envoy' # Override the global default and scrape targets from this job every 5 seconds. @@ -557,11 +245,14 @@ data: kubernetes_sd_configs: - role: endpoints + namespaces: + names: + - istio-system relabel_configs: - - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep - regex: istio-system;istio-statsd-prom-bridge;statsd-prom + regex: istio-statsd-prom-bridge;statsd-prom - job_name: 'istio-policy' # Override the global default and scrape targets from this job every 5 seconds. @@ -571,11 +262,15 @@ data: kubernetes_sd_configs: - role: endpoints + namespaces: + names: + - istio-system + relabel_configs: - - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep - regex: istio-system;istio-policy;http-monitoring + regex: istio-policy;http-monitoring - job_name: 'istio-telemetry' # Override the global default and scrape targets from this job every 5 seconds. @@ -585,11 +280,14 @@ data: kubernetes_sd_configs: - role: endpoints + namespaces: + names: + - istio-system relabel_configs: - - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep - regex: istio-system;istio-telemetry;http-monitoring + regex: istio-telemetry;http-monitoring - job_name: 'pilot' # Override the global default and scrape targets from this job every 5 seconds. @@ -599,24 +297,47 @@ data: kubernetes_sd_configs: - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-pilot;http-monitoring + + - job_name: 'galley' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system relabel_configs: - - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep - regex: istio-system;istio-pilot;http-monitoring + regex: istio-galley;http-monitoring # scrape config for API servers - job_name: 'kubernetes-apiservers' kubernetes_sd_configs: - role: endpoints + namespaces: + names: + - default scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token relabel_configs: - - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep - regex: default;kubernetes;https + regex: kubernetes;https # scrape config for nodes (kubelet) - job_name: 'kubernetes-nodes' @@ -725,7 +446,56 @@ data: target_label: pod_name --- +# Source: istio/charts/security/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-security-custom-resources + namespace: istio-system + labels: + app: istio-security + chart: security-1.0.0 + release: RELEASE-NAME + heritage: Tiller + istio: security +data: + custom-resources.yaml: |- + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + /kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + /kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" -ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + /kubectl apply -f ${pathToResourceYAML} + + +--- # Source: istio/templates/configmap.yaml + apiVersion: v1 kind: ConfigMap metadata: @@ -733,42 +503,34 @@ metadata: namespace: istio-system labels: app: istio - chart: istio-0.8.0 + chart: istio-1.0.0 release: RELEASE-NAME heritage: Tiller data: mesh: |- - # - # Edit this list to avoid using mTLS to connect to these services. - # Typically, these are control services (e.g kubernetes API server) that don't have istio sidecar - # to transparently terminate mTLS authentication. - # mtlsExcludedServices: ["kubernetes.default.svc.cluster.local"] - # Set the following variable to true to disable policy checks by the Mixer. # Note that metrics will still be reported to the Mixer. disablePolicyChecks: false + # Set enableTracing to false to disable request tracing. enableTracing: true + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "/dev/stdout" # - # To disable the mixer completely (including metrics), comment out - # the following lines - mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004 - mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004 - # This is the ingress service name, update if you used a different name - ingressService: istio-ingress - # - # Along with discoveryRefreshDelay, this setting determines how - # frequently should Envoy fetch and update its internal configuration - # from istio Pilot. Lower refresh delay results in higher CPU - # utilization and potential performance loss in exchange for faster - # convergence. Tweak this value according to your setup. - rdsRefreshDelay: 10s + # Deprecated: mixer is using EDS + mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091 + mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091 + + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: "" + + # How frequently should Envoy fetch key/cert from NodeAgent. + sdsRefreshDelay: 15s + # defaultConfig: - # NOTE: If you change any values in this section, make sure to make - # the same changes in start up args in istio-ingress pods. - # See rdsRefreshDelay for explanation about this setting. - discoveryRefreshDelay: 10s # # TCP connection timeout between Envoy & the application, and between Envoys. connectTimeout: 10s @@ -819,6 +581,7 @@ data: --- # Source: istio/templates/sidecar-injector-configmap.yaml + apiVersion: v1 kind: ConfigMap metadata: @@ -826,7 +589,7 @@ metadata: namespace: istio-system labels: app: istio - chart: istio-0.8.0 + chart: istio-1.0.0 release: RELEASE-NAME heritage: Tiller istio: sidecar-injector @@ -836,7 +599,7 @@ data: template: |- initContainers: - name: istio-init - image: docker.io/istio/proxy_init:0.8.0 + image: "gcr.io/istio-release/proxy_init:1.0.0" args: - "-p" - [[ .MeshConfig.ProxyListenPort ]] @@ -880,7 +643,7 @@ data: image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]] "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]" [[ else -]] - docker.io/istio/proxy_debug:0.8.0 + gcr.io/istio-release/proxy_debug:1.0.0 [[ end -]] args: - proxy @@ -912,7 +675,7 @@ data: - --proxyAdminPort - [[ .ProxyConfig.ProxyAdminPort ]] - --controlPlaneAuthPolicy - - [[ .ProxyConfig.ControlPlaneAuthPolicy ]] + - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/controlPlaneAuthPolicy") .ProxyConfig.ControlPlaneAuthPolicy ]] env: - name: POD_NAME valueFrom: @@ -934,21 +697,27 @@ data: value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]] imagePullPolicy: IfNotPresent securityContext: - privileged: false - readOnlyRootFilesystem: true - [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]] - capabilities: - add: - - NET_ADMIN - [[ else -]] - runAsUser: 1337 - [[ end -]] + privileged: false + readOnlyRootFilesystem: true + [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]] + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + [[ else -]] + runAsUser: 1337 + [[ end -]] restartPolicy: Always resources: + [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU") -]] requests: - cpu: 100m - memory: 128Mi + cpu: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU" ]]" + memory: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyMemory" ]]" + [[ else -]] + requests: + cpu: 10m + [[ end -]] volumeMounts: - mountPath: /etc/istio/proxy name: istio-envoy @@ -968,9 +737,22 @@ data: secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]] [[ end -]] +--- +# Source: istio/charts/galley/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-galley-service-account + namespace: istio-system + labels: + app: istio-galley + chart: galley-1.0.0 + heritage: Tiller + release: RELEASE-NAME --- -# Source: istio/charts/egressgateway/templates/serviceaccount.yaml +# Source: istio/charts/gateways/templates/serviceaccount.yaml + apiVersion: v1 kind: ServiceAccount metadata: @@ -978,12 +760,10 @@ metadata: namespace: istio-system labels: app: egressgateway - chart: egressgateway-0.8.0 + chart: gateways-1.0.0 heritage: Tiller release: RELEASE-NAME - --- -# Source: istio/charts/ingressgateway/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: @@ -991,108 +771,93 @@ metadata: namespace: istio-system labels: app: ingressgateway - chart: ingressgateway-0.8.0 + chart: gateways-1.0.0 heritage: Tiller release: RELEASE-NAME +--- --- -# Source: istio/charts/mixer/templates/create-custom-resources-job.yaml +# Source: istio/charts/grafana/templates/create-custom-resources-job.