summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--deployments/helm/servicemesh/istio-operator/Chart.yaml7
-rw-r--r--deployments/helm/servicemesh/istio-operator/README.md19
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml1
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/authproxy-service.yaml2
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/namespace.yaml14
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.1-crd.yaml565
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.2-crd.yaml2
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.3-crd.yaml889
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml97
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml1
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.1-crd.yaml208
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.2-crd.yaml2
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.3-crd.yaml369
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/operator-service.yaml5
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/operator-statefulset.yaml1
-rw-r--r--deployments/helm/servicemesh/istio-operator/values.yaml39
-rw-r--r--deployments/helm/servicemesh/istio/README.md2
-rw-r--r--deployments/helm/servicemesh/istio/istio-instance/templates/istio-sds.yaml3
-rw-r--r--deployments/helm/servicemesh/istio/istio-instance/values.yaml12
-rw-r--r--deployments/helm/servicemesh/rbac/.helmignore22
-rw-r--r--deployments/helm/servicemesh/rbac/Chart.yaml18
-rw-r--r--deployments/helm/servicemesh/rbac/templates/_helpers.tpl69
-rw-r--r--deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml23
-rw-r--r--deployments/helm/servicemesh/rbac/templates/servicerole.yaml24
-rw-r--r--deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml26
-rw-r--r--deployments/helm/servicemesh/rbac/values.yaml26
-rw-r--r--src/k8splugin/api/brokerhandler.go12
-rw-r--r--src/k8splugin/api/brokerhandler_test.go41
28 files changed, 2455 insertions, 44 deletions
diff --git a/deployments/helm/servicemesh/istio-operator/Chart.yaml b/deployments/helm/servicemesh/istio-operator/Chart.yaml
index 1da83af4..1ef9650f 100644
--- a/deployments/helm/servicemesh/istio-operator/Chart.yaml
+++ b/deployments/helm/servicemesh/istio-operator/Chart.yaml
@@ -1,5 +1,3 @@
-
-
#/*Copyright 2019 Intel Corporation, Inc
# *
# * Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,7 +12,8 @@
# * See the License for the specific language governing permissions and
# * limitations under the License.
# */
+apiVersion: v1
name: istio-operator
-version: 0.0.15
+version: 0.0.22
description: istio-operator manages Istio deployments on Kubernetes
-appVersion: 0.2.1
+appVersion: 0.3.3
diff --git a/deployments/helm/servicemesh/istio-operator/README.md b/deployments/helm/servicemesh/istio-operator/README.md
index 4611a81e..c32e016d 100644
--- a/deployments/helm/servicemesh/istio-operator/README.md
+++ b/deployments/helm/servicemesh/istio-operator/README.md
@@ -14,42 +14,43 @@
* limitations under the License.
*/
+# Istio-operator chart
+
## Prerequisites
- Kubernetes 1.10.0+
## Installing the chart
-To install the chart from local directory:
+To install the chart:
-```
-helm install --name=istio-operator --namespace=istio-system istio-operator
+```bash
+❯ helm install --name=istio-operator --namespace=istio-system istio-operator
```
## Uninstalling the Chart
To uninstall/delete the `istio-operator` release:
-```
-$ helm del --purge istio-operator
+```bash
+❯ helm del --purge istio-operator
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
-The following table lists the configurable parameters of the Banzaicloud Istio Operator chart and their default values.
-
Parameter | Description | Default
--------- | ----------- | -------
`operator.image.repository` | Operator container image repository | `banzaicloud/istio-operator`
-`operator.image.tag` | Operator container image tag | `0.2.1`
+`operator.image.tag` | Operator container image tag | `0.3.3`
`operator.image.pullPolicy` | Operator container image pull policy | `IfNotPresent`
`operator.resources` | CPU/Memory resource requests/limits (YAML) | Memory: `128Mi/256Mi`, CPU: `100m/200m`
-`istioVersion` | Supported Istio version | `1.2`
+`istioVersion` | Supported Istio version | `1.3`
`prometheusMetrics.enabled` | If true, use direct access for Prometheus metrics | `false`
`prometheusMetrics.authProxy.enabled` | If true, use auth proxy for Prometheus metrics | `true`
`prometheusMetrics.authProxy.image.repository` | Auth proxy container image repository | `gcr.io/kubebuilder/kube-rbac-proxy`
`prometheusMetrics.authProxy.image.tag` | Auth proxy container image tag | `v0.4.0`
`prometheusMetrics.authProxy.image.pullPolicy` | Auth proxy container image pull policy | `IfNotPresent`
`rbac.enabled` | Create rbac service account and roles | `true`
+`rbac.psp.enabled` | Create pod security policy and binding | `false`
diff --git a/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml b/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml
index 8a047e03..aee3aeef 100644
--- a/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml
+++ b/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "istio-operator.fullname" . }}-authproxy
+ namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "istio-operator.name" . }}
helm.sh/chart: {{ include "istio-operator.chart" . }}
diff --git a/deployments/helm/servicemesh/istio-operator/templates/authproxy-service.yaml b/deployments/helm/servicemesh/istio-operator/templates/authproxy-service.yaml
index aad8a2be..6f7e6f9a 100644
--- a/deployments/helm/servicemesh/istio-operator/templates/authproxy-service.yaml
+++ b/deployments/helm/servicemesh/istio-operator/templates/authproxy-service.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "istio-operator.fullname" . }}-authproxy
+ namespace: {{ .Release.Namespace }}
annotations:
prometheus.io/port: "8443"
prometheus.io/scheme: https
@@ -20,6 +21,7 @@ spec:
ports:
- name: https
port: 8443
+ protocol: TCP
targetPort: https
selector:
control-plane: controller-manager
diff --git a/deployments/helm/servicemesh/istio-operator/templates/namespace.yaml b/deployments/helm/servicemesh/istio-operator/templates/namespace.yaml
new file mode 100644
index 00000000..daaf21d3
--- /dev/null
+++ b/deployments/helm/servicemesh/istio-operator/templates/namespace.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.useNamespaceResource }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app: {{ include "istio-operator.name" . }}
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: "{{ .Chart.AppVersion | replace "+" "_" }}"
+ app.kubernetes.io/part-of: {{ include "istio-operator.name" . }}
+ name: {{ .Release.Namespace }}
+{{- end }}
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.1-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.1-crd.yaml
new file mode 100644
index 00000000..287b9879
--- /dev/null
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.1-crd.yaml
@@ -0,0 +1,565 @@
+{{ if eq .Values.istioVersion "1.1" }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: istios.istio.banzaicloud.io
+ labels:
+ controller-tools.k8s.io: "1.0"
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.Status
+ description: Status of the resource
+ name: Status
+ type: string
+ - JSONPath: .status.ErrorMessage
+ description: Error message
+ name: Error
+ type: string
+ - JSONPath: .status.GatewayAddress
+ description: Ingress gateways of the resource
+ name: Gateways
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: istio.banzaicloud.io
+ names:
+ kind: Istio
+ plural: istios
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ autoInjectionNamespaces:
+ description: List of namespaces to label with sidecar auto injection
+ enabled
+ items:
+ type: string
+ type: array
+ citadel:
+ description: Citadel configuration options
+ properties:
+ affinity:
+ type: object
+ caSecretName:
+ type: string
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ controlPlaneSecurityEnabled:
+ description: ControlPlaneSecurityEnabled control plane services are
+ communicating through mTLS
+ type: boolean
+ defaultConfigVisibility:
+ description: Set the default set of namespaces to which services, service
