From ccbd9d767ad08455382e2cec91e0bfc4ed7ea942 Mon Sep 17 00:00:00 2001 From: Pramod Date: Wed, 23 Oct 2019 16:14:19 -0700 Subject: Upgrade istio-operator Issue-ID: AAF-1023 Signed-off-by: Pramod Change-Id: I863a06ee8f504febb822d02c054860065ad888b9 --- .../helm/servicemesh/istio-operator/Chart.yaml | 7 +- .../helm/servicemesh/istio-operator/README.md | 19 +- .../istio-operator/templates/authproxy-rbac.yaml | 1 + .../templates/authproxy-service.yaml | 2 + .../istio-operator/templates/namespace.yaml | 14 + .../templates/operator-istio-1.1-crd.yaml | 565 +++++++++++++ .../templates/operator-istio-1.2-crd.yaml | 2 +- .../templates/operator-istio-1.3-crd.yaml | 889 +++++++++++++++++++++ .../templates/operator-psp-basic.yaml | 97 +++ .../istio-operator/templates/operator-rbac.yaml | 1 + .../templates/operator-remoteistio-1.1-crd.yaml | 208 +++++ .../templates/operator-remoteistio-1.2-crd.yaml | 2 +- .../templates/operator-remoteistio-1.3-crd.yaml | 369 +++++++++ .../istio-operator/templates/operator-service.yaml | 5 + .../templates/operator-statefulset.yaml | 1 + .../helm/servicemesh/istio-operator/values.yaml | 39 +- deployments/helm/servicemesh/istio/README.md | 2 + .../istio/istio-instance/templates/istio-sds.yaml | 3 +- .../servicemesh/istio/istio-instance/values.yaml | 12 +- 19 files changed, 2207 insertions(+), 31 deletions(-) create mode 100644 deployments/helm/servicemesh/istio-operator/templates/namespace.yaml create mode 100644 deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.1-crd.yaml create mode 100644 deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.3-crd.yaml create mode 100644 deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml create mode 100644 deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.1-crd.yaml create mode 100644 deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.3-crd.yaml (limited to 'deployments') diff --git a/deployments/helm/servicemesh/istio-operator/Chart.yaml b/deployments/helm/servicemesh/istio-operator/Chart.yaml index 1da83af4..1ef9650f 100644 --- a/deployments/helm/servicemesh/istio-operator/Chart.yaml +++ b/deployments/helm/servicemesh/istio-operator/Chart.yaml @@ -1,5 +1,3 @@ - - #/*Copyright 2019 Intel Corporation, Inc # * # * Licensed under the Apache License, Version 2.0 (the "License"); @@ -14,7 +12,8 @@ # * See the License for the specific language governing permissions and # * limitations under the License. # */ +apiVersion: v1 name: istio-operator -version: 0.0.15 +version: 0.0.22 description: istio-operator manages Istio deployments on Kubernetes -appVersion: 0.2.1 +appVersion: 0.3.3 diff --git a/deployments/helm/servicemesh/istio-operator/README.md b/deployments/helm/servicemesh/istio-operator/README.md index 4611a81e..c32e016d 100644 --- a/deployments/helm/servicemesh/istio-operator/README.md +++ b/deployments/helm/servicemesh/istio-operator/README.md @@ -14,42 +14,43 @@ * limitations under the License. */ +# Istio-operator chart + ## Prerequisites - Kubernetes 1.10.0+ ## Installing the chart -To install the chart from local directory: +To install the chart: -``` -helm install --name=istio-operator --namespace=istio-system istio-operator +```bash +❯ helm install --name=istio-operator --namespace=istio-system istio-operator ``` ## Uninstalling the Chart To uninstall/delete the `istio-operator` release: -``` -$ helm del --purge istio-operator +```bash +❯ helm del --purge istio-operator ``` The command removes all the Kubernetes components associated with the chart and deletes the release. ## Configuration -The following table lists the configurable parameters of the Banzaicloud Istio Operator chart and their default values. - Parameter | Description | Default --------- | ----------- | ------- `operator.image.repository` | Operator container image repository | `banzaicloud/istio-operator` -`operator.image.tag` | Operator container image tag | `0.2.1` +`operator.image.tag` | Operator container image tag | `0.3.3` `operator.image.pullPolicy` | Operator container image pull policy | `IfNotPresent` `operator.resources` | CPU/Memory resource requests/limits (YAML) | Memory: `128Mi/256Mi`, CPU: `100m/200m` -`istioVersion` | Supported Istio version | `1.2` +`istioVersion` | Supported Istio version | `1.3` `prometheusMetrics.enabled` | If true, use direct access for Prometheus metrics | `false` `prometheusMetrics.authProxy.enabled` | If true, use auth proxy for Prometheus metrics | `true` `prometheusMetrics.authProxy.image.repository` | Auth proxy container image repository | `gcr.io/kubebuilder/kube-rbac-proxy` `prometheusMetrics.authProxy.image.tag` | Auth proxy container image tag | `v0.4.0` `prometheusMetrics.authProxy.image.pullPolicy` | Auth proxy container image pull policy | `IfNotPresent` `rbac.enabled` | Create rbac service account and roles | `true` +`rbac.psp.enabled` | Create pod security policy and binding | `false` diff --git a/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml b/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml index 8a047e03..aee3aeef 100644 --- a/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml +++ b/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "istio-operator.fullname" . }}-authproxy + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "istio-operator.name" . }} helm.sh/chart: {{ include "istio-operator.chart" . }} diff --git a/deployments/helm/servicemesh/istio-operator/templates/authproxy-service.yaml b/deployments/helm/servicemesh/istio-operator/templates/authproxy-service.yaml index aad8a2be..6f7e6f9a 100644 --- a/deployments/helm/servicemesh/istio-operator/templates/authproxy-service.yaml +++ b/deployments/helm/servicemesh/istio-operator/templates/authproxy-service.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "istio-operator.fullname" . }}-authproxy + namespace: {{ .Release.Namespace }} annotations: prometheus.io/port: "8443" prometheus.io/scheme: https @@ -20,6 +21,7 @@ spec: ports: - name: https port: 8443 + protocol: TCP targetPort: https selector: control-plane: controller-manager diff --git a/deployments/helm/servicemesh/istio-operator/templates/namespace.yaml b/deployments/helm/servicemesh/istio-operator/templates/namespace.yaml new file mode 100644 index 00000000..daaf21d3 --- /dev/null +++ b/deployments/helm/servicemesh/istio-operator/templates/namespace.yaml @@ -0,0 +1,14 @@ +{{- if .Values.useNamespaceResource }} +apiVersion: v1 +kind: Namespace +metadata: + labels: + app: {{ include "istio-operator.name" . }} + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ .Chart.AppVersion | replace "+" "_" }}" + app.kubernetes.io/part-of: {{ include "istio-operator.name" . }} + name: {{ .Release.Namespace }} +{{- end }} diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.1-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.1-crd.yaml