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: istio-mixer-post-install-account + name: istio-grafana-post-install-account namespace: istio-system labels: - app: mixer - chart: mixer-0.8.0 + app: istio-grafana + chart: grafana-0.1.0 heritage: Tiller release: RELEASE-NAME --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: - name: istio-mixer-post-install-istio-system - namespace: istio-system + name: istio-grafana-post-install-istio-system labels: - app: mixer - chart: mixer-0.8.0 + app: istio-grafana + chart: grafana-0.1.0 heritage: Tiller release: RELEASE-NAME rules: -- apiGroups: ["config.istio.io"] # istio CRD watcher - resources: ["*"] - verbs: ["create", "get", "list", "watch", "patch"] -- apiGroups: ["networking.istio.io"] # needed to create mixer destination rules +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy resources: ["*"] verbs: ["*"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: istio-mixer-post-install-role-binding-istio-system + name: istio-grafana-post-install-role-binding-istio-system labels: - app: mixer - chart: mixer-0.8.0 + app: istio-grafana + chart: grafana-0.1.0 heritage: Tiller release: RELEASE-NAME roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-mixer-post-install-istio-system + name: istio-grafana-post-install-istio-system subjects: - kind: ServiceAccount - name: istio-mixer-post-install-account + name: istio-grafana-post-install-account namespace: istio-system --- - apiVersion: batch/v1 kind: Job metadata: - name: istio-mixer-post-install + name: istio-grafana-post-install namespace: istio-system annotations: "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation + "helm.sh/hook-delete-policy": hook-succeeded labels: - app: mixer - chart: mixer-0.8.0 + app: istio-grafana + chart: grafana-0.1.0 release: RELEASE-NAME heritage: Tiller spec: template: metadata: - name: istio-mixer-post-install + name: istio-grafana-post-install labels: - app: mixer + app: istio-grafana release: RELEASE-NAME spec: - serviceAccountName: istio-mixer-post-install-account + serviceAccountName: istio-grafana-post-install-account containers: - name: hyperkube image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" - command: - - ./kubectl - - apply - - -f - - /tmp/mixer/custom-resources.yaml + command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ] volumeMounts: - - mountPath: "/tmp/mixer" - name: tmp-configmap-mixer + - mountPath: "/tmp/grafana" + name: tmp-configmap-grafana volumes: - - name: tmp-configmap-mixer + - name: tmp-configmap-grafana configMap: - name: istio-mixer-custom-resources - restartPolicy: Never # CRD might take some time till they are available to consume + name: istio-grafana-custom-resources + restartPolicy: OnFailure --- # Source: istio/charts/mixer/templates/serviceaccount.yaml - apiVersion: v1 kind: ServiceAccount metadata: @@ -1100,13 +865,12 @@ metadata: namespace: istio-system labels: app: mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 heritage: Tiller release: RELEASE-NAME --- # Source: istio/charts/pilot/templates/serviceaccount.yaml - apiVersion: v1 kind: ServiceAccount metadata: @@ -1114,13 +878,12 @@ metadata: namespace: istio-system labels: app: istio-pilot - chart: pilot-0.8.0 + chart: pilot-1.0.0 heritage: Tiller release: RELEASE-NAME --- # Source: istio/charts/prometheus/templates/serviceaccount.yaml - apiVersion: v1 kind: ServiceAccount metadata: @@ -1128,27 +891,118 @@ metadata: namespace: istio-system --- -# Source: istio/charts/security/templates/serviceaccount.yaml +# Source: istio/charts/security/templates/cleanup-secrets.yaml +# The reason for creating a ServiceAccount and ClusterRole specifically for this +# post-delete hooked job is because the citadel ServiceAccount is being deleted +# before this hook is launched. On the other hand, running this hook before the +# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they +# will be re-created immediately by the to-be-deleted citadel. +# +# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding +# will be ready before running the hooked Job therefore the hook weights. apiVersion: v1 kind: ServiceAccount metadata: - name: istio-citadel-service-account + name: istio-cleanup-secrets-service-account namespace: istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security-1.0.0 + heritage: Tiller + release: RELEASE-NAME +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security-1.0.0 + heritage: Tiller + release: RELEASE-NAME +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "2" labels: app: security - chart: security-0.8.0 + chart: security-1.0.0 heritage: Tiller release: RELEASE-NAME +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cleanup-secrets-istio-system +subjects: + - kind: ServiceAccount + name: istio-cleanup-secrets-service-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-cleanup-secrets + namespace: istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "3" + labels: + app: security + chart: security-1.0.0 + release: RELEASE-NAME + heritage: Tiller +spec: + template: + metadata: + name: istio-cleanup-secrets + labels: + app: security + release: RELEASE-NAME + spec: + serviceAccountName: istio-cleanup-secrets-service-account + containers: + - name: hyperkube + image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" + command: + - /bin/bash + - -c + - > + kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do + ns=$(echo $entry | awk '{print $1}'); + name=$(echo $entry | awk '{print $2}'); + kubectl delete secret $name -n $ns; + done + restartPolicy: OnFailure + --- +# Source: istio/charts/security/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: istio-cleanup-old-ca-service-account + name: istio-citadel-service-account namespace: istio-system labels: app: security - chart: security-0.8.0 + chart: security-1.0.0 heritage: Tiller release: RELEASE-NAME @@ -1161,17 +1015,205 @@ metadata: namespace: istio-system labels: app: istio-sidecar-injector - chart: sidecarInjectorWebhook-0.8.0 + chart: sidecarInjectorWebhook-1.0.0 heritage: Tiller release: RELEASE-NAME --- -# Source: istio/charts/mixer/templates/crds.yaml +# Source: istio/templates/crds.yaml +# +# these CRDs only make sense when pilot is enabled +# +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + annotations: + "helm.sh/hook": crd-install + "helm.sh/hook-weight": "-5" + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +# + +# these CRDs only make sense when security is enabled +# + +# +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: httpapispecbindings.config.istio.io +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: httpapispecs.config.istio.io +spec: + group: config.istio.io + names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: quotaspecbindings.config.istio.io +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: quotaspecs.config.istio.io +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- + # Mixer CRDs kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: rules.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: istio.io.mixer @@ -1182,6 +1224,9 @@ spec: kind: rule plural: rules singular: rule + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1190,6 +1235,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: attributemanifests.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: istio.io.mixer @@ -1200,6 +1247,32 @@ spec: kind: attributemanifest plural: attributemanifests singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: bypasses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: bypass + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: bypass + plural: bypasses + singular: bypass + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1208,6 +1281,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: circonuses.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: circonus @@ -1218,6 +1293,9 @@ spec: kind: circonus plural: circonuses singular: circonus + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1226,6 +1304,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: deniers.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: denier @@ -1236,6 +1316,9 @@ spec: kind: denier plural: deniers singular: denier + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1244,6 +1327,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: fluentds.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: fluentd @@ -1254,6 +1339,9 @@ spec: kind: fluentd plural: fluentds singular: fluentd + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1262,6 +1350,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: kubernetesenvs.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: kubernetesenv @@ -1272,6 +1362,9 @@ spec: kind: kubernetesenv plural: kubernetesenvs singular: kubernetesenv + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1280,6 +1373,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: listcheckers.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: listchecker @@ -1290,6 +1385,9 @@ spec: kind: listchecker plural: listcheckers singular: listchecker + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1298,6 +1396,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: memquotas.