+ entries, virtual services, destination rules should be exported to
+ type: string
+ defaultPodDisruptionBudget:
+ description: Enable pod disruption budget for the control plane, which
+ is used to ensure Istio control plane components are gradually upgraded
+ or recovered
+ properties:
+ enabled:
+ type: boolean
+ type: object
+ defaultResources:
+ description: DefaultResources are applied for all Istio components by
+ default, can be overridden for each component
+ type: object
+ excludeIPRanges:
+ description: ExcludeIPRanges the range where not to capture egress traffic
+ type: string
+ galley:
+ description: Galley configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ gateways:
+ description: Gateways configuration options
+ properties:
+ egress:
+ properties:
+ affinity:
+ type: object
+ applicationPorts:
+ type: string
+ enabled:
+ type: boolean
+ loadBalancerIP:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ ports:
+ items:
+ type: object
+ type: array
+ replicaCount:
+ format: int32
+ type: integer
+ requestedNetworkView:
+ type: string
+ resources:
+ type: object
+ sds:
+ properties:
+ enabled:
+ type: boolean
+ image:
+ type: string
+ resources:
+ type: object
+ type: object
+ serviceAnnotations:
+ type: object
+ serviceLabels:
+ type: object
+ serviceType:
+ enum:
+ - ClusterIP
+ - NodePort
+ - LoadBalancer
+ type: string
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ enabled:
+ type: boolean
+ ingress:
+ properties:
+ affinity:
+ type: object
+ applicationPorts:
+ type: string
+ enabled:
+ type: boolean
+ loadBalancerIP:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ ports:
+ items:
+ type: object
+ type: array
+ replicaCount:
+ format: int32
+ type: integer
+ requestedNetworkView:
+ type: string
+ resources:
+ type: object
+ sds:
+ properties:
+ enabled:
+ type: boolean
+ image:
+ type: string
+ resources:
+ type: object
+ type: object
+ serviceAnnotations:
+ type: object
+ serviceLabels:
+ type: object
+ serviceType:
+ enum:
+ - ClusterIP
+ - NodePort
+ - LoadBalancer
+ type: string
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ type: object
+ imagePullPolicy:
+ description: ImagePullPolicy describes a policy for if/when to pull
+ a container image
+ enum:
+ - Always
+ - Never
+ - IfNotPresent
+ type: string
+ includeIPRanges:
+ description: IncludeIPRanges the range where to capture egress traffic
+ type: string
+ istioCoreDNS:
+ description: Istio CoreDNS provides DNS resolution for services in multi
+ mesh setups
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ pluginImage:
+ type: string
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ meshExpansion:
+ description: If set to true, the pilot and citadel mtls will be exposed
+ on the ingress gateway also the remote istios will be connected through
+ gateways
+ type: boolean
+ mixer:
+ description: Mixer configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ mtls:
+ description: MTLS enables or disables global mTLS
+ type: boolean
+ multiMesh:
+ description: Set to true to connect two or more meshes via their respective
+ ingressgateway services when workloads in each cluster cannot directly
+ talk to one another. All meshes should be using Istio mTLS and must
+ have a shared root CA for this model to work.
+ type: boolean
+ nodeAgent:
+ description: NodeAgent configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ outboundTrafficPolicy:
+ description: Set the default behavior of the sidecar for handling outbound
+ traffic from the application (ALLOW_ANY or REGISTRY_ONLY)
+ properties:
+ mode:
+ enum:
+ - ALLOW_ANY
+ - REGISTRY_ONLY
+ type: string
+ type: object
+ pilot:
+ description: Pilot configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ sidecar:
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ traceSampling:
+ format: float
+ type: number
+ type: object
+ proxy:
+ description: Proxy configuration options
+ properties:
+ enableCoreDump:
+ description: If set, newly injected sidecars will have core dumps
+ enabled.
+ type: boolean
+ image:
+ type: string
+ privileged:
+ description: If set to true, istio-proxy container will have privileged
+ securityContext
+ type: boolean
+ resources:
+ type: object
+ type: object
+ proxyInit:
+ description: Proxy Init configuration options
+ properties:
+ image:
+ type: string
+ type: object
+ sds:
+ description: If SDS is configured, mTLS certificates for the sidecars
+ will be distributed through the SecretDiscoveryService instead of
+ using K8S secrets to mount the certificates
+ properties:
+ enabled:
+ description: If set to true, mTLS certificates for the sidecars
+ will be distributed through the SecretDiscoveryService instead
+ of using K8S secrets to mount the certificates.
+ type: boolean
+ udsPath:
+ description: Unix Domain Socket through which envoy communicates
+ with NodeAgent SDS to get key/cert for mTLS. Use secret-mount
+ files instead of SDS if set to empty.
+ type: string
+ useNormalJwt:
+ description: If set to true, envoy will fetch normal k8s service
+ account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
+ (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
+ and pass to sds server, which will be used to request key/cert
+ eventually this flag is ignored if UseTrustworthyJwt is set
+ type: boolean
+ useTrustworthyJwt:
+ description: 'If set to true, Istio will inject volumes mount for
+ k8s service account JWT, so that K8s API server mounts k8s service
+ account JWT to envoy container, which will be used to generate
+ key/cert eventually. (prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)'
+ type: boolean
+ type: object
+ sidecarInjector:
+ description: SidecarInjector configuration options
+ properties:
+ affinity:
+ type: object
+ autoInjectionPolicyEnabled:
+ description: This controls the 'policy' in the sidecar injector
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ init:
+ properties:
+ resources:
+ type: object
+ type: object
+ initCNIConfiguration:
+ properties:
+ affinity:
+ type: object
+ binDir:
+ description: Must be the same as the environment’s --cni-bin-dir
+ setting (kubelet parameter)
+ type: string
+ confDir:
+ description: Must be the same as the environment’s --cni-conf-dir
+ setting (kubelet parameter)
+ type: string
+ enabled:
+ description: If true, the privileged initContainer istio-init
+ is not needed to perform the traffic redirect settings for
+ the istio-proxy
+ type: boolean
+ excludeNamespaces:
+ description: List of namespaces to exclude from Istio pod check
+ items:
+ type: string
+ type: array
+ image:
+ type: string
+ logLevel:
+ description: Logging level for CNI binary
+ type: string
+ type: object
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ rewriteAppHTTPProbe:
+ description: If true, sidecar injector will rewrite PodSpec for
+ liveness health check to redirect request to sidecar. This makes
+ liveness check work even when mTLS is enabled.
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ tracing:
+ description: Configuration for each of the supported tracers
+ properties:
+ datadog:
+ properties:
+ address:
+ description: Host:Port for submitting traces to the Datadog
+ agent.
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ type: object
+ enabled:
+ type: boolean
+ lightstep:
+ properties:
+ accessToken:
+ description: required for sending data to the pool
+ type: string
+ address:
+ description: the <host>:<port> of the satellite pool
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ cacertPath:
+ description: the path to the file containing the cacert to use
+ when verifying TLS. If secure is true, this is required. If
+ a value is specified then a secret called "lightstep.cacert"
+ must be created in the destination namespace with the key
+ matching the base of the provided cacertPath and the value
+ being the cacert itself.
+ type: string
+ secure:
+ description: specifies whether data should be sent with TLS
+ type: boolean
+ type: object
+ tracer:
+ enum:
+ - zipkin
+ - lightstep
+ - datadog
+ type: string
+ zipkin:
+ properties:
+ address:
+ description: Host:Port for reporting trace data in zipkin format.