new file mode 100644 index 00000000..287b9879 --- /dev/null +++ b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.1-crd.yaml @@ -0,0 +1,565 @@ +{{ if eq .Values.istioVersion "1.1" }} +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istios.istio.banzaicloud.io + labels: + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +spec: + additionalPrinterColumns: + - JSONPath: .status.Status + description: Status of the resource + name: Status + type: string + - JSONPath: .status.ErrorMessage + description: Error message + name: Error + type: string + - JSONPath: .status.GatewayAddress + description: Ingress gateways of the resource + name: Gateways + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: istio.banzaicloud.io + names: + kind: Istio + plural: istios + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + autoInjectionNamespaces: + description: List of namespaces to label with sidecar auto injection + enabled + items: + type: string + type: array + citadel: + description: Citadel configuration options + properties: + affinity: + type: object + caSecretName: + type: string + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + controlPlaneSecurityEnabled: + description: ControlPlaneSecurityEnabled control plane services are + communicating through mTLS + type: boolean + defaultConfigVisibility: + description: Set the default set of namespaces to which services, service + entries, virtual services, destination rules should be exported to + type: string + defaultPodDisruptionBudget: + description: Enable pod disruption budget for the control plane, which + is used to ensure Istio control plane components are gradually upgraded + or recovered + properties: + enabled: + type: boolean + type: object + defaultResources: + description: DefaultResources are applied for all Istio components by + default, can be overridden for each component + type: object + excludeIPRanges: + description: ExcludeIPRanges the range where not to capture egress traffic + type: string + galley: + description: Galley configuration options + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + gateways: + description: Gateways configuration options + properties: + egress: + properties: + affinity: + type: object + applicationPorts: + type: string + enabled: + type: boolean + loadBalancerIP: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + ports: + items: + type: object + type: array + replicaCount: + format: int32 + type: integer + requestedNetworkView: + type: string + resources: + type: object + sds: + properties: + enabled: + type: boolean + image: + type: string + resources: + type: object + type: object + serviceAnnotations: + type: object + serviceLabels: + type: object + serviceType: + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + items: + type: object + type: array + type: object + enabled: + type: boolean + ingress: + properties: + affinity: + type: object + applicationPorts: + type: string + enabled: + type: boolean + loadBalancerIP: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + ports: + items: + type: object + type: array + replicaCount: + format: int32 + type: integer + requestedNetworkView: + type: string + resources: + type: object + sds: + properties: + enabled: + type: boolean + image: + type: string + resources: + type: object + type: object + serviceAnnotations: + type: object + serviceLabels: + type: object + serviceType: + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + items: + type: object + type: array + type: object + type: object + imagePullPolicy: + description: ImagePullPolicy describes a policy for if/when to pull + a container image + enum: + - Always + - Never + - IfNotPresent + type: string + includeIPRanges: + description: IncludeIPRanges the range where to capture egress traffic + type: string + istioCoreDNS: + description: Istio CoreDNS provides DNS resolution for services in multi + mesh setups + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + pluginImage: + type: string + replicaCount: + format: int32 + type: integer + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + meshExpansion: + description: If set to true, the pilot and citadel mtls will be exposed + on the ingress gateway also the remote istios will be connected through + gateways + type: boolean + mixer: + description: Mixer configuration options + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + mtls: + description: MTLS enables or disables global mTLS + type: boolean + multiMesh: + description: Set to true to connect two or more meshes via their respective + ingressgateway services when workloads in each cluster cannot directly + talk to one another. All meshes should be using Istio mTLS and must + have a shared root CA for this model to work. + type: boolean + nodeAgent: + description: NodeAgent configuration options + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling outbound + traffic from the application (ALLOW_ANY or REGISTRY_ONLY) + properties: + mode: + enum: + - ALLOW_ANY + - REGISTRY_ONLY + type: string + type: object + pilot: + description: Pilot configuration options + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + sidecar: + type: boolean + tolerations: + items: + type: object + type: array + traceSampling: + format: float + type: number + type: object + proxy: + description: Proxy configuration options + properties: + enableCoreDump: + description: If set, newly injected sidecars will have core dumps + enabled. + type: boolean + image: + type: string + privileged: + description: If set to true, istio-proxy container will have privileged + securityContext + type: boolean + resources: + type: object + type: object + proxyInit: + description: Proxy Init configuration options + properties: + image: + type: string + type: object + sds: + description: If SDS is configured, mTLS certificates for the sidecars + will be distributed through the SecretDiscoveryService instead of + using K8S secrets to mount the certificates + properties: + enabled: + description: If set to true, mTLS certificates for the sidecars + will be distributed through the SecretDiscoveryService instead + of using K8S secrets to mount the certificates. + type: boolean + udsPath: + description: Unix Domain Socket through which envoy communicates + with NodeAgent SDS to get key/cert for mTLS. Use secret-mount + files instead of SDS if set to empty. + type: string + useNormalJwt: + description: If set to true, envoy will fetch normal k8s service + account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' + (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) + and pass to sds server, which will be used to request key/cert + eventually this flag is ignored if