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: memquota @@ -1308,6 +1408,9 @@ spec: kind: memquota plural: memquotas singular: memquota + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1316,6 +1419,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: noops.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: noop @@ -1326,6 +1431,9 @@ spec: kind: noop plural: noops singular: noop + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1334,6 +1442,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: opas.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: opa @@ -1344,6 +1454,9 @@ spec: kind: opa plural: opas singular: opa + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1352,6 +1465,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: prometheuses.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: prometheus @@ -1362,6 +1477,9 @@ spec: kind: prometheus plural: prometheuses singular: prometheus + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1370,6 +1488,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: rbacs.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: rbac @@ -1380,6 +1500,28 @@ spec: kind: rbac plural: rbacs singular: rbac + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: redisquotas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + package: redisquota + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: redisquota + plural: redisquotas + singular: redisquota scope: Namespaced version: v1alpha2 --- @@ -1388,6 +1530,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: servicecontrols.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: servicecontrol @@ -1398,6 +1542,33 @@ spec: kind: servicecontrol plural: servicecontrols singular: servicecontrol + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 + +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: signalfxs.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: signalfx + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: signalfx + plural: signalfxs + singular: signalfx + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1406,6 +1577,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: solarwindses.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: solarwinds @@ -1416,6 +1589,9 @@ spec: kind: solarwinds plural: solarwindses singular: solarwinds + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1424,6 +1600,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: stackdrivers.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: stackdriver @@ -1434,6 +1612,9 @@ spec: kind: stackdriver plural: stackdrivers singular: stackdriver + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1442,6 +1623,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: statsds.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: statsd @@ -1452,6 +1635,9 @@ spec: kind: statsd plural: statsds singular: statsd + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1460,6 +1646,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: stdios.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: stdio @@ -1470,6 +1658,9 @@ spec: kind: stdio plural: stdios singular: stdio + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1478,6 +1669,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: apikeys.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: apikey @@ -1488,6 +1681,9 @@ spec: kind: apikey plural: apikeys singular: apikey + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1496,6 +1692,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: authorizations.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: authorization @@ -1506,6 +1704,9 @@ spec: kind: authorization plural: authorizations singular: authorization + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1514,6 +1715,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: checknothings.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: checknothing @@ -1524,6 +1727,9 @@ spec: kind: checknothing plural: checknothings singular: checknothing + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1532,6 +1738,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: kuberneteses.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: adapter.template.kubernetes @@ -1542,6 +1750,9 @@ spec: kind: kubernetes plural: kuberneteses singular: kubernetes + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1550,6 +1761,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: listentries.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: listentry @@ -1560,6 +1773,9 @@ spec: kind: listentry plural: listentries singular: listentry + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1568,6 +1784,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: logentries.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: logentry @@ -1578,6 +1796,32 @@ spec: kind: logentry plural: logentries singular: logentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: edges.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: edge + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: edge + plural: edges + singular: edge + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1586,6 +1830,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: metrics.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: metric @@ -1596,6 +1842,9 @@ spec: kind: metric plural: metrics singular: metric + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1604,6 +1853,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: quotas.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: quota @@ -1614,6 +1865,9 @@ spec: kind: quota plural: quotas singular: quota + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1622,6 +1876,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: reportnothings.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: reportnothing @@ -1632,6 +1888,9 @@ spec: kind: reportnothing plural: reportnothings singular: reportnothing + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1640,6 +1899,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: servicecontrolreports.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: servicecontrolreport @@ -1650,6 +1911,9 @@ spec: kind: servicecontrolreport plural: servicecontrolreports singular: servicecontrolreport + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1658,6 +1922,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: tracespans.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: tracespan @@ -1668,6 +1934,9 @@ spec: kind: tracespan plural: tracespans singular: tracespan + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1675,258 +1944,265 @@ spec: kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: serviceroles.config.istio.io + name: rbacconfigs.rbac.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: istio.io.mixer istio: rbac spec: - group: config.istio.io + group: rbac.istio.io + names: + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io names: kind: ServiceRole plural: serviceroles singular: servicerole + categories: + - istio-io + - rbac-istio-io scope: Namespaced - version: v1alpha2 + version: v1alpha1 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: servicerolebindings.config.istio.io + name: servicerolebindings.rbac.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: istio.io.mixer istio: rbac spec: - group: config.istio.io + group: rbac.istio.io names: kind: ServiceRoleBinding plural: servicerolebindings singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io scope: Namespaced - version: v1alpha2 - + version: v1alpha1 --- -# Source: istio/charts/pilot/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: destinationpolicies.config.istio.io + name: adapters.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: istio-pilot + app: mixer + package: adapter + istio: mixer-adapter spec: group: config.istio.io names: - kind: DestinationPolicy - listKind: DestinationPolicyList - plural: destinationpolicies - singular: destinationpolicy + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- -apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: egressrules.config.istio.io + name: instances.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: istio-pilot + app: mixer + package: instance + istio: mixer-instance spec: group: config.istio.io names: - kind: EgressRule - listKind: EgressRuleList - plural: egressrules - singular: egressrule + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- -apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: routerules.config.istio.io + name: templates.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: istio-pilot + app: mixer + package: template + istio: mixer-template spec: group: config.istio.io names: - kind: RouteRule - listKind: RouteRuleList - plural: routerules - singular: routerule + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- -apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition -metadata: - name: virtualservices.networking.istio.io - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - singular: virtualservice - scope: Namespaced - version: v1alpha3 ---- apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition metadata: - name: destinationrules.networking.istio.io + name: handlers.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: istio-pilot + app: mixer + package: handler + istio: mixer-handler spec: - group: networking.istio.io + group: config.istio.io names: - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - singular: destinationrule + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io scope: Namespaced - version: v1alpha3 + version: v1alpha2 --- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: serviceentries.networking.istio.io - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - singular: serviceentry - scope: Namespaced - version: v1alpha3 +# +# --- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition +# Source: istio/charts/galley/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole metadata: - name: gateways.networking.istio.io + name: istio-galley-istio-system labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: Gateway - plural: gateways - singular: gateway - scope: Namespaced - version: v1alpha3 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: policies.authentication.istio.io -spec: - group: authentication.istio.io - names: - kind: Policy - plural: policies - singular: policy - scope: Namespaced - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: httpapispecbindings.config.istio.io -spec: - group: config.istio.io - names: - kind: HTTPAPISpecBinding - plural: httpapispecbindings - singular: httpapispecbinding - scope: Namespaced - version: v1alpha2 + app: istio-galley + chart: galley-1.0.0 + heritage: Tiller + release: RELEASE-NAME +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["*"] +- apiGroups: ["config.istio.io"] # istio mixer CRD watcher + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["*"] + resources: ["deployments"] + resourceNames: ["istio-galley"] + verbs: ["get"] + --- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 +# Source: istio/charts/gateways/templates/clusterrole.yaml + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole metadata: - name: httpapispecs.config.istio.io -spec: - group: config.istio.io - names: - kind: HTTPAPISpec - plural: httpapispecs - singular: httpapispec - scope: Namespaced - version: v1alpha2 + labels: + app: gateways + chart: gateways-1.0.0 + heritage: Tiller + release: RELEASE-NAME + name: istio-egressgateway-istio-system +rules: +- apiGroups: ["extensions"] + resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] --- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole metadata: - name: quotaspecbindings.config.istio.io -spec: - group: config.istio.io - names: - kind: QuotaSpecBinding - plural: quotaspecbindings - singular: quotaspecbinding - scope: Namespaced - version: v1alpha2 + labels: + app: gateways + chart: gateways-1.0.0 + heritage: Tiller + release: RELEASE-NAME + name: istio-ingressgateway-istio-system +rules: +- apiGroups: ["extensions"] + resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] --- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: quotaspecs.config.istio.io -spec: - group: config.istio.io - names: - kind: QuotaSpec - plural: quotaspecs - singular: quotaspec - scope: Namespaced - version: v1alpha2 - --- # Source: istio/charts/mixer/templates/clusterrole.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-mixer-istio-system - namespace: istio-system labels: app: mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: ["config.istio.io"] # istio CRD watcher resources: ["*"] verbs: ["create", "get", "list", "watch", "patch"] +- apiGroups: ["rbac.istio.io"] # istio RBAC watcher + resources: ["*"] + verbs: ["get", "list", "watch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"] verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] --- # Source: istio/charts/pilot/templates/clusterrole.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-pilot-istio-system - namespace: istio-system labels: app: istio-pilot - chart: pilot-0.8.0 + chart: pilot-1.0.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: ["config.istio.io"] resources: ["*"] verbs: ["*"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] - apiGroups: ["networking.istio.io"] resources: ["*"] verbs: ["*"] @@ -1951,13 +2227,10 @@ rules: --- # Source: istio/charts/prometheus/templates/clusterrole.yaml - ---- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: prometheus-istio-system - namespace: istio-system rules: - apiGroups: [""] resources: @@ -1973,34 +2246,16 @@ rules: verbs: ["get"] - nonResourceURLs: ["/metrics"] verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: prometheus-istio-system - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus-istio-system -subjects: -- kind: ServiceAccount - name: prometheus - namespace: istio-system ---- - --- # Source: istio/charts/security/templates/clusterrole.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-citadel-istio-system - namespace: istio-system labels: app: security - chart: security-0.8.0 + chart: security-1.0.0 heritage: Tiller release: RELEASE-NAME rules: @@ -2013,35 +2268,16 @@ rules: - apiGroups: [""] resources: ["services"] verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: istio-cleanup-old-ca-istio-system - namespace: istio-system - labels: - app: security - chart: security-0.8.0 - heritage: Tiller - release: RELEASE-NAME -rules: -- apiGroups: [""] - resources: ["deployments", "serviceaccounts", "services"] - verbs: ["get", "delete"] -- apiGroups: ["extensions"] - resources: ["deployments", "replicasets"] - verbs: ["get", "list", "update", "delete"] --- # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-sidecar-injector-istio-system labels: app: istio-sidecar-injector - chart: sidecarInjectorWebhook-0.8.0 + chart: sidecarInjectorWebhook-1.0.0 heritage: Tiller release: RELEASE-NAME rules: @@ -2053,15 +2289,64 @@ rules: verbs: ["get", "list", "watch", "patch"] --- -# Source: istio/charts/mixer/templates/clusterrolebinding.yaml +# Source: istio/charts/galley/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-istio-system + labels: + app: istio-galley + chart: galley-1.0.0 + heritage: Tiller + release: RELEASE-NAME +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-istio-system +subjects: + - kind: ServiceAccount + name: istio-galley-service-account + namespace: istio-system + +--- +# Source: istio/charts/gateways/templates/clusterrolebindings.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: + name: istio-egressgateway-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-egressgateway-istio-system +subjects: + - kind: ServiceAccount + name: istio-egressgateway-service-account + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-ingressgateway-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-ingressgateway-istio-system +subjects: + - kind: ServiceAccount + name: istio-ingressgateway-service-account + namespace: istio-system +--- + +--- +# Source: istio/charts/mixer/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: name: istio-mixer-admin-role-binding-istio-system labels: app: mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 heritage: Tiller release: RELEASE-NAME roleRef: @@ -2075,14 +2360,13 @@ subjects: --- # Source: istio/charts/pilot/templates/clusterrolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-pilot-istio-system labels: app: istio-pilot - chart: pilot-0.8.0 + chart: pilot-1.0.0 heritage: Tiller release: RELEASE-NAME roleRef: @@ -2095,55 +2379,49 @@ subjects: namespace: istio-system --- -# Source: istio/charts/security/templates/clusterrolebinding.yaml - +# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: istio-citadel-istio-system - labels: - app: security - chart: security-0.8.0 - heritage: Tiller - release: RELEASE-NAME + name: prometheus-istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-citadel-istio-system + name: prometheus-istio-system subjects: - - kind: ServiceAccount - name: istio-citadel-service-account - namespace: istio-system +- kind: ServiceAccount + name: prometheus + namespace: istio-system + --- +# Source: istio/charts/security/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: - name: istio-cleanup-old-ca-istio-system - namespace: istio-system + name: istio-citadel-istio-system labels: app: security - chart: security-0.8.0 + chart: security-1.0.0 heritage: Tiller release: RELEASE-NAME roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: istio-cleanup-old-ca-istio-system + kind: ClusterRole + name: istio-citadel-istio-system subjects: - kind: ServiceAccount - name: istio-cleanup-old-ca-service-account + name: istio-citadel-service-account namespace: istio-system --- # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-sidecar-injector-admin-role-binding-istio-system labels: app: istio-sidecar-injector - chart: sidecarInjectorWebhook-0.8.0 + chart: sidecarInjectorWebhook-1.0.0 heritage: Tiller release: RELEASE-NAME roleRef: @@ -2154,76 +2432,76 @@ subjects: - kind: ServiceAccount name: istio-sidecar-injector-service-account namespace: istio-system + +--- +# Source: istio/charts/galley/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-galley + namespace: istio-system + labels: + istio: galley +spec: + ports: + - port: 443 + name: https-validation + - port: 9093 + name: http-monitoring + selector: + istio: galley + --- -# Source: istio/charts/egressgateway/templates/service.yaml +# Source: istio/charts/gateways/templates/service.yaml + apiVersion: v1 kind: Service metadata: name: istio-egressgateway - namespace: istio-system + namespace: istio-system + annotations: labels: - chart: egressgateway-0.8.0 + chart: gateways-1.0.0 release: RELEASE-NAME heritage: Tiller + app: istio-egressgateway istio: egressgateway spec: type: ClusterIP selector: + app: istio-egressgateway istio: egressgateway ports: - - name: http + name: http2 port: 80 - name: https port: 443 - --- -# Source: istio/charts/grafana/templates/service.yaml apiVersion: v1 kind: Service metadata: - name: grafana + name: istio-ingressgateway namespace: istio-system annotations: - auth.istio.io/3000: NONE - labels: - app: grafana - chart: grafana-0.1.0 - release: RELEASE-NAME - heritage: Tiller -spec: - type: NodePort - ports: - - port: 3000 - targetPort: 3000 - protocol: TCP - name: http - nodePort: 30300 - selector: - app: grafana - ---- -# Source: istio/charts/ingressgateway/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: istio-ingressgateway - namespace: istio-system labels: - chart: ingressgateway-0.8.0 + chart: gateways-1.0.0 release: RELEASE-NAME heritage: Tiller + app: istio-ingressgateway istio: ingressgateway spec: type: LoadBalancer selector: + app: istio-ingressgateway istio: ingressgateway ports: - - name: http + name: http2 nodePort: 31380 port: 80 + targetPort: 80 - name: https nodePort: 31390 @@ -2232,6 +2510,47 @@ spec: name: tcp nodePort: 31400 port: 31400 + - + name: tcp-pilot-grpc-tls + port: 15011 + targetPort: 15011 + - + name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - + name: http2-prometheus + port: 15030 + targetPort: 15030 + - + name: http2-grafana + port: 15031 + targetPort: 15031 +--- + +--- +# Source: istio/charts/grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: grafana + namespace: istio-system + annotations: + labels: + app: grafana + chart: grafana-0.1.0 + release: RELEASE-NAME + heritage: Tiller +spec: + type: NodePort + ports: + - port: 3000 + targetPort: 3000 + protocol: TCP + name: http + nodePort: 30300 + selector: + app: grafana --- # Source: istio/charts/mixer/templates/service.yaml @@ -2242,7 +2561,7 @@ metadata: name: istio-policy namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: mixer spec: @@ -2263,7 +2582,7 @@ metadata: name: istio-telemetry namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: mixer spec: @@ -2291,7 +2610,7 @@ metadata: name: istio-statsd-prom-bridge namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: statsd-prom-bridge spec: @@ -2312,7 +2631,7 @@ metadata: name: istio-statsd-prom-bridge namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: mixer spec: @@ -2330,7 +2649,7 @@ spec: name: istio-statsd-prom-bridge containers: - name: statsd-prom-bridge - image: "prom/statsd-exporter:latest" + image: "docker.io/prom/statsd-exporter:v0.6.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9102 @@ -2339,8 +2658,9 @@ spec: args: - '-statsd.mapping-config=/etc/statsd/mapping.conf' resources: - {} - + requests: + cpu: 10m + volumeMounts: - name: config-volume mountPath: /etc/statsd @@ -2354,17 +2674,11 @@ metadata: namespace: istio-system labels: app: istio-pilot - chart: pilot-0.8.0 + chart: pilot-1.0.0 release: RELEASE-NAME heritage: Tiller spec: ports: - - port: 15003 - name: http-old-discovery # mTLS or non-mTLS depending on auth setting - - port: 15005 - name: https-discovery # always mTLS - - port: 15007 - name: http-discovery # always plain-text - port: 15010 name: grpc-xds # direct - port: 15011 @@ -2424,6 +2738,7 @@ kind: Service metadata: name: servicegraph namespace: istio-system + annotations: labels: app: servicegraph chart: servicegraph-0.1.0 @@ -2456,7 +2771,124 @@ spec: istio: sidecar-injector --- -# Source: istio/charts/egressgateway/templates/deployment.yaml +# Source: istio/charts/galley/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + chart: galley-1.0.0 + release: RELEASE-NAME + heritage: Tiller + istio: galley +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + istio: galley + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-galley-service-account + containers: + - name: validator + image: "gcr.io/istio-release/galley:1.0.0" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 443 + - containerPort: 9093 + command: + - /usr/local/bin/galley + - validator + - --deployment-namespace=istio-system + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --healthCheckInterval=2s + - --healthCheckFile=/health + - --webhook-config-file + - /etc/istio/config/validatingwebhookconfiguration.yaml + volumeMounts: + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: config + mountPath: /etc/istio/config + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: + requests: + cpu: 10m + + volumes: + - name: certs + secret: + secretName: istio.istio-galley-service-account + - name: config + configMap: + name: istio-galley-configuration + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/gateways/templates/deployment.yaml + apiVersion: extensions/v1beta1 kind: Deployment metadata: @@ -2464,23 +2896,26 @@ metadata: namespace: istio-system labels: app: egressgateway - chart: egressgateway-0.8.0 + chart: gateways-1.0.0 release: RELEASE-NAME heritage: Tiller + app: istio-egressgateway istio: egressgateway spec: - replicas: + replicas: 1 template: metadata: labels: + app: istio-egressgateway istio: egressgateway annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-egressgateway-service-account containers: - name: egressgateway - image: "docker.io/istio/proxyv2:0.8.0" + image: "gcr.io/istio-release/proxyv2:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 80 @@ -2509,9 +2944,10 @@ spec: - --controlPlaneAuthPolicy - NONE - --discoveryAddress - - istio-pilot:8080 + - istio-pilot.istio-system:8080 resources: - {} + requests: + cpu: 10m env: - name: POD_NAME @@ -2527,6 +2963,7 @@ spec: - name: INSTANCE_IP valueFrom: fieldRef: + apiVersion: v1 fieldPath: status.podIP - name: ISTIO_META_POD_NAME valueFrom: @@ -2536,10 +2973,24 @@ spec: - name: istio-certs mountPath: /etc/certs readOnly: true + - name: egressgateway-certs + mountPath: "/etc/istio/egressgateway-certs" + readOnly: true + - name: egressgateway-ca-certs + mountPath: "/etc/istio/egressgateway-ca-certs" + readOnly: true volumes: - name: istio-certs secret: - secretName: "istio.default" + secretName: istio.istio-egressgateway-service-account + optional: true + - name: egressgateway-certs + secret: + secretName: "istio-egressgateway-certs" + optional: true + - name: egressgateway-ca-certs + secret: + secretName: "istio-egressgateway-ca-certs" optional: true affinity: nodeAffinity: @@ -2574,93 +3025,7 @@ spec: operator: In values: - s390x - ---- -# Source: istio/charts/grafana/templates/deployment.yaml -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: grafana - namespace: istio-system - labels: - app: grafana - chart: grafana-0.1.0 - release: RELEASE-NAME - heritage: Tiller -spec: - replicas: 1 - template: - metadata: - labels: - app: grafana - annotations: - sidecar.istio.io/inject: "false" - spec: - containers: - - name: grafana - image: "docker.io/istio/grafana:0.8.0" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 3000 - readinessProbe: - httpGet: - path: /login - port: 3000 - env: - - name: GRAFANA_PORT - value: "3000" - - name: GF_AUTH_BASIC_ENABLED - value: "false" - - name: GF_AUTH_ANONYMOUS_ENABLED - value: "true" - - name: GF_AUTH_ANONYMOUS_ORG_ROLE - value: Admin - - name: GF_PATHS_DATA - value: /data/grafana - resources: - {} - - volumeMounts: - - name: data - mountPath: /data/grafana - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - volumes: - - name: data - emptyDir: {} --- -# Source: istio/charts/ingressgateway/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: @@ -2668,28 +3033,35 @@ metadata: namespace: istio-system labels: app: ingressgateway - chart: ingressgateway-0.8.0 + chart: gateways-1.0.0 release: RELEASE-NAME heritage: Tiller + app: istio-ingressgateway istio: ingressgateway spec: - replicas: + replicas: 1 template: metadata: labels: + app: istio-ingressgateway istio: ingressgateway annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-ingressgateway-service-account containers: - name: ingressgateway - image: "docker.io/istio/proxyv2:0.8.0" + image: "gcr.io/istio-release/proxyv2:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 80 - containerPort: 443 - containerPort: 31400 + - containerPort: 15011 + - containerPort: 8060 + - containerPort: 15030 + - containerPort: 15031 args: - proxy - router @@ -2714,9 +3086,10 @@ spec: - --controlPlaneAuthPolicy - NONE - --discoveryAddress - - istio-pilot:8080 + - istio-pilot.istio-system:8080 resources: - {} + requests: + cpu: 10m env: - name: POD_NAME @@ -2745,15 +3118,107 @@ spec: - name: ingressgateway-certs mountPath: "/etc/istio/ingressgateway-certs" readOnly: true + - name: ingressgateway-ca-certs + mountPath: "/etc/istio/ingressgateway-ca-certs" + readOnly: true volumes: - name: istio-certs secret: - secretName: "istio.default" + secretName: istio.istio-ingressgateway-service-account optional: true - name: ingressgateway-certs secret: secretName: "istio-ingressgateway-certs" optional: true + - name: ingressgateway-ca-certs + secret: + secretName: "istio-ingressgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- + +--- +# Source: istio/charts/grafana/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: grafana + namespace: istio-system + labels: + app: grafana + chart: grafana-0.1.0 + release: RELEASE-NAME + heritage: Tiller +spec: + replicas: 1 + template: + metadata: + labels: + app: grafana + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + containers: + - name: grafana + image: "gcr.io/istio-release/grafana:1.0.0" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 3000 + readinessProbe: + httpGet: + path: /login + port: 3000 + env: + - name: GRAFANA_PORT + value: "3000" + - name: GF_AUTH_BASIC_ENABLED + value: "false" + - name: GF_AUTH_ANONYMOUS_ENABLED + value: "true" + - name: GF_AUTH_ANONYMOUS_ORG_ROLE + value: Admin + - name: GF_PATHS_DATA + value: /data/grafana + resources: + requests: + cpu: 10m + + volumeMounts: + - name: data + mountPath: /data/grafana affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -2787,6 +3252,9 @@ spec: operator: In values: - s390x + volumes: + - name: data + emptyDir: {} --- # Source: istio/charts/mixer/templates/deployment.yaml @@ -2797,7 +3265,7 @@ metadata: name: istio-policy namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: mixer spec: @@ -2805,10 +3273,12 @@ spec: template: metadata: labels: + app: policy istio: mixer istio-mixer-type: policy annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-mixer-service-account volumes: @@ -2816,6 +3286,8 @@ spec: secret: secretName: istio.istio-mixer-service-account optional: true + - name: uds-socket + emptyDir: {} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -2851,23 +3323,32 @@ spec: - s390x containers: - name: mixer - image: "docker.io/istio/mixer:0.8.0" + image: "gcr.io/istio-release/mixer:1.0.0" imagePullPolicy: IfNotPresent ports: - - containerPort: 9092 - containerPort: 9093 - containerPort: 42422 args: - --address - - tcp://127.0.0.1:9092 + - unix:///sock/mixer.socket - --configStoreURL=k8s:// - --configDefaultNamespace=istio-system - --trace_zipkin_url=http://zipkin:9411/api/v1/spans resources: - {} - + requests: + cpu: 10m + + volumeMounts: + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 9093 + initialDelaySeconds: 5 + periodSeconds: 5 - name: istio-proxy - image: "docker.io/istio/proxyv2:0.8.0" + image: "gcr.io/istio-release/proxyv2:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9091 @@ -2897,14 +3378,15 @@ spec: apiVersion: v1 fieldPath: status.podIP resources: - requests: - cpu: 100m - memory: 128Mi - + requests: + cpu: 10m + volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true + - name: uds-socket + mountPath: /sock --- apiVersion: extensions/v1beta1 @@ -2913,7 +3395,7 @@ metadata: name: istio-telemetry namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: mixer spec: @@ -2921,10 +3403,12 @@ spec: template: metadata: labels: + app: telemetry istio: mixer istio-mixer-type: telemetry annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-mixer-service-account volumes: @@ -2932,25 +3416,36 @@ spec: secret: secretName: istio.istio-mixer-service-account optional: true + - name: uds-socket + emptyDir: {} containers: - name: mixer - image: "docker.io/istio/mixer:0.8.0" + image: "gcr.io/istio-release/mixer:1.0.0" imagePullPolicy: IfNotPresent ports: - - containerPort: 9092 - containerPort: 9093 - containerPort: 42422 args: - --address - - tcp://127.0.0.1:9092 + - unix:///sock/mixer.socket - --configStoreURL=k8s:// - --configDefaultNamespace=istio-system - --trace_zipkin_url=http://zipkin:9411/api/v1/spans resources: - {} - + requests: + cpu: 10m + + volumeMounts: + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 9093 + initialDelaySeconds: 5 + periodSeconds: 5 - name: istio-proxy - image: "docker.io/istio/proxyv2:0.8.0" + image: "gcr.io/istio-release/proxyv2:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9091 @@ -2980,14 +3475,15 @@ spec: apiVersion: v1 fieldPath: status.podIP resources: - requests: - cpu: 100m - memory: 128Mi - + requests: + cpu: 10m + volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true + - name: uds-socket + mountPath: /sock --- @@ -2998,10 +3494,10 @@ kind: Deployment metadata: name: istio-pilot namespace: istio-system - # TODO: default tempate doesn't have this, which one is right ? + # TODO: default template doesn't have this, which one is right ? labels: app: istio-pilot - chart: pilot-0.8.0 + chart: pilot-1.0.0 release: RELEASE-NAME heritage: Tiller istio: pilot @@ -3013,23 +3509,24 @@ spec: metadata: labels: istio: pilot + app: pilot annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-pilot-service-account containers: - name: discovery - image: "docker.io/istio/pilot:0.8.0" + image: "gcr.io/istio-release/pilot:1.0.0" imagePullPolicy: IfNotPresent args: - "discovery" -# TODO(sdake) remove when secrets are automagically registered ports: - containerPort: 8080 - containerPort: 15010 readinessProbe: httpGet: - path: /v1/registration + path: /debug/endpointz port: 8080 initialDelaySeconds: 30 periodSeconds: 30 @@ -3049,8 +3546,12 @@ spec: value: "500" - name: PILOT_CACHE_SQUASH value: "5" + - name: PILOT_TRACE_SAMPLING + value: "100" resources: - {} + requests: + cpu: 500m + memory: 2048Mi volumeMounts: - name: config-volume @@ -3059,7 +3560,7 @@ spec: mountPath: /etc/certs readOnly: true - name: istio-proxy - image: "docker.io/istio/proxyv2:0.8.0" + image: "gcr.io/istio-release/proxyv2:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 15003 @@ -3092,8 +3593,7 @@ spec: fieldPath: status.podIP resources: requests: - cpu: 100m - memory: 128Mi + cpu: 10m volumeMounts: - name: istio-certs @@ -3105,7 +3605,7 @@ spec: name: istio - name: istio-certs secret: - secretName: "istio.istio-pilot-service-account" + secretName: istio.istio-pilot-service-account affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -3164,12 +3664,12 @@ spec: app: prometheus annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: prometheus - containers: - name: prometheus - image: "docker.io/prom/prometheus:latest" + image: "docker.io/prom/prometheus:v2.3.1" imagePullPolicy: IfNotPresent args: - '--storage.tsdb.retention=6h' @@ -3186,7 +3686,8 @@ spec: path: /-/ready port: 9090 resources: - {} + requests: + cpu: 10m volumeMounts: - name: config-volume @@ -3239,7 +3740,7 @@ metadata: namespace: istio-system labels: app: security - chart: security-0.8.0 + chart: security-1.0.0 release: RELEASE-NAME heritage: Tiller istio: citadel @@ -3251,20 +3752,22 @@ spec: istio: citadel annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-citadel-service-account containers: - name: citadel - image: "docker.io/istio/citadel:0.8.0" + image: "gcr.io/istio-release/citadel:1.0.0" imagePullPolicy: IfNotPresent args: - --append-dns-names=true - --grpc-port=8060 - --grpc-hostname=citadel - - --self-signed-ca=true - --citadel-storage-namespace=istio-system + - --self-signed-ca=true resources: - {} + requests: + cpu: 10m affinity: nodeAffinity: @@ -3320,10 +3823,11 @@ spec: app: servicegraph annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: containers: - name: servicegraph - image: "docker.io/istio/servicegraph:0.8.0" + image: "gcr.io/istio-release/servicegraph:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 8088 @@ -3338,7 +3842,8 @@ spec: path: /graph port: 8088 resources: - {} + requests: + cpu: 10m affinity: nodeAffinity: @@ -3383,21 +3888,24 @@ metadata: namespace: istio-system labels: app: sidecarInjectorWebhook - chart: sidecarInjectorWebhook-0.8.0 + chart: sidecarInjectorWebhook-1.0.0 release: RELEASE-NAME heritage: Tiller istio: sidecar-injector spec: - replicas: + replicas: 1 template: metadata: labels: istio: sidecar-injector + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-sidecar-injector-service-account containers: - name: sidecar-injector-webhook - image: "docker.io/istio/sidecar_injector:0.8.0" + image: "gcr.io/istio-release/sidecar_injector:1.0.0" imagePullPolicy: IfNotPresent args: - --caCertFile=/etc/istio/certs/root-cert.pem @@ -3423,7 +3931,7 @@ spec: - /usr/local/bin/sidecar-injector - probe - --probe-path=/health - - --interval=2s + - --interval=4s initialDelaySeconds: 4 periodSeconds: 4 readinessProbe: @@ -3432,9 +3940,13 @@ spec: - /usr/local/bin/sidecar-injector - probe - --probe-path=/health - - --interval=2s + - --interval=4s initialDelaySeconds: 4 periodSeconds: 4 + resources: + requests: + cpu: 10m + volumes: - name: config-volume configMap: @@ -3502,10 +4014,11 @@ spec: app: jaeger annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: containers: - name: jaeger - image: "jaegertracing/all-in-one:1.5" + image: "docker.io/jaegertracing/all-in-one:1.5" imagePullPolicy: IfNotPresent ports: - containerPort: 9411 @@ -3535,7 +4048,8 @@ spec: path: / port: 16686 resources: - {} + requests: + cpu: 10m affinity: nodeAffinity: @@ -3572,47 +4086,27 @@ spec: - s390x --- -# Source: istio/charts/security/templates/cleanup-old-ca.yaml - -apiVersion: batch/v1 -kind: Job +# Source: istio/charts/pilot/templates/gateway.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway metadata: - name: istio-cleanup-old-ca + name: istio-autogenerated-k8s-ingress namespace: istio-system - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": hook-succeeded - labels: - app: security - chart: security-0.8.0 - release: RELEASE-NAME - heritage: Tiller spec: - template: - metadata: - name: istio-cleanup-old-ca - labels: - app: security - release: RELEASE-NAME - spec: - serviceAccountName: istio-cleanup-old-ca-service-account - containers: - - name: hyperkube - image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" - command: - - /bin/bash - - -c - - > - NS="-n istio-system"; - ./kubectl get deploy istio-ca $NS; - if [[ $? = 0 ]]; then ./kubectl delete deploy istio-ca $NS; fi; - ./kubectl get serviceaccount istio-ca-service-account $NS; - if [[ $? = 0 ]]; then ./kubectl delete serviceaccount istio-ca-service-account $NS; fi; - ./kubectl get service istio-ca-ilb $NS; - if [[ $? = 0 ]]; then ./kubectl delete service istio-ca-ilb $NS; fi - restartPolicy: Never + selector: + istio: ingress + servers: + - port: + number: 80 + protocol: HTTP2 + name: http + hosts: + - "*" + +--- + --- -# Source: istio/charts/egressgateway/templates/autoscale.yaml +# Source: istio/charts/gateways/templates/autoscale.yaml apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler @@ -3620,7 +4114,7 @@ metadata: name: istio-egressgateway namespace: istio-system spec: - maxReplicas: 1 + maxReplicas: 5 minReplicas: 1 scaleTargetRef: apiVersion: apps/v1beta1 @@ -3630,29 +4124,170 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: 80 - + targetAverageUtilization: 60 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-ingressgateway + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-ingressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 60 +--- --- -# Source: istio/charts/ingressgateway/templates/autoscale.yaml +# Source: istio/charts/mixer/templates/autoscale.yaml apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: istio-ingressgateway + name: istio-policy namespace: istio-system spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-policy + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-telemetry + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-telemetry + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/pilot/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-pilot +spec: maxReplicas: 1 minReplicas: 1 scaleTargetRef: apiVersion: apps/v1beta1 kind: Deployment - name: istio-ingressgateway + name: istio-pilot metrics: - type: Resource resource: name: cpu - targetAverageUtilization: 80 + targetAverageUtilization: 55 +--- + +--- +# Source: istio/charts/tracing/templates/service-jaeger.yaml + + +apiVersion: v1 +kind: List +items: +- apiVersion: v1 + kind: Service + metadata: + name: jaeger-query + namespace: istio-system + annotations: + labels: + app: jaeger + jaeger-infra: jaeger-service + chart: tracing-0.1.0 + release: RELEASE-NAME + heritage: Tiller + spec: + type: NodePort + ports: + - name: query-http + port: 16686 + protocol: TCP + targetPort: 16686 + nodePort: 30686 + selector: + app: jaeger +- apiVersion: v1 + kind: Service + metadata: + name: jaeger-collector + namespace: istio-system + labels: + app: jaeger + jaeger-infra: collector-service + chart: tracing-0.1.0 + release: RELEASE-NAME + heritage: Tiller + spec: + ports: + - name: jaeger-collector-tchannel + port: 14267 + protocol: TCP + targetPort: 14267 + - name: jaeger-collector-http + port: 14268 + targetPort: 14268 + protocol: TCP + selector: + app: jaeger + type: ClusterIP +- apiVersion: v1 + kind: Service + metadata: + name: jaeger-agent + namespace: istio-system + labels: + app: jaeger + jaeger-infra: agent-service + chart: tracing-0.1.0 + release: RELEASE-NAME + heritage: Tiller + spec: + ports: + - name: agent-zipkin-thrift + port: 5775 + protocol: UDP + targetPort: 5775 + - name: agent-compact + port: 6831 + protocol: UDP + targetPort: 6831 + - name: agent-binary + port: 6832 + protocol: UDP + targetPort: 6832 + clusterIP: None + selector: + app: jaeger + --- @@ -3671,7 +4306,7 @@ items: release: RELEASE-NAME heritage: Tiller spec: - type: NodePort + type: NodePort ports: - port: 9411 targetPort: 9411 @@ -3685,6 +4320,7 @@ items: metadata: name: tracing namespace: istio-system + annotations: labels: app: jaeger chart: tracing-0.1.0 @@ -3692,14 +4328,12 @@ items: heritage: Tiller spec: ports: - - name: query-http + - name: http-query port: 80 protocol: TCP targetPort: 16686 selector: app: jaeger - type: LoadBalancer - --- # Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml @@ -3710,7 +4344,7 @@ metadata: namespace: istio-system labels: app: istio-sidecar-injector - chart: sidecarInjectorWebhook-0.8.0 + chart: sidecarInjectorWebhook-1.0.0 release: RELEASE-NAME heritage: Tiller webhooks: @@ -3731,24 +4365,775 @@ webhooks: matchLabels: istio-injection: enabled + --- -# Source: istio/charts/grafana/templates/ingress.yaml +# Source: istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl + --- -# Source: istio/charts/mixer/templates/config.yaml +# Source: istio/charts/grafana/templates/grafana-ports-mtls.yaml + + +--- +# Source: istio/charts/grafana/templates/secret.yaml + +--- +# Source: istio/charts/pilot/templates/meshexpansion.yaml + + +--- +# Source: istio/charts/security/templates/create-custom-resources-job.yaml + + +--- +# Source: istio/charts/security/templates/enable-mesh-mtls.yaml + + +--- +# Source: istio/charts/security/templates/meshexpansion.yaml --- -# Source: istio/charts/prometheus/templates/ingress.yaml --- # Source: istio/charts/servicegraph/templates/ingress.yaml --- +# Source: istio/charts/telemetry-gateway/templates/gateway.yaml + + +--- +# Source: istio/charts/tracing/templates/ingress-jaeger.yaml + +--- # Source: istio/charts/tracing/templates/ingress.yaml --- -# Source: istio/charts/tracing/templates/service-jaeger.yaml +# Source: istio/templates/install-custom-resources.sh.tpl +--- +# Source: istio/charts/mixer/templates/config.yaml +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: istioproxy + namespace: istio-system +spec: + attributes: + origin.ip: + valueType: IP_ADDRESS + origin.uid: + valueType: STRING + origin.user: + valueType: STRING + request.headers: + valueType: STRING_MAP + request.id: + valueType: STRING + request.host: + valueType: STRING + request.method: + valueType: STRING + request.path: + valueType: STRING + request.reason: + valueType: STRING + request.referer: + valueType: STRING + request.scheme: + valueType: STRING + request.total_size: + valueType: INT64 + request.size: + valueType: INT64 + request.time: + valueType: TIMESTAMP + request.useragent: + valueType: STRING + response.code: + valueType: INT64 + response.duration: + valueType: DURATION + response.headers: + valueType: STRING_MAP + response.total_size: + valueType: INT64 + response.size: + valueType: INT64 + response.time: + valueType: TIMESTAMP + source.uid: + valueType: STRING + source.user: # DEPRECATED + valueType: STRING + source.principal: + valueType: STRING + destination.uid: + valueType: STRING + destination.principal: + valueType: STRING + destination.port: + valueType: INT64 + connection.event: + valueType: STRING + connection.id: + valueType: STRING + connection.received.bytes: + valueType: INT64 + connection.received.bytes_total: + valueType: INT64 + connection.sent.bytes: + valueType: INT64 + connection.sent.bytes_total: + valueType: INT64 + connection.duration: + valueType: DURATION + connection.mtls: + valueType: BOOL + context.protocol: + valueType: STRING + context.timestamp: + valueType: TIMESTAMP + context.time: + valueType: TIMESTAMP + # Deprecated, kept for compatibility + context.reporter.local: + valueType: BOOL + context.reporter.kind: + valueType: STRING + context.reporter.uid: + valueType: STRING + api.service: + valueType: STRING + api.version: + valueType: STRING + api.operation: + valueType: STRING + api.protocol: + valueType: STRING + request.auth.principal: + valueType: STRING + request.auth.audiences: + valueType: STRING + request.auth.presenter: + valueType: STRING + request.auth.claims: + valueType: STRING_MAP + request.auth.raw_claims: + valueType: STRING + request.api_key: + valueType: STRING + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: kubernetes + namespace: istio-system +spec: + attributes: + source.ip: + valueType: IP_ADDRESS + source.labels: + valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP + source.name: + valueType: STRING + source.namespace: + valueType: STRING + source.owner: + valueType: STRING + source.service: # DEPRECATED + valueType: STRING + source.serviceAccount: + valueType: STRING + source.services: + valueType: STRING + source.workload.uid: + valueType: STRING + source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: STRING + destination.ip: + valueType: IP_ADDRESS + destination.labels: + valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + destination.owner: + valueType: STRING + destination.name: + valueType: STRING + destination.container.name: + valueType: STRING + destination.namespace: + valueType: STRING + destination.service: # DEPRECATED + valueType: STRING + destination.service.uid: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.host: + valueType: STRING + destination.serviceAccount: + valueType: STRING + destination.workload.uid: + valueType: STRING + destination.workload.name: + valueType: STRING + destination.workload.namespace: + valueType: STRING +--- +apiVersion: "config.istio.io/v1alpha2" +kind: stdio +metadata: + name: handler + namespace: istio-system +spec: + outputAsJson: true +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: accesslog + namespace: istio-system +spec: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseSize: response.size | 0 + requestSize: request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: tcpaccesslog + namespace: istio-system +spec: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdio + namespace: istio-system +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: handler.stdio + instances: + - accesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdiotcp + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.stdio + instances: + - tcpaccesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestcount + namespace: istio-system +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestduration + namespace: istio-system +spec: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestsize + namespace: istio-system +spec: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: responsesize + namespace: istio-system +spec: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytesent + namespace: istio-system +spec: + value: connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytereceived + namespace: istio-system +spec: + value: connection.received.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: prometheus +metadata: + name: handler + namespace: istio-system +spec: + metrics: + - name: requests_total + instance_name: requestcount.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + - name: request_bytes + instance_name: requestsize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promhttp + namespace: istio-system +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: handler.prometheus + instances: + - requestcount.metric + - requestduration.metric + - requestsize.metric + - responsesize.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcp + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.prometheus + instances: + - tcpbytesent.metric + - tcpbytereceived.metric +--- + +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetesenv +metadata: + name: handler + namespace: istio-system +spec: + # when running from mixer root, use the following config after adding a + # symbolic link to a kubernetes config file via: + # + # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig + # + # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: kubeattrgenrulerule + namespace: istio-system +spec: + actions: + - handler: handler.kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: tcpkubeattrgenrulerule + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetes +metadata: + name: attributes + namespace: istio-system +spec: + # Pass the required attribute data to the adapter + source_uid: source.uid | "" + source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr + destination_uid: destination.uid | "" + destination_port: destination.port | 0 + attribute_bindings: + # Fill the new attributes from the adapter produced output. + # $out refers to an instance of OutputTemplate message + source.ip: $out.source_pod_ip | ip("0.0.0.0") + source.uid: $out.source_pod_uid | "unknown" + source.labels: $out.source_labels | emptyStringMap() + source.name: $out.source_pod_name | "unknown" + source.namespace: $out.source_namespace | "default" + source.owner: $out.source_owner | "unknown" + source.serviceAccount: $out.source_service_account_name | "unknown" + source.workload.uid: $out.source_workload_uid | "unknown" + source.workload.name: $out.source_workload_name | "unknown" + source.workload.namespace: $out.source_workload_namespace | "unknown" + destination.ip: $out.destination_pod_ip | ip("0.0.0.0") + destination.uid: $out.destination_pod_uid | "unknown" + destination.labels: $out.destination_labels | emptyStringMap() + destination.name: $out.destination_pod_name | "unknown" + destination.container.name: $out.destination_container_name | "unknown" + destination.namespace: $out.destination_namespace | "default" + destination.owner: $out.destination_owner | "unknown" + destination.serviceAccount: $out.destination_service_account_name | "unknown" + destination.workload.uid: $out.destination_workload_uid | "unknown" + destination.workload.name: $out.destination_workload_name | "unknown" + destination.workload.namespace: $out.destination_workload_namespace | "unknown" + +--- +# Configuration needed by Mixer. +# Mixer cluster is delivered via CDS +# Specify mixer cluster settings +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-policy + namespace: istio-system +spec: + host: istio-policy.istio-system.svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-telemetry + namespace: istio-system +spec: + host: istio-telemetry.istio-system.svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- |