+ If not specified, will default to zipkin service (port 9411)
+ in the same namespace as the other istio components.
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ type: object
+ type: object
+ useMCP:
+ description: Use the Mesh Control Protocol (MCP) for configuring Mixer
+ and Pilot. Requires galley.
+ type: boolean
+ version:
+ description: Contains the intended Istio version
+ pattern: ^1.1
+ type: string
+ watchAdapterCRDs:
+ description: Whether or not to establish watches for adapter-specific
+ CRDs
+ type: boolean
+ watchOneNamespace:
+ description: Whether to restrict the applications namespace the controller
+ manages
+ type: boolean
+ required:
+ - version
+ - mtls
+ type: object
+ status:
+ type: object
+ version: v1beta1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+{{- end }}
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.2-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.2-crd.yaml
index b52ffc39..31aae495 100644
--- a/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.2-crd.yaml
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.2-crd.yaml
@@ -1,4 +1,4 @@
-{{ if eq .Values.istioVersion 1.2 }}
+{{ if eq .Values.istioVersion "1.2" }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.3-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.3-crd.yaml
new file mode 100644
index 00000000..540d43bd
--- /dev/null
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.3-crd.yaml
@@ -0,0 +1,889 @@
+{{ if eq .Values.istioVersion "1.3" }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: istios.istio.banzaicloud.io
+ labels:
+ controller-tools.k8s.io: "1.0"
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.Status
+ description: Status of the resource
+ name: Status
+ type: string
+ - JSONPath: .status.ErrorMessage
+ description: Error message
+ name: Error
+ type: string
+ - JSONPath: .status.GatewayAddress
+ description: Ingress gateways of the resource
+ name: Gateways
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: istio.banzaicloud.io
+ names:
+ kind: Istio
+ plural: istios
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ autoInjectionNamespaces:
+ description: List of namespaces to label with sidecar auto injection
+ enabled
+ items:
+ type: string
+ type: array
+ citadel:
+ description: Citadel configuration options
+ properties:
+ affinity:
+ type: object
+ caSecretName:
+ type: string
+ enableNamespacesByDefault:
+ description: 'Determines Citadel default behavior if the ca.istio.io/env
+ or ca.istio.io/override labels are not found on a given namespace. For
+ example: consider a namespace called "target", which has neither
+ the "ca.istio.io/env" nor the "ca.istio.io/override" namespace
+ labels. To decide whether or not to generate secrets for service
+ accounts created in this "target" namespace, Citadel will defer
+ to this option. If the value of this option is "true" in this
+ case, secrets will be generated for the "target" namespace. If
+ the value of this option is "false" Citadel will not generate
+ secrets upon service account creation.'
+ type: boolean
+ enabled:
+ type: boolean
+ healthCheck:
+ description: Enable health checking on the Citadel CSR signing API.
+ https://istio.io/docs/tasks/security/health-check/
+ type: boolean
+ image:
+ type: string
+ maxWorkloadCertTTL:
+ description: Citadel uses a flag max-workload-cert-ttl to control
+ the maximum lifetime for Istio certificates issued to workloads.
+ The default value is 90 days. If workload-cert-ttl on Citadel
+ or node agent is greater than max-workload-cert-ttl, Citadel will
+ fail issuing the certificate.
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ workloadCertTTL:
+ description: For the workloads running in Kubernetes, the lifetime
+ of their Istio certificates is controlled by the workload-cert-ttl
+ flag on Citadel. The default value is 90 days. This value should
+ be no greater than max-workload-cert-ttl of Citadel.
+ type: string
+ type: object
+ clusterName:
+ description: Should be set to the name of the cluster this installation
+ will run in. This is required for sidecar injection to properly label
+ proxies
+ type: string
+ controlPlaneSecurityEnabled:
+ description: ControlPlaneSecurityEnabled control plane services are
+ communicating through mTLS
+ type: boolean
+ defaultConfigVisibility:
+ description: Set the default set of namespaces to which services, service
+ entries, virtual services, destination rules should be exported to
+ type: string
+ defaultPodDisruptionBudget:
+ description: Enable pod disruption budget for the control plane, which
+ is used to ensure Istio control plane components are gradually upgraded
+ or recovered
+ properties:
+ enabled:
+ type: boolean
+ type: object
+ defaultResources:
+ description: DefaultResources are applied for all Istio components by
+ default, can be overridden for each component
+ type: object
+ excludeIPRanges:
+ description: ExcludeIPRanges the range where not to capture egress traffic
+ type: string
+ galley:
+ description: Galley configuration options
+ properties:
+ affinity:
+ type: object
+ configValidation:
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ gateways:
+ description: Gateways configuration options
+ properties:
+ egress:
+ properties:
+ affinity:
+ type: object
+ applicationPorts:
+ type: string
+ enabled:
+ type: boolean
+ loadBalancerIP:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ ports:
+ items:
+ type: object
+ type: array
+ replicaCount:
+ format: int32
+ type: integer
+ requestedNetworkView:
+ type: string
+ resources:
+ type: object
+ sds:
+ properties:
+ enabled:
+ type: boolean
+ image:
+ type: string
+ resources:
+ type: object
+ type: object
+ serviceAnnotations:
+ type: object
+ serviceLabels:
+ type: object
+ serviceType:
+ enum:
+ - ClusterIP
+ - NodePort
+ - LoadBalancer
+ type: string
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ enabled:
+ type: boolean
+ ingress:
+ properties:
+ affinity:
+ type: object
+ applicationPorts:
+ type: string
+ enabled:
+ type: boolean
+ loadBalancerIP:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ ports:
+ items:
+ type: object
+ type: array
+ replicaCount:
+ format: int32
+ type: integer
+ requestedNetworkView:
+ type: string
+ resources:
+ type: object
+ sds:
+ properties:
+ enabled:
+ type: boolean
+ image:
+ type: string
+ resources:
+ type: object
+ type: object
+ serviceAnnotations:
+ type: object
+ serviceLabels:
+ type: object
+ serviceType:
+ enum:
+ - ClusterIP
+ - NodePort
+ - LoadBalancer
+ type: string
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ type: object
+ imagePullPolicy:
+ description: ImagePullPolicy describes a policy for if/when to pull
+ a container image
+ enum:
+ - Always
+ - Never
+ - IfNotPresent
+ type: string
+ includeIPRanges:
+ description: IncludeIPRanges the range where to capture egress traffic
+ type: string
+ istioCoreDNS:
+ description: Istio CoreDNS provides DNS resolution for services in multi
+ mesh setups
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ pluginImage:
+ type: string
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ localityLB:
+ description: Locality based load balancing distribution or failover
+ settings.
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute or failover can be
+ set. Explicitly specify loadbalancing weight across different
+ zones and geographical locations. Refer to [Locality weighted
+ load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight)
+ If empty, the locality weight is set according to the endpoints
+ number within it.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated, e.g. 'region/zone'.
+ type: string
+ to:
+ description: Map of upstream localities to traffic distribution
+ weights. The sum of all weights should be == 100. Any locality
+ not assigned a weight will receive no traffic.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: If set to true, locality based load balancing will
+ be enabled
+ type: boolean
+ failover:
+ description: 'Optional: only failover or distribute can be set.
+ Explicitly specify the region traffic will land on when endpoints
+ in local region becomes unhealthy. Should be used together with
+ OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection
+ specified, this will not take effect.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ description: Destination region the traffic will fail over
+ to when endpoints in the 'from' region becomes unhealthy.
+ type: string
+ type: object
+ type: array
+ type: object
+ meshExpansion:
+ description: If set to true, the pilot and citadel mtls will be exposed
+ on the ingress gateway also the remote istios will be connected through
+ gateways
+ type: boolean
+ meshID:
+ description: Mesh ID means Mesh Identifier. It should be unique within
+ the scope where meshes will interact with each other, but it is not
+ required to be globally/universally unique.
+ type: string
+ trustDomain:
+ description: The domain serves to identify the system with SPIFFE. (default "cluster.local")
+ type: string
+ mixer:
+ description: Mixer configuration options
+ properties:
+ affinity:
+ type: object
+ checksEnabled:
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ multiClusterSupport:
+ description: Turn it on if you use mixer that supports multi cluster
+ telemetry
+ type: boolean
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ reportBatchMaxEntries:
+ description: Set reportBatchMaxEntries to 0 to use the default batching
+ behavior (i.e., every 100 requests). A positive value indicates
+ the number of requests that are batched before telemetry data
+ is sent to the mixer server
+ format: int32
+ type: integer
+ reportBatchMaxTime:
+ description: Set reportBatchMaxTime to 0 to use the default batching
+ behavior (i.e., every 1 second). A positive time value indicates
+ the maximum wait time since the last request will telemetry data
+ be batched before being sent to the mixer server
+ type: string
+ resources:
+ type: object
+ sessionAffinityEnabled:
+ description: Set whether to create a STRICT_DNS type cluster for
+ istio-telemetry.
+ type: boolean
+ stdioAdapterEnabled:
+ description: stdio is a debug adapter in Istio telemetry, it is
+ not recommended for production use
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ mixerlessTelemetry:
+ description: Mixerless telemetry configuration
+ properties:
+ enabled:
+ description: If set to true, experimental Mixerless http telemetry
+ will be enabled
+ type: boolean
+ type: object
+ mtls:
+ description: MTLS enables or disables global mTLS
+ type: boolean
+ multiMesh:
+ description: Set to true to connect two or more meshes via their respective
+ ingressgateway services when workloads in each cluster cannot directly
+ talk to one another. All meshes should be using Istio mTLS and must
+ have a shared root CA for this model to work.
+ type: boolean
+ nodeAgent:
+ description: NodeAgent configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ outboundTrafficPolicy:
+ description: Set the default behavior of the sidecar for handling outbound
+ traffic from the application (ALLOW_ANY or REGISTRY_ONLY)
+ properties:
+ mode:
+ enum:
+ - ALLOW_ANY
+ - REGISTRY_ONLY
+ type: string
+ type: object
+ pilot:
+ description: Pilot configuration options
+ properties:
+ affinity:
+ type: object
+ enableProtocolSniffing:
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ sidecar:
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ traceSampling:
+ format: float
+ type: number
+ type: object
+ policy:
+ description: Policy configuration options
+ properties:
+ affinity:
+ type: object
+ checksEnabled:
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ sessionAffinityEnabled:
+ description: Set whether to create a STRICT_DNS type cluster for
+ istio-telemetry.
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ proxy:
+ description: Proxy configuration options
+ properties:
+ accessLogEncoding:
+ description: Configure the access log for sidecar to JSON or TEXT.
+ enum:
+ - JSON
+ - TEXT
+ type: string
+ accessLogFile:
+ description: 'Configures the access log for each sidecar. Options: ""
+ - disables access log "/dev/stdout" - enables access log'
+ enum:
+ - ""
+ - /dev/stdout
+ type: string
+ accessLogFormat:
+ description: 'Configure how and what fields are displayed in sidecar
+ access log. Setting to empty string will result in default log
+ format. If accessLogEncoding is TEXT, value will be used directly
+ as the log format example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%
+ %PROTOCOL%\n" If AccessLogEncoding is JSON, value will be parsed
+ as map[string]string example: ''{"start_time": "%START_TIME%",
+ "req_method": "%REQ(:METHOD)%"}'''
+ type: string
+ componentLogLevel:
+ description: Per Component log level for proxy, applies to gateways
+ and sidecars. If a component level is not set, then the "LogLevel"
+ will be used. If left empty, "misc:error" is used.
+ type: string
+ coreDumpImage:
+ description: Image used to enable core dumps. This is only used,
+ when "EnableCoreDump" is set to true.
+ type: string
+ dnsRefreshRate:
+ description: Configure the DNS refresh rate for Envoy cluster of
+ type STRICT_DNS This must be given it terms of seconds. For example,
+ 300s is valid but 5m is invalid.
+ pattern: ^[0-9]{1,5}s$
+ type: string
+ enableCoreDump:
+ description: If set, newly injected sidecars will have core dumps
+ enabled.
+ type: boolean
+ envoyAccessLogService:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ tcpKeepalive:
+ properties:
+ interval:
+ type: string
+ probes:
+ format: int32
+ type: integer
+ time:
+ type: string
+ type: object
+ tlsSettings:
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ type: string
+ mode:
+ type: string
+ privateKey:
+ type: string
+ sni:
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ envoyMetricsService:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ type: object
+ envoyStatsD:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ type: object
+ image:
+ type: string
+ logLevel:
+ description: 'Log level for proxy, applies to gateways and sidecars.
+ If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
+ enum:
+ - trace
+ - debug
+ - info
+ - warning
+ - error
+ - critical
+ - "off"
+ type: string
+ privileged:
+ description: If set to true, istio-proxy container will have privileged
+ securityContext
+ type: boolean
+ protocolDetectionTimeout:
+ type: string
+ resources:
+ type: object
+ type: object
+ proxyInit:
+ description: Proxy Init configuration options
+ properties:
+ image:
+ type: string
+ type: object
+ sds:
+ description: If SDS is configured, mTLS certificates for the sidecars
+ will be distributed through the SecretDiscoveryService instead of
+ using K8S secrets to mount the certificates
+ properties:
+ customTokenDirectory:
+ type: string
+ enabled:
+ description: If set to true, mTLS certificates for the sidecars
+ will be distributed through the SecretDiscoveryService instead
+ of using K8S secrets to mount the certificates.
+ type: boolean
+ tokenAudience:
+ description: "The JWT token for SDS and the aud field of such JWT.
+ See RFC 7519, section 4.1.3. When a CSR is sent from Citadel Agent
+ to the CA (e.g. Citadel), this aud is to make sure the \tJWT is
+ intended for the CA."
+ type: string
+ udsPath:
+ description: Unix Domain Socket through which envoy communicates
+ with NodeAgent SDS to get key/cert for mTLS. Use secret-mount
+ files instead of SDS if set to empty.
+ type: string
+ type: object
+ sidecarInjector:
+ description: SidecarInjector configuration options
+ properties:
+ affinity:
+ type: object
+ alwaysInjectSelector:
+ description: 'AlwaysInjectSelector: Forces the injection on pods
+ whose labels match this selector. It''s an array of label selectors,
+ that will be OR''ed, meaning we will iterate over it and stop
+ at the first match'
+ items:
+ type: object
+ type: array
+ autoInjectionPolicyEnabled:
+ description: This controls the 'policy' in the sidecar injector
+ type: boolean
+ enableNamespacesByDefault:
+ description: This controls whether the webhook looks for namespaces
+ for injection enabled or disabled
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ init:
+ properties:
+ resources:
+ type: object
+ type: object
+ initCNIConfiguration:
+ properties:
+ affinity:
+ type: object
+ binDir:
+ description: Must be the same as the environment’s --cni-bin-dir
+ setting (kubelet parameter)
+ type: string
+ confDir:
+ description: Must be the same as the environment’s --cni-conf-dir
+ setting (kubelet parameter)
+ type: string
+ enabled:
+ description: If true, the privileged initContainer istio-init
+ is not needed to perform the traffic redirect settings for
+ the istio-proxy
+ type: boolean
+ excludeNamespaces:
+ description: List of namespaces to exclude from Istio pod check
+ items:
+ type: string
+ type: array
+ image:
+ type: string
+ logLevel:
+ description: Logging level for CNI binary
+ type: string
+ type: object
+ neverInjectSelector:
+ description: 'NeverInjectSelector: Refuses the injection on pods
+ whose labels match this selector. It''s an array of label selectors,
+ that will be OR''ed, meaning we will iterate over it and stop
+ at the first match Takes precedence over AlwaysInjectSelector.'
+ items:
+ type: object
+ type: array
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ rewriteAppHTTPProbe:
+ description: If true, sidecar injector will rewrite PodSpec for
+ liveness health check to redirect request to sidecar. This makes
+ liveness check work even when mTLS is enabled.
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ telemetry:
+ description: Telemetry configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ reportBatchMaxEntries:
+ description: Set reportBatchMaxEntries to 0 to use the default batching
+ behavior (i.e., every 100 requests). A positive value indicates
+ the number of requests that are batched before telemetry data
+ is sent to the mixer server
+ format: int32
+ type: integer
+ reportBatchMaxTime:
+ description: Set reportBatchMaxTime to 0 to use the default batching
+ behavior (i.e., every 1 second). A positive time value indicates
+ the maximum wait time since the last request will telemetry data
+ be batched before being sent to the mixer server
+ type: string
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ tracing:
+ description: Configuration for each of the supported tracers
+ properties:
+ datadog:
+ properties:
+ address:
+ description: Host:Port for submitting traces to the Datadog
+ agent.
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ type: object
+ enabled:
+ type: boolean
+ lightstep:
+ properties:
+ accessToken:
+ description: required for sending data to the pool
+ type: string
+ address:
+ description: the <host>:<port> of the satellite pool
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ cacertPath:
+ description: the path to the file containing the cacert to use
+ when verifying TLS. If secure is true, this is required. If
+ a value is specified then a secret called "lightstep.cacert"
+ must be created in the destination namespace with the key
+ matching the base of the provided cacertPath and the value
+ being the cacert itself.
+ type: string
+ secure:
+ description: specifies whether data should be sent with TLS
+ type: boolean
+ type: object
+ stackdriver:
+ type: object
+ tracer:
+ enum:
+ - zipkin
+ - lightstep
+ - datadog
+ type: string
+ zipkin:
+ properties:
+ address:
+ description: Host:Port for reporting trace data in zipkin format.
+ If not specified, will default to zipkin service (port 9411)
+ in the same namespace as the other istio components.
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ type: object
+ type: object
+ useMCP:
+ description: Use the Mesh Control Protocol (MCP) for configuring Mixer
+ and Pilot. Requires galley.
+ type: boolean
+ version:
+ description: Contains the intended Istio version
+ pattern: ^1.3
+ type: string
+ watchAdapterCRDs:
+ description: Whether or not to establish watches for adapter-specific
+ CRDs
+ type: boolean
+ watchOneNamespace:
+ description: Whether to restrict the applications namespace the controller
+ manages
+ type: boolean
+ required:
+ - version
+ - mtls
+ type: object
+ status:
+ type: object
+ version: v1beta1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+{{- end }}
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml
new file mode 100644
index 00000000..b6e5eac6
--- /dev/null
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml
@@ -0,0 +1,97 @@
+{{- if and .Values.rbac.enabled .Values.rbac.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "istio-operator.fullname" . }}-basic
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ fsGroup:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - emptyDir
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp:{{ include "istio-operator.fullname" . }}-basic
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "istio-operator.fullname" . }}-basic
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp:{{ include "istio-operator.fullname" . }}-basic
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: psp:{{ include "istio-operator.fullname" . }}-basic
+subjects:
+ - kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-galley-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-egressgateway-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-operator-authproxy
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-pilot-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istiocoredns-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-nodeagent-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-operator-operator
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml
index d506ee41..e25462af 100644
--- a/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "istio-operator.fullname" . }}-operator
+ namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "istio-operator.name" . }}
helm.sh/chart: {{ include "istio-operator.chart" . }}
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.1-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.1-crd.yaml
new file mode 100644
index 00000000..f298ccde
--- /dev/null
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.1-crd.yaml
@@ -0,0 +1,208 @@
+{{ if eq .Values.istioVersion "1.1" }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: remoteistios.istio.banzaicloud.io
+ labels:
+ controller-tools.k8s.io: "1.0"
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.Status
+ description: Status of the resource
+ name: Status
+ type: string
+ - JSONPath: .status.ErrorMessage
+ description: Error message
+ name: Error
+ type: string
+ - JSONPath: .status.GatewayAddress
+ description: Ingress gateways of the resource
+ name: Gateways
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: istio.banzaicloud.io
+ names:
+ kind: RemoteIstio
+ plural: remoteistios
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ autoInjectionNamespaces:
+ description: List of namespaces to label with sidecar auto injection
+ enabled
+ items:
+ type: string
+ type: array
+ citadel:
+ description: Citadel configuration options
+ properties:
+ affinity:
+ type: object
+ caSecretName:
+ type: string
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ defaultResources:
+ description: DefaultResources are applied for all Istio components by
+ default, can be overridden for each component
+ type: object
+ enabledServices:
+ description: EnabledServices the Istio component services replicated
+ to remote side
+ items:
+ properties:
+ labelSelector:
+ type: string
+ name:
+ type: string
+ podIPs:
+ items:
+ type: string
+ type: array
+ ports:
+ items:
+ type: object
+ type: array
+ required:
+ - name
+ type: object
+ type: array
+ excludeIPRanges:
+ description: ExcludeIPRanges the range where not to capture egress traffic
+ type: string
+ includeIPRanges:
+ description: IncludeIPRanges the range where to capture egress traffic
+ type: string
+ proxy:
+ description: Proxy configuration options
+ properties:
+ enableCoreDump:
+ description: If set, newly injected sidecars will have core dumps
+ enabled.
+ type: boolean
+ image:
+ type: string
+ privileged:
+ description: If set to true, istio-proxy container will have privileged
+ securityContext
+ type: boolean
+ resources:
+ type: object
+ type: object
+ proxyInit:
+ description: Proxy Init configuration options
+ properties:
+ image:
+ type: string
+ type: object
+ sidecarInjector:
+ description: SidecarInjector configuration options
+ properties:
+ affinity:
+ type: object
+ autoInjectionPolicyEnabled:
+ description: This controls the 'policy' in the sidecar injector
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ init:
+ properties:
+ resources:
+ type: object
+ type: object
+ initCNIConfiguration:
+ properties:
+ affinity:
+ type: object
+ binDir:
+ description: Must be the same as the environment’s --cni-bin-dir
+ setting (kubelet parameter)
+ type: string
+ confDir:
+ description: Must be the same as the environment’s --cni-conf-dir
+ setting (kubelet parameter)
+ type: string
+ enabled:
+ description: If true, the privileged initContainer istio-init
+ is not needed to perform the traffic redirect settings for
+ the istio-proxy
+ type: boolean
+ excludeNamespaces:
+ description: List of namespaces to exclude from Istio pod check
+ items:
+ type: string
+ type: array
+ image:
+ type: string
+ logLevel:
+ description: Logging level for CNI binary
+ type: string
+ type: object
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ rewriteAppHTTPProbe:
+ description: If true, sidecar injector will rewrite PodSpec for
+ liveness health check to redirect request to sidecar. This makes
+ liveness check work even when mTLS is enabled.
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ required:
+ - enabledServices
+ type: object
+ status:
+ type: object
+ version: v1beta1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+{{- end }}
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.2-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.2-crd.yaml
index 37741898..6df6ba72 100644
--- a/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.2-crd.yaml
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.2-crd.yaml
@@ -1,4 +1,4 @@
-{{ if eq .Values.istioVersion 1.2 }}
+{{ if eq .Values.istioVersion "1.2" }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.3-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.3-crd.yaml
new file mode 100644
index 00000000..bb411904
--- /dev/null
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.3-crd.yaml
@@ -0,0 +1,369 @@
+{{ if eq .Values.istioVersion "1.3" }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: remoteistios.istio.banzaicloud.io
+ labels:
+ controller-tools.k8s.io: "1.0"
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.Status
+ description: Status of the resource
+ name: Status
+ type: string
+ - JSONPath: .status.ErrorMessage
+ description: Error message
+ name: Error
+ type: string
+ - JSONPath: .status.GatewayAddress
+ description: Ingress gateways of the resource
+ name: Gateways
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: istio.banzaicloud.io
+ names:
+ kind: RemoteIstio
+ plural: remoteistios
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ autoInjectionNamespaces:
+ description: List of namespaces to label with sidecar auto injection
+ enabled
+ items:
+ type: string
+ type: array
+ citadel:
+ description: Citadel configuration options
+ properties:
+ affinity:
+ type: object
+ caSecretName:
+ type: string
+ enableNamespacesByDefault:
+ description: 'Determines Citadel default behavior if the ca.istio.io/env
+ or ca.istio.io/override labels are not found on a given namespace. For
+ example: consider a namespace called "target", which has neither
+ the "ca.istio.io/env" nor the "ca.istio.io/override" namespace
+ labels. To decide whether or not to generate secrets for service
+ accounts created in this "target" namespace, Citadel will defer
+ to this option. If the value of this option is "true" in this
+ case, secrets will be generated for the "target" namespace. If
+ the value of this option is "false" Citadel will not generate
+ secrets upon service account creation.'
+ type: boolean
+ enabled:
+ type: boolean
+ healthCheck:
+ description: Enable health checking on the Citadel CSR signing API.
+ https://istio.io/docs/tasks/security/health-check/
+ type: boolean
+ image:
+ type: string
+ maxWorkloadCertTTL:
+ description: Citadel uses a flag max-workload-cert-ttl to control
+ the maximum lifetime for Istio certificates issued to workloads.
+ The default value is 90 days. If workload-cert-ttl on Citadel
+ or node agent is greater than max-workload-cert-ttl, Citadel will
+ fail issuing the certificate.
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ workloadCertTTL:
+ description: For the workloads running in Kubernetes, the lifetime
+ of their Istio certificates is controlled by the workload-cert-ttl
+ flag on Citadel. The default value is 90 days. This value should
+ be no greater than max-workload-cert-ttl of Citadel.
+ type: string
+ type: object
+ clusterName:
+ description: Should be set to the name of the cluster, this is required
+ for sidecar injection to properly label proxies
+ type: string
+ defaultResources:
+ description: DefaultResources are applied for all Istio components by
+ default, can be overridden for each component
+ type: object
+ enabledServices:
+ description: EnabledServices the Istio component services replicated
+ to remote side
+ items:
+ properties:
+ labelSelector:
+ type: string
+ name:
+ type: string
+ podIPs:
+ items:
+ type: string
+ type: array
+ ports:
+ items:
+ type: object
+ type: array
+ required:
+ - name
+ type: object
+ type: array
+ excludeIPRanges:
+ description: ExcludeIPRanges the range where not to capture egress traffic
+ type: string
+ includeIPRanges:
+ description: IncludeIPRanges the range where to capture egress traffic
+ type: string
+ proxy:
+ description: Proxy configuration options
+ properties:
+ accessLogEncoding:
+ description: Configure the access log for sidecar to JSON or TEXT.
+ enum:
+ - JSON
+ - TEXT
+ type: string
+ accessLogFile:
+ description: 'Configures the access log for each sidecar. Options: ""
+ - disables access log "/dev/stdout" - enables access log'
+ enum:
+ - ""
+ - /dev/stdout
+ type: string
+ accessLogFormat:
+ description: 'Configure how and what fields are displayed in sidecar
+ access log. Setting to empty string will result in default log
+ format. If accessLogEncoding is TEXT, value will be used directly
+ as the log format example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%
+ %PROTOCOL%\n" If AccessLogEncoding is JSON, value will be parsed
+ as map[string]string example: ''{"start_time": "%START_TIME%",
+ "req_method": "%REQ(:METHOD)%"}'''
+ type: string
+ componentLogLevel:
+ description: Per Component log level for proxy, applies to gateways
+ and sidecars. If a component level is not set, then the "LogLevel"
+ will be used. If left empty, "misc:error" is used.
+ type: string
+ coreDumpImage:
+ description: Image used to enable core dumps. This is only used,
+ when "EnableCoreDump" is set to true.
+ type: string
+ dnsRefreshRate:
+ description: Configure the DNS refresh rate for Envoy cluster of
+ type STRICT_DNS This must be given it terms of seconds. For example,
+ 300s is valid but 5m is invalid.
+ pattern: ^[0-9]{1,5}s$
+ type: string
+ enableCoreDump:
+ description: If set, newly injected sidecars will have core dumps
+ enabled.
+ type: boolean
+ envoyAccessLogService:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ tcpKeepalive:
+ properties:
+ interval:
+ type: string
+ probes:
+ format: int32
+ type: integer
+ time:
+ type: string
+ type: object
+ tlsSettings:
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ type: string
+ mode:
+ type: string
+ privateKey:
+ type: string
+ sni:
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ envoyMetricsService:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ type: object
+ envoyStatsD:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ type: object
+ image:
+ type: string
+ logLevel:
+ description: 'Log level for proxy, applies to gateways and sidecars.
+ If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
+ enum:
+ - trace
+ - debug
+ - info
+ - warning
+ - error
+ - critical
+ - "off"
+ type: string
+ privileged:
+ description: If set to true, istio-proxy container will have privileged
+ securityContext
+ type: boolean
+ protocolDetectionTimeout:
+ type: string
+ resources:
+ type: object
+ type: object
+ proxyInit:
+ description: Proxy Init configuration options
+ properties:
+ image:
+ type: string
+ type: object
+ sidecarInjector:
+ description: SidecarInjector configuration options
+ properties:
+ affinity:
+ type: object
+ alwaysInjectSelector:
+ description: 'AlwaysInjectSelector: Forces the injection on pods
+ whose labels match this selector. It''s an array of label selectors,
+ that will be OR''ed, meaning we will iterate over it and stop
+ at the first match'
+ items:
+ type: object
+ type: array
+ autoInjectionPolicyEnabled:
+ description: This controls the 'policy' in the sidecar injector
+ type: boolean
+ enableNamespacesByDefault:
+ description: This controls whether the webhook looks for namespaces
+ for injection enabled or disabled
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ init:
+ properties:
+ resources:
+ type: object
+ type: object
+ initCNIConfiguration:
+ properties:
+ affinity:
+ type: object
+ binDir:
+ description: Must be the same as the environment’s --cni-bin-dir
+ setting (kubelet parameter)
+ type: string
+ confDir:
+ description: Must be the same as the environment’s --cni-conf-dir
+ setting (kubelet parameter)
+ type: string
+ enabled:
+ description: If true, the privileged initContainer istio-init
+ is not needed to perform the traffic redirect settings for
+ the istio-proxy
+ type: boolean
+ excludeNamespaces:
+ description: List of namespaces to exclude from Istio pod check
+ items:
+ type: string
+ type: array
+ image:
+ type: string
+ logLevel:
+ description: Logging level for CNI binary
+ type: string
+ type: object
+ neverInjectSelector:
+ description: 'NeverInjectSelector: Refuses the injection on pods
+ whose labels match this selector. It''s an array of label selectors,
+ that will be OR''ed, meaning we will iterate over it and stop
+ at the first match Takes precedence over AlwaysInjectSelector.'
+ items:
+ type: object
+ type: array
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ rewriteAppHTTPProbe:
+ description: If true, sidecar injector will rewrite PodSpec for
+ liveness health check to redirect request to sidecar. This makes
+ liveness check work even when mTLS is enabled.
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ required:
+ - enabledServices
+ type: object
+ status:
+ type: object
+ version: v1beta1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+{{- end }}
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-service.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-service.yaml
index 04ffc835..bc49dcfd 100644
--- a/deployments/helm/servicemesh/istio-operator/templates/operator-service.yaml
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
kind: Service
metadata:
name: "{{ include "istio-operator.fullname" . }}-operator"
+ namespace: {{ .Release.Namespace }}
{{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
annotations:
prometheus.io/scrape: "true"
@@ -26,8 +27,12 @@ spec:
app.kubernetes.io/component: operator
ports:
- name: https
+ protocol: TCP
port: 443
+ targetPort: 443
{{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
- name: metrics
+ protocol: TCP
port: 8080
+ targetPort: 8080
{{- end }}
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-statefulset.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-statefulset.yaml
index 9e90ee80..0b59d23f 100644
--- a/deployments/helm/servicemesh/istio-operator/templates/operator-statefulset.yaml
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-statefulset.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
name: "{{ include "istio-operator.fullname" . }}-operator"
+ namespace: {{ .Release.Namespace }}
labels:
control-plane: controller-manager
controller-tools.k8s.io: "1.0"
diff --git a/deployments/helm/servicemesh/istio-operator/values.yaml b/deployments/helm/servicemesh/istio-operator/values.yaml
index cb937c11..f1ff6575 100644
--- a/deployments/helm/servicemesh/istio-operator/values.yaml
+++ b/deployments/helm/servicemesh/istio-operator/values.yaml
@@ -1,12 +1,26 @@
-
-
+#/*Copyright 2019 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
+
+# Default values for istio-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
operator:
image:
repository: banzaicloud/istio-operator
- tag: 0.2.1
+ tag: 0.3.3
pullPolicy: IfNotPresent
resources:
limits:
@@ -16,21 +30,30 @@ operator:
cpu: 100m
memory: 128Mi
-istioVersion: 1.2
+istioVersion: "1.3"
-## Prometheus Metrics
+# If you want the operator to expose the /metrics
prometheusMetrics:
enabled: false
-# Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
+ # Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+ # which protects your /metrics endpoint.
authProxy:
- enabled: false
+ enabled: true
+ image:
+ repository: gcr.io/kubebuilder/kube-rbac-proxy
+ tag: v0.4.0
+ pullPolicy: IfNotPresent
## Role Based Access
## Ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
enabled: true
+ ## Pod Security Policies
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ ##
+ psp:
+ enabled: true
nameOverride: ""
fullnameOverride: ""
diff --git a/deployments/helm/servicemesh/istio/README.md b/deployments/helm/servicemesh/istio/README.md
index 8fcba4f8..868c116a 100644
--- a/deployments/helm/servicemesh/istio/README.md
+++ b/deployments/helm/servicemesh/istio/README.md
@@ -17,4 +17,6 @@
# Steps for Instaling Istio with Istio- Operator
# Step 1 - Add the helm chart to install Istio in sds configuration
+# NOTE - Edit the namespaces in istio/istio-instance/values.yaml
+# to enable istio-injection
helm install istio-instance --name istio --namespace istio-system
diff --git a/deployments/helm/servicemesh/istio/istio-instance/templates/istio-sds.yaml b/deployments/helm/servicemesh/istio/istio-instance/templates/istio-sds.yaml
index 8c440a4e..4a8b11b2 100644
--- a/deployments/helm/servicemesh/istio/istio-instance/templates/istio-sds.yaml
+++ b/deployments/helm/servicemesh/istio/istio-instance/templates/istio-sds.yaml
@@ -29,8 +29,7 @@ spec:
sds:
enabled: {{ .Values.spec.sds.enabled }}
udsPath: {{ .Values.spec.sds.udsPath | quote }}
- useTrustworthyJwt: {{ .Values.spec.sds.useTrustworthyJwt }}
- useNormalJwt: {{ .Values.spec.sds.useNormalJwt }}
+ tokenAudience: {{ .Values.spec.sds.tokenAudience | quote}}
gateways:
enabled: {{ .Values.spec.gateways.enabled }}
ingress:
diff --git a/deployments/helm/servicemesh/istio/istio-instance/values.yaml b/deployments/helm/servicemesh/istio/istio-instance/values.yaml
index 091999ac..dd77ef1b 100644
--- a/deployments/helm/servicemesh/istio/istio-instance/values.yaml
+++ b/deployments/helm/servicemesh/istio/istio-instance/values.yaml
@@ -15,25 +15,25 @@
# * limitations under the License.
# */
#Declare variables to be passed into Istio SDS template file.
+#NOTE : EDit the namespace for which you need Istio injection
metadata:
name: "istio-sample"
spec:
- version: "1.2.2"
+ version: "1.3.3"
mtls: true
autoInjectionNamespaces:
- -
+ - "default"
sds:
enabled: true
udsPath: "unix:/var/run/sds/uds_path"
- useTrustworthyJwt: false
- useNormalJwt: true
+ tokenAudience: "istio-ca"
gateways:
enabled: true
ingress:
enabled: true
sds:
enabled: true
- image: "docker.io/istio/node-agent-k8s:1.2.2"
+ image: "docker.io/istio/node-agent-k8s:1.3.3"
nodeAgent:
enabled: true
- image : "docker.io/istio/node-agent-k8s:1.2.2"
+ image : "docker.io/istio/node-agent-k8s:1.3.3"
diff --git a/deployments/helm/servicemesh/rbac/.helmignore b/deployments/helm/servicemesh/rbac/.helmignore
new file mode 100644
index 00000000..50af0317
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deployments/helm/servicemesh/rbac/Chart.yaml b/deployments/helm/servicemesh/rbac/Chart.yaml
new file mode 100644
index 00000000..8b3bfdc1
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright @ 2019 Intel Corporation
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Istio Rbac Rules
+name: rbac
+version: 0.1.0
diff --git a/deployments/helm/servicemesh/rbac/templates/_helpers.tpl b/deployments/helm/servicemesh/rbac/templates/_helpers.tpl
new file mode 100644
index 00000000..866dd71e
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/_helpers.tpl
@@ -0,0 +1,69 @@
+# Copyright @ 2019 Intel Corporation
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rbacname" -}}
+ {{ default "default" .Values.rbacName }}
+{{- end -}}
+
+{{- define "servicerolename" -}}
+ {{ default "default" .Values.serviceRoleRule.name }}
+{{- end -}}
+
+{{- define "servicerolebindingname" -}}
+ {{ default "default" .Values.serviceRoleBinding.name }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "labels" -}}
+app.kubernetes.io/name: {{ include "name" . }}
+helm.sh/chart: {{ include "chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
diff --git a/deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml b/deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml
new file mode 100644
index 00000000..486993a3
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml
@@ -0,0 +1,23 @@
+#{{/*
+# Copyright @ 2019 Intel Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# imitations under the License.
+#*/}}
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ClusterRbacConfig
+metadata:
+ name: {{ template "rbacname" . }}
+spec:
+ mode: 'ON_WITH_INCLUSION'
+ inclusion:
+ namespaces: [{{ .Values.namespace | quote }}]
+ enforcement_mode: {{ .Values.policyEnforcementMode }}
diff --git a/deployments/helm/servicemesh/rbac/templates/servicerole.yaml b/deployments/helm/servicemesh/rbac/templates/servicerole.yaml
new file mode 100644
index 00000000..d2791379
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/servicerole.yaml
@@ -0,0 +1,24 @@
+#{{/*
+# Copyright @ 2019 Intel Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# imitations under the License.
+#*/}}
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+ name: {{ template "servicerolename" . }}
+ namespace: {{ .Values.namespace }}
+spec:
+ rules:
+ - services: [{{ .Values.serviceRoleRule.services | quote }}]
+ paths: [{{ .Values.serviceRoleRule.paths | quote }}]
+ methods: {{ .Values.serviceRoleRule.methods| toJson }}
diff --git a/deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml b/deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml
new file mode 100644
index 00000000..c17adf7e
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml
@@ -0,0 +1,26 @@
+#{{/*
+# Copyright @ 2019 Intel Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# imitations under the License.
+#*/}}
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+ name: {{ template "servicerolebindingname" . }}
+ namespace: {{ .Values.namespace }}
+spec:
+ subjects:
+ - user: {{ .Values.serviceRoleBinding.users | quote }}
+ roleRef:
+ kind: ServiceRole
+ name: {{ .Values.serviceRoleBinding.serviceRoleName | quote }}
+ mode: {{ .Values.policyEnforcementMode }}
diff --git a/deployments/helm/servicemesh/rbac/values.yaml b/deployments/helm/servicemesh/rbac/values.yaml
new file mode 100644
index 00000000..45208ffa
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/values.yaml
@@ -0,0 +1,26 @@
+# Copyright @ 2019 Intel Corporation
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+
+namespace: multicloud
+policyEnforcementMode: PERMISSIVE
+rbacName: ""
+serviceRoleRule:
+ name: ""
+ service: multicloud-k8s.multicloud.svc.cluster.local
+ paths: "*"
+ methods: [ "GET","HEAD"]
+serviceRoleBinding:
+ name: ""
+ users: "*"
+ serviceRoleName: ""
diff --git a/src/k8splugin/api/brokerhandler.go b/src/k8splugin/api/brokerhandler.go
index 669b539f..b377baf1 100644
--- a/src/k8splugin/api/brokerhandler.go
+++ b/src/k8splugin/api/brokerhandler.go
@@ -134,21 +134,21 @@ func (b brokerInstanceHandler) createHandler(w http.ResponseWriter, r *http.Requ
return
}
- rbName := req.getAttributeValue(req.UserDirectives, "definition-name")
+ rbName := req.getAttributeValue(req.SDNCDirectives, "k8s-rb-definition-name")
if rbName == "" {
- http.Error(w, "definition-name is missing from user-directives", http.StatusBadRequest)
+ http.Error(w, "k8s-rb-definition-name is missing from sdnc-directives", http.StatusBadRequest)
return
}
- rbVersion := req.getAttributeValue(req.UserDirectives, "definition-version")
+ rbVersion := req.getAttributeValue(req.SDNCDirectives, "k8s-rb-definition-version")
if rbVersion == "" {
- http.Error(w, "definition-version is missing from user-directives", http.StatusBadRequest)
+ http.Error(w, "k8s-rb-definition-version is missing from sdnc-directives", http.StatusBadRequest)
return
}
- profileName := req.getAttributeValue(req.UserDirectives, "profile-name")
+ profileName := req.getAttributeValue(req.SDNCDirectives, "k8s-rb-profile-name")
if profileName == "" {
- http.Error(w, "profile-name is missing from user-directives", http.StatusBadRequest)
+ http.Error(w, "k8s-rb-profile-name is missing from sdnc-directives", http.StatusBadRequest)
return
}
diff --git a/src/k8splugin/api/brokerhandler_test.go b/src/k8splugin/api/brokerhandler_test.go
index 8ef5e184..00ca3b7b 100644
--- a/src/k8splugin/api/brokerhandler_test.go
+++ b/src/k8splugin/api/brokerhandler_test.go
@@ -54,11 +54,11 @@ func TestBrokerCreateHandler(t *testing.T) {
"user_directives": {
"attributes": [
{
- "attribute_name": "definition-name",
+ "attribute_name": "k8s-rb-definition-name",
"attribute_value": "test-rbdef"
},
{
- "attribute_name": "definition-version",
+ "attribute_name": "k8s-rb-definition-version",
"attribute_value": "v1"
}
]
@@ -67,9 +67,9 @@ func TestBrokerCreateHandler(t *testing.T) {
expectedCode: http.StatusBadRequest,
},
{
- label: "Succesfully create an Instance",
+ label: "Deprecated parameters passed (user_directives)",
input: bytes.NewBuffer([]byte(`{
- "vf-module-model-customization-id": "84sdfkio938",
+ "vf-module-model-customization-id": "97sdfkio168",
"sdnc_directives": {
"attributes": [
{
@@ -81,15 +81,42 @@ func TestBrokerCreateHandler(t *testing.T) {
"user_directives": {
"attributes": [
{
- "attribute_name": "definition-name",
+ "attribute_name": "rb-definition-name",
+ "attribute_value": "test-rbdef"
+ },
+ {
+ "attribute_name": "rb-definition-version",
+ "attribute_value": "v1"
+ },
+ {
+ "attribute_name": "rb-profile-name",
+ "attribute_value": "profile1"
+ }
+ ]
+ }
+ }`)),
+ expectedCode: http.StatusBadRequest,
+ },
+ {
+ label: "Succesfully create an Instance",
+ input: bytes.NewBuffer([]byte(`{
+ "vf-module-model-customization-id": "84sdfkio938",
+ "sdnc_directives": {
+ "attributes": [
+ {
+ "attribute_name": "vf_module_name",
+ "attribute_value": "test-vf-module-name"
+ },
+ {
+ "attribute_name": "k8s-rb-definition-name",
"attribute_value": "test-rbdef"
},
{
- "attribute_name": "definition-version",
+ "attribute_name": "k8s-rb-definition-version",
"attribute_value": "v1"
},
{
- "attribute_name": "profile-name",
+ "attribute_name": "k8s-rb-profile-name",
"attribute_value": "profile1"
}
]