UseTrustworthyJwt is set + type: boolean + useTrustworthyJwt: + description: 'If set to true, Istio will inject volumes mount for + k8s service account JWT, so that K8s API server mounts k8s service + account JWT to envoy container, which will be used to generate + key/cert eventually. (prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)' + type: boolean + type: object + sidecarInjector: + description: SidecarInjector configuration options + properties: + affinity: + type: object + autoInjectionPolicyEnabled: + description: This controls the 'policy' in the sidecar injector + type: boolean + enabled: + type: boolean + image: + type: string + init: + properties: + resources: + type: object + type: object + initCNIConfiguration: + properties: + affinity: + type: object + binDir: + description: Must be the same as the environment’s --cni-bin-dir + setting (kubelet parameter) + type: string + confDir: + description: Must be the same as the environment’s --cni-conf-dir + setting (kubelet parameter) + type: string + enabled: + description: If true, the privileged initContainer istio-init + is not needed to perform the traffic redirect settings for + the istio-proxy + type: boolean + excludeNamespaces: + description: List of namespaces to exclude from Istio pod check + items: + type: string + type: array + image: + type: string + logLevel: + description: Logging level for CNI binary + type: string + type: object + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + rewriteAppHTTPProbe: + description: If true, sidecar injector will rewrite PodSpec for + liveness health check to redirect request to sidecar. This makes + liveness check work even when mTLS is enabled. + type: boolean + tolerations: + items: + type: object + type: array + type: object + tracing: + description: Configuration for each of the supported tracers + properties: + datadog: + properties: + address: + description: Host:Port for submitting traces to the Datadog + agent. + pattern: ^[^\:]+:[0-9]{1,5}$ + type: string + type: object + enabled: + type: boolean + lightstep: + properties: + accessToken: + description: required for sending data to the pool + type: string + address: + description: the : of the satellite pool + pattern: ^[^\:]+:[0-9]{1,5}$ + type: string + cacertPath: + description: the path to the file containing the cacert to use + when verifying TLS. If secure is true, this is required. If + a value is specified then a secret called "lightstep.cacert" + must be created in the destination namespace with the key + matching the base of the provided cacertPath and the value + being the cacert itself. + type: string + secure: + description: specifies whether data should be sent with TLS + type: boolean + type: object + tracer: + enum: + - zipkin + - lightstep + - datadog + type: string + zipkin: + properties: + address: + description: Host:Port for reporting trace data in zipkin format. + If not specified, will default to zipkin service (port 9411) + in the same namespace as the other istio components. + pattern: ^[^\:]+:[0-9]{1,5}$ + type: string + type: object + type: object + useMCP: + description: Use the Mesh Control Protocol (MCP) for configuring Mixer + and Pilot. Requires galley. + type: boolean + version: + description: Contains the intended Istio version + pattern: ^1.1 + type: string + watchAdapterCRDs: + description: Whether or not to establish watches for adapter-specific + CRDs + type: boolean + watchOneNamespace: + description: Whether to restrict the applications namespace the controller + manages + type: boolean + required: + - version + - mtls + type: object + status: + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.2-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.2-crd.yaml index b52ffc39..31aae495 100644 --- a/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.2-crd.yaml +++ b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.2-crd.yaml @@ -1,4 +1,4 @@ -{{ if eq .Values.istioVersion 1.2 }} +{{ if eq .Values.istioVersion "1.2" }} apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.3-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.3-crd.yaml new file mode 100644 index 00000000..540d43bd --- /dev/null +++ b/deployments/helm/servicemesh/istio-operator/templates/operator-istio-1.3-crd.yaml @@ -0,0 +1,889 @@ +{{ if eq .Values.istioVersion "1.3" }} +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istios.istio.banzaicloud.io + labels: + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +spec: + additionalPrinterColumns: + - JSONPath: .status.Status + description: Status of the resource + name: Status + type: string + - JSONPath: .status.ErrorMessage + description: Error message + name: Error + type: string + - JSONPath: .status.GatewayAddress + description: Ingress gateways of the resource + name: Gateways + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: istio.banzaicloud.io + names: + kind: Istio + plural: istios + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + autoInjectionNamespaces: + description: List of namespaces to label with sidecar auto injection + enabled + items: + type: string + type: array + citadel: + description: Citadel configuration options + properties: + affinity: + type: object + caSecretName: + type: string + enableNamespacesByDefault: + description: 'Determines Citadel default behavior if the ca.istio.io/env + or ca.istio.io/override labels are not found on a given namespace. For + example: consider a namespace called "target", which has neither + the "ca.istio.io/env" nor the "ca.istio.io/override" namespace + labels. To decide whether or not to generate secrets for service + accounts created in this "target" namespace, Citadel will defer + to this option. If the value of this option is "true" in this + case, secrets will be generated for the "target" namespace. If + the value of this option is "false" Citadel will not generate + secrets upon service account creation.' + type: boolean + enabled: + type: boolean + healthCheck: + description: Enable health checking on the Citadel CSR signing API. + https://istio.io/docs/tasks/security/health-check/ + type: boolean + image: + type: string + maxWorkloadCertTTL: + description: Citadel uses a flag max-workload-cert-ttl to control + the maximum lifetime for Istio certificates issued to workloads. + The default value is 90 days. If workload-cert-ttl on Citadel + or node agent is greater than max-workload-cert-ttl, Citadel will + fail issuing the certificate. + type: string + nodeSelector: + type: object + resources: + type: object + tolerations: + items: + type: object + type: array + workloadCertTTL: + description: For the workloads running in Kubernetes, the lifetime + of their Istio certificates is controlled by the workload-cert-ttl + flag on Citadel. The default value is 90 days. This value should + be no greater than max-workload-cert-ttl of Citadel. + type: string + type: object + clusterName: + description: Should be set to the name of the cluster this installation + will run in. This is required for sidecar injection to properly label + proxies + type: string + controlPlaneSecurityEnabled: + description: ControlPlaneSecurityEnabled control plane services are + communicating through mTLS + type: boolean + defaultConfigVisibility: + description: Set the default set of namespaces to which services, service + entries, virtual services, destination rules should be exported to + type: string + defaultPodDisruptionBudget: + description: Enable pod disruption budget for the control plane, which + is used to ensure Istio control plane components are gradually upgraded + or recovered + properties: + enabled: + type: boolean + type: object + defaultResources: + description: DefaultResources are applied for all Istio components by + default, can be overridden for each component + type: object + excludeIPRanges: + description: ExcludeIPRanges the range where not to capture egress traffic + type: string + galley: + description: Galley configuration options + properties: + affinity: + type: object + configValidation: + type: boolean + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + gateways: + description: Gateways configuration options + properties: + egress: + properties: + affinity: + type: object + applicationPorts: + type: string + enabled: + type: boolean + loadBalancerIP: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + ports: + items: + type: object + type: array + replicaCount: + format: int32 + type: integer + requestedNetworkView: + type: string + resources: + type: object + sds: + properties: + enabled: + type: boolean + image: + type: string + resources: + type: object + type: object + serviceAnnotations: + type: object + serviceLabels: + type: object + serviceType: + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + items: + type: object + type: array + type: object + enabled: + type: boolean + ingress: + properties: + affinity: + type: object + applicationPorts: + type: string + enabled: + type: boolean + loadBalancerIP: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + ports: + items: + type: object + type: array + replicaCount: + format: int32 + type: integer + requestedNetworkView: + type: string + resources: + type: object + sds: + properties: + enabled: + type: boolean + image: + type: string + resources: + type: object + type: object + serviceAnnotations: + type: object + serviceLabels: + type: object + serviceType: + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + items: + type: object + type: array + type: object + type: object + imagePullPolicy: + description: ImagePullPolicy describes a policy for if/when to pull + a container image + enum: + - Always + - Never + - IfNotPresent + type: string + includeIPRanges: + description: IncludeIPRanges the range where to capture egress traffic + type: string + istioCoreDNS: + description: Istio CoreDNS provides DNS resolution for services in multi + mesh setups + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + pluginImage: + type: string + replicaCount: + format: int32 + type: integer + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + localityLB: + description: Locality based load balancing distribution or failover + settings. + properties: + distribute: + description: 'Optional: only one of distribute or failover can be + set. Explicitly specify loadbalancing weight across different + zones and geographical locations. Refer to [Locality weighted + load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight) + If empty, the locality weight is set according to the endpoints + number within it.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 'region/zone'. + type: string + to: + description: Map of upstream localities to traffic distribution + weights. The sum of all weights should be == 100. Any locality + not assigned a weight will receive no traffic. + type: object + type: object + type: array + enabled: + description: If set to true, locality based load balancing will + be enabled + type: boolean + failover: + description: 'Optional: only failover or distribute can be set. + Explicitly specify the region traffic will land on when endpoints + in local region becomes unhealthy. Should be used together with + OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection + specified, this will not take effect.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over + to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + type: object + meshExpansion: + description: If set to true, the pilot and citadel mtls will be exposed + on the ingress gateway also the remote istios will be connected through + gateways + type: boolean + meshID: + description: Mesh ID means Mesh Identifier. It should be unique within + the scope where meshes will interact with each other, but it is not + required to be globally/universally unique. + type: string + trustDomain: + description: The domain serves to identify the system with SPIFFE. (default "cluster.local") + type: string + mixer: + description: Mixer configuration options + properties: + affinity: + type: object + checksEnabled: + type: boolean + enabled: + type: boolean + image: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + multiClusterSupport: + description: Turn it on if you use mixer that supports multi cluster + telemetry + type: boolean + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + reportBatchMaxEntries: + description: Set reportBatchMaxEntries to 0 to use the default batching + behavior (i.e., every 100 requests). A positive value indicates + the number of requests that are batched before telemetry data + is sent to the mixer server + format: int32 + type: integer + reportBatchMaxTime: + description: Set reportBatchMaxTime to 0 to use the default batching + behavior (i.e., every 1 second). A positive time value indicates + the maximum wait time since the last request will telemetry data + be batched before being sent to the mixer server + type: string + resources: + type: object + sessionAffinityEnabled: + description: Set whether to create a STRICT_DNS type cluster for + istio-telemetry. + type: boolean + stdioAdapterEnabled: + description: stdio is a debug adapter in Istio telemetry, it is + not recommended for production use + type: boolean + tolerations: + items: + type: object + type: array + type: object + mixerlessTelemetry: + description: Mixerless telemetry configuration + properties: + enabled: + description: If set to true, experimental Mixerless http telemetry + will be enabled + type: boolean + type: object + mtls: + description: MTLS enables or disables global mTLS + type: boolean + multiMesh: + description: Set to true to connect two or more meshes via their respective + ingressgateway services when workloads in each cluster cannot directly + talk to one another. All meshes should be using Istio mTLS and must + have a shared root CA for this model to work. + type: boolean + nodeAgent: + description: NodeAgent configuration options + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling outbound + traffic from the application (ALLOW_ANY or REGISTRY_ONLY) + properties: + mode: + enum: + - ALLOW_ANY + - REGISTRY_ONLY + type: string + type: object + pilot: + description: Pilot configuration options + properties: + affinity: + type: object + enableProtocolSniffing: + type: boolean + enabled: + type: boolean + image: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + sidecar: + type: boolean + tolerations: + items: + type: object + type: array + traceSampling: + format: float + type: number + type: object + policy: + description: Policy configuration options + properties: + affinity: + type: object + checksEnabled: + type: boolean + enabled: + type: boolean + image: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + sessionAffinityEnabled: + description: Set whether to create a STRICT_DNS type cluster for + istio-telemetry. + type: boolean + tolerations: + items: + type: object + type: array + type: object + proxy: + description: Proxy configuration options + properties: + accessLogEncoding: + description: Configure the access log for sidecar to JSON or TEXT. + enum: + - JSON + - TEXT + type: string + accessLogFile: + description: 'Configures the access log for each sidecar. Options: "" + - disables access log "/dev/stdout" - enables access log' + enum: + - "" + - /dev/stdout + type: string + accessLogFormat: + description: 'Configure how and what fields are displayed in sidecar + access log. Setting to empty string will result in default log + format. If accessLogEncoding is TEXT, value will be used directly + as the log format example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% + %PROTOCOL%\n" If AccessLogEncoding is JSON, value will be parsed + as map[string]string example: ''{"start_time": "%START_TIME%", + "req_method": "%REQ(:METHOD)%"}''' + type: string + componentLogLevel: + description: Per Component log level for proxy, applies to gateways + and sidecars. If a component level is not set, then the "LogLevel" + will be used. If left empty, "misc:error" is used. + type: string + coreDumpImage: + description: Image used to enable core dumps. This is only used, + when "EnableCoreDump" is set to true. + type: string + dnsRefreshRate: + description: Configure the DNS refresh rate for Envoy cluster of + type STRICT_DNS This must be given it terms of seconds. For example, + 300s is valid but 5m is invalid. + pattern: ^[0-9]{1,5}s$ + type: string + enableCoreDump: + description: If set, newly injected sidecars will have core dumps + enabled. + type: boolean + envoyAccessLogService: + properties: + enabled: + type: boolean + host: + type: string + port: + format: int32 + type: integer + tcpKeepalive: + properties: + interval: + type: string + probes: + format: int32 + type: integer + time: + type: string + type: object + tlsSettings: + properties: + caCertificates: + type: string + clientCertificate: + type: string + mode: + type: string + privateKey: + type: string + sni: + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + envoyMetricsService: + properties: + enabled: + type: boolean + host: + type: string + port: + format: int32 + type: integer + type: object + envoyStatsD: + properties: + enabled: + type: boolean + host: + type: string + port: + format: int32 + type: integer + type: object + image: + type: string + logLevel: + description: 'Log level for proxy, applies to gateways and sidecars. + If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off' + enum: + - trace + - debug + - info + - warning + - error + - critical + - "off" + type: string + privileged: + description: If set to true, istio-proxy container will have privileged + securityContext + type: boolean + protocolDetectionTimeout: + type: string + resources: + type: object + type: object + proxyInit: + description: Proxy Init configuration options + properties: + image: + type: string + type: object + sds: + description: If SDS is configured, mTLS certificates for the sidecars + will be distributed through the SecretDiscoveryService instead of + using K8S secrets to mount the certificates + properties: + customTokenDirectory: + type: string + enabled: + description: If set to true, mTLS certificates for the sidecars + will be distributed through the SecretDiscoveryService instead + of using K8S secrets to mount the certificates. + type: boolean + tokenAudience: + description: "The JWT token for SDS and the aud field of such JWT. + See RFC 7519, section 4.1.3. When a CSR is sent from Citadel Agent + to the CA (e.g. Citadel), this aud is to make sure the \tJWT is + intended for the CA." + type: string + udsPath: + description: Unix Domain Socket through which envoy communicates + with NodeAgent SDS to get key/cert for mTLS. Use secret-mount + files instead of SDS if set to empty. + type: string + type: object + sidecarInjector: + description: SidecarInjector configuration options + properties: + affinity: + type: object + alwaysInjectSelector: + description: 'AlwaysInjectSelector: Forces the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match' + items: + type: object + type: array + autoInjectionPolicyEnabled: + description: This controls the 'policy' in the sidecar injector + type: boolean + enableNamespacesByDefault: + description: This controls whether the webhook looks for namespaces + for injection enabled or disabled + type: boolean + enabled: + type: boolean + image: + type: string + init: + properties: + resources: + type: object + type: object + initCNIConfiguration: + properties: + affinity: + type: object + binDir: + description: Must be the same as the environment’s --cni-bin-dir + setting (kubelet parameter) + type: string + confDir: + description: Must be the same as the environment’s --cni-conf-dir + setting (kubelet parameter) + type: string + enabled: + description: If true, the privileged initContainer istio-init + is not needed to perform the traffic redirect settings for + the istio-proxy + type: boolean + excludeNamespaces: + description: List of namespaces to exclude from Istio pod check + items: + type: string + type: array + image: + type: string + logLevel: + description: Logging level for CNI binary + type: string + type: object + neverInjectSelector: + description: 'NeverInjectSelector: Refuses the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match Takes precedence over AlwaysInjectSelector.' + items: + type: object + type: array + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + rewriteAppHTTPProbe: + description: If true, sidecar injector will rewrite PodSpec for + liveness health check to redirect request to sidecar. This makes + liveness check work even when mTLS is enabled. + type: boolean + tolerations: + items: + type: object + type: array + type: object + telemetry: + description: Telemetry configuration options + properties: + affinity: + type: object + enabled: + type: boolean + image: + type: string + maxReplicas: + format: int32 + type: integer + minReplicas: + format: int32 + type: integer + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + reportBatchMaxEntries: + description: Set reportBatchMaxEntries to 0 to use the default batching + behavior (i.e., every 100 requests). A positive value indicates + the number of requests that are batched before telemetry data + is sent to the mixer server + format: int32 + type: integer + reportBatchMaxTime: + description: Set reportBatchMaxTime to 0 to use the default batching + behavior (i.e., every 1 second). A positive time value indicates + the maximum wait time since the last request will telemetry data + be batched before being sent to the mixer server + type: string + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + tracing: + description: Configuration for each of the supported tracers + properties: + datadog: + properties: + address: + description: Host:Port for submitting traces to the Datadog + agent. + pattern: ^[^\:]+:[0-9]{1,5}$ + type: string + type: object + enabled: + type: boolean + lightstep: + properties: + accessToken: + description: required for sending data to the pool + type: string + address: + description: the : of the satellite pool + pattern: ^[^\:]+:[0-9]{1,5}$ + type: string + cacertPath: + description: the path to the file containing the cacert to use + when verifying TLS. If secure is true, this is required. If + a value is specified then a secret called "lightstep.cacert" + must be created in the destination namespace with the key + matching the base of the provided cacertPath and the value + being the cacert itself. + type: string + secure: + description: specifies whether data should be sent with TLS + type: boolean + type: object + stackdriver: + type: object + tracer: + enum: + - zipkin + - lightstep + - datadog + type: string + zipkin: + properties: + address: + description: Host:Port for reporting trace data in zipkin format. + If not specified, will default to zipkin service (port 9411) + in the same namespace as the other istio components. + pattern: ^[^\:]+:[0-9]{1,5}$ + type: string + type: object + type: object + useMCP: + description: Use the Mesh Control Protocol (MCP) for configuring Mixer + and Pilot. Requires galley. + type: boolean + version: + description: Contains the intended Istio version + pattern: ^1.3 + type: string + watchAdapterCRDs: + description: Whether or not to establish watches for adapter-specific + CRDs + type: boolean + watchOneNamespace: + description: Whether to restrict the applications namespace the controller + manages + type: boolean + required: + - version + - mtls + type: object + status: + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml new file mode 100644 index 00000000..b6e5eac6 --- /dev/null +++ b/deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml @@ -0,0 +1,97 @@ +{{- if and .Values.rbac.enabled .Values.rbac.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "istio-operator.fullname" . }}-basic + labels: + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +spec: + fsGroup: + rule: RunAsAny + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - secret + - configMap + - emptyDir +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: psp:{{ include "istio-operator.fullname" . }}-basic + labels: + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +rules: +- apiGroups: + - policy + resourceNames: + - {{ include "istio-operator.fullname" . }}-basic + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: psp:{{ include "istio-operator.fullname" . }}-basic + labels: + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: psp:{{ include "istio-operator.fullname" . }}-basic +subjects: + - kind: ServiceAccount + name: istio-citadel-service-account + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: istio-galley-service-account + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: istio-egressgateway-service-account + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: istio-ingressgateway-service-account + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: istio-mixer-service-account + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: istio-operator-authproxy + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: istio-pilot-service-account + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: istiocoredns-service-account + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: istio-nodeagent-service-account + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: istio-operator-operator + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml index d506ee41..e25462af 100644 --- a/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml +++ b/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "istio-operator.fullname" . }}-operator + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "istio-operator.name" . }} helm.sh/chart: {{ include "istio-operator.chart" . }} diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.1-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.1-crd.yaml new file mode 100644 index 00000000..f298ccde --- /dev/null +++ b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.1-crd.yaml @@ -0,0 +1,208 @@ +{{ if eq .Values.istioVersion "1.1" }} +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: remoteistios.istio.banzaicloud.io + labels: + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +spec: + additionalPrinterColumns: + - JSONPath: .status.Status + description: Status of the resource + name: Status + type: string + - JSONPath: .status.ErrorMessage + description: Error message + name: Error + type: string + - JSONPath: .status.GatewayAddress + description: Ingress gateways of the resource + name: Gateways + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: istio.banzaicloud.io + names: + kind: RemoteIstio + plural: remoteistios + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + autoInjectionNamespaces: + description: List of namespaces to label with sidecar auto injection + enabled + items: + type: string + type: array + citadel: + description: Citadel configuration options + properties: + affinity: + type: object + caSecretName: + type: string + enabled: + type: boolean + image: + type: string + nodeSelector: + type: object + resources: + type: object + tolerations: + items: + type: object + type: array + type: object + defaultResources: + description: DefaultResources are applied for all Istio components by + default, can be overridden for each component + type: object + enabledServices: + description: EnabledServices the Istio component services replicated + to remote side + items: + properties: + labelSelector: + type: string + name: + type: string + podIPs: + items: + type: string + type: array + ports: + items: + type: object + type: array + required: + - name + type: object + type: array + excludeIPRanges: + description: ExcludeIPRanges the range where not to capture egress traffic + type: string + includeIPRanges: + description: IncludeIPRanges the range where to capture egress traffic + type: string + proxy: + description: Proxy configuration options + properties: + enableCoreDump: + description: If set, newly injected sidecars will have core dumps + enabled. + type: boolean + image: + type: string + privileged: + description: If set to true, istio-proxy container will have privileged + securityContext + type: boolean + resources: + type: object + type: object + proxyInit: + description: Proxy Init configuration options + properties: + image: + type: string + type: object + sidecarInjector: + description: SidecarInjector configuration options + properties: + affinity: + type: object + autoInjectionPolicyEnabled: + description: This controls the 'policy' in the sidecar injector + type: boolean + enabled: + type: boolean + image: + type: string + init: + properties: + resources: + type: object + type: object + initCNIConfiguration: + properties: + affinity: + type: object + binDir: + description: Must be the same as the environment’s --cni-bin-dir + setting (kubelet parameter) + type: string + confDir: + description: Must be the same as the environment’s --cni-conf-dir + setting (kubelet parameter) + type: string + enabled: + description: If true, the privileged initContainer istio-init + is not needed to perform the traffic redirect settings for + the istio-proxy + type: boolean + excludeNamespaces: + description: List of namespaces to exclude from Istio pod check + items: + type: string + type: array + image: + type: string + logLevel: + description: Logging level for CNI binary + type: string + type: object + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + rewriteAppHTTPProbe: + description: If true, sidecar injector will rewrite PodSpec for + liveness health check to redirect request to sidecar. This makes + liveness check work even when mTLS is enabled. + type: boolean + tolerations: + items: + type: object + type: array + type: object + required: + - enabledServices + type: object + status: + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.2-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.2-crd.yaml index 37741898..6df6ba72 100644 --- a/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.2-crd.yaml +++ b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.2-crd.yaml @@ -1,4 +1,4 @@ -{{ if eq .Values.istioVersion 1.2 }} +{{ if eq .Values.istioVersion "1.2" }} apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.3-crd.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.3-crd.yaml new file mode 100644 index 00000000..bb411904 --- /dev/null +++ b/deployments/helm/servicemesh/istio-operator/templates/operator-remoteistio-1.3-crd.yaml @@ -0,0 +1,369 @@ +{{ if eq .Values.istioVersion "1.3" }} +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: remoteistios.istio.banzaicloud.io + labels: + controller-tools.k8s.io: "1.0" + app.kubernetes.io/name: {{ include "istio-operator.name" . }} + helm.sh/chart: {{ include "istio-operator.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: operator +spec: + additionalPrinterColumns: + - JSONPath: .status.Status + description: Status of the resource + name: Status + type: string + - JSONPath: .status.ErrorMessage + description: Error message + name: Error + type: string + - JSONPath: .status.GatewayAddress + description: Ingress gateways of the resource + name: Gateways + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: istio.banzaicloud.io + names: + kind: RemoteIstio + plural: remoteistios + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + autoInjectionNamespaces: + description: List of namespaces to label with sidecar auto injection + enabled + items: + type: string + type: array + citadel: + description: Citadel configuration options + properties: + affinity: + type: object + caSecretName: + type: string + enableNamespacesByDefault: + description: 'Determines Citadel default behavior if the ca.istio.io/env + or ca.istio.io/override labels are not found on a given namespace. For + example: consider a namespace called "target", which has neither + the "ca.istio.io/env" nor the "ca.istio.io/override" namespace + labels. To decide whether or not to generate secrets for service + accounts created in this "target" namespace, Citadel will defer + to this option. If the value of this option is "true" in this + case, secrets will be generated for the "target" namespace. If + the value of this option is "false" Citadel will not generate + secrets upon service account creation.' + type: boolean + enabled: + type: boolean + healthCheck: + description: Enable health checking on the Citadel CSR signing API. + https://istio.io/docs/tasks/security/health-check/ + type: boolean + image: + type: string + maxWorkloadCertTTL: + description: Citadel uses a flag max-workload-cert-ttl to control + the maximum lifetime for Istio certificates issued to workloads. + The default value is 90 days. If workload-cert-ttl on Citadel + or node agent is greater than max-workload-cert-ttl, Citadel will + fail issuing the certificate. + type: string + nodeSelector: + type: object + resources: + type: object + tolerations: + items: + type: object + type: array + workloadCertTTL: + description: For the workloads running in Kubernetes, the lifetime + of their Istio certificates is controlled by the workload-cert-ttl + flag on Citadel. The default value is 90 days. This value should + be no greater than max-workload-cert-ttl of Citadel. + type: string + type: object + clusterName: + description: Should be set to the name of the cluster, this is required + for sidecar injection to properly label proxies + type: string + defaultResources: + description: DefaultResources are applied for all Istio components by + default, can be overridden for each component + type: object + enabledServices: + description: EnabledServices the Istio component services replicated + to remote side + items: + properties: + labelSelector: + type: string + name: + type: string + podIPs: + items: + type: string + type: array + ports: + items: + type: object + type: array + required: + - name + type: object + type: array + excludeIPRanges: + description: ExcludeIPRanges the range where not to capture egress traffic + type: string + includeIPRanges: + description: IncludeIPRanges the range where to capture egress traffic + type: string + proxy: + description: Proxy configuration options + properties: + accessLogEncoding: + description: Configure the access log for sidecar to JSON or TEXT. + enum: + - JSON + - TEXT + type: string + accessLogFile: + description: 'Configures the access log for each sidecar. Options: "" + - disables access log "/dev/stdout" - enables access log' + enum: + - "" + - /dev/stdout + type: string + accessLogFormat: + description: 'Configure how and what fields are displayed in sidecar + access log. Setting to empty string will result in default log + format. If accessLogEncoding is TEXT, value will be used directly + as the log format example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% + %PROTOCOL%\n" If AccessLogEncoding is JSON, value will be parsed + as map[string]string example: ''{"start_time": "%START_TIME%", + "req_method": "%REQ(:METHOD)%"}''' + type: string + componentLogLevel: + description: Per Component log level for proxy, applies to gateways + and sidecars. If a component level is not set, then the "LogLevel" + will be used. If left empty, "misc:error" is used. + type: string + coreDumpImage: + description: Image used to enable core dumps. This is only used, + when "EnableCoreDump" is set to true. + type: string + dnsRefreshRate: + description: Configure the DNS refresh rate for Envoy cluster of + type STRICT_DNS This must be given it terms of seconds. For example, + 300s is valid but 5m is invalid. + pattern: ^[0-9]{1,5}s$ + type: string + enableCoreDump: + description: If set, newly injected sidecars will have core dumps + enabled. + type: boolean + envoyAccessLogService: + properties: + enabled: + type: boolean + host: + type: string + port: + format: int32 + type: integer + tcpKeepalive: + properties: + interval: + type: string + probes: + format: int32 + type: integer + time: + type: string + type: object + tlsSettings: + properties: + caCertificates: + type: string + clientCertificate: + type: string + mode: + type: string + privateKey: + type: string + sni: + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + envoyMetricsService: + properties: + enabled: + type: boolean + host: + type: string + port: + format: int32 + type: integer + type: object + envoyStatsD: + properties: + enabled: + type: boolean + host: + type: string + port: + format: int32 + type: integer + type: object + image: + type: string + logLevel: + description: 'Log level for proxy, applies to gateways and sidecars. + If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off' + enum: + - trace + - debug + - info + - warning + - error + - critical + - "off" + type: string + privileged: + description: If set to true, istio-proxy container will have privileged + securityContext + type: boolean + protocolDetectionTimeout: + type: string + resources: + type: object + type: object + proxyInit: + description: Proxy Init configuration options + properties: + image: + type: string + type: object + sidecarInjector: + description: SidecarInjector configuration options + properties: + affinity: + type: object + alwaysInjectSelector: + description: 'AlwaysInjectSelector: Forces the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match' + items: + type: object + type: array + autoInjectionPolicyEnabled: + description: This controls the 'policy' in the sidecar injector + type: boolean + enableNamespacesByDefault: + description: This controls whether the webhook looks for namespaces + for injection enabled or disabled + type: boolean + enabled: + type: boolean + image: + type: string + init: + properties: + resources: + type: object + type: object + initCNIConfiguration: + properties: + affinity: + type: object + binDir: + description: Must be the same as the environment’s --cni-bin-dir + setting (kubelet parameter) + type: string + confDir: + description: Must be the same as the environment’s --cni-conf-dir + setting (kubelet parameter) + type: string + enabled: + description: If true, the privileged initContainer istio-init + is not needed to perform the traffic redirect settings for + the istio-proxy + type: boolean + excludeNamespaces: + description: List of namespaces to exclude from Istio pod check + items: + type: string + type: array + image: + type: string + logLevel: + description: Logging level for CNI binary + type: string + type: object + neverInjectSelector: + description: 'NeverInjectSelector: Refuses the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match Takes precedence over AlwaysInjectSelector.' + items: + type: object + type: array + nodeSelector: + type: object + replicaCount: + format: int32 + type: integer + resources: + type: object + rewriteAppHTTPProbe: + description: If true, sidecar injector will rewrite PodSpec for + liveness health check to redirect request to sidecar. This makes + liveness check work even when mTLS is enabled. + type: boolean + tolerations: + items: + type: object + type: array + type: object + required: + - enabledServices + type: object + status: + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-service.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-service.yaml index 04ffc835..bc49dcfd 100644 --- a/deployments/helm/servicemesh/istio-operator/templates/operator-service.yaml +++ b/deployments/helm/servicemesh/istio-operator/templates/operator-service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ include "istio-operator.fullname" . }}-operator" + namespace: {{ .Release.Namespace }} {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }} annotations: prometheus.io/scrape: "true" @@ -26,8 +27,12 @@ spec: app.kubernetes.io/component: operator ports: - name: https + protocol: TCP port: 443 + targetPort: 443 {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }} - name: metrics + protocol: TCP port: 8080 + targetPort: 8080 {{- end }} diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-statefulset.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-statefulset.yaml index 9e90ee80..0b59d23f 100644 --- a/deployments/helm/servicemesh/istio-operator/templates/operator-statefulset.yaml +++ b/deployments/helm/servicemesh/istio-operator/templates/operator-statefulset.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: "{{ include "istio-operator.fullname" . }}-operator" + namespace: {{ .Release.Namespace }} labels: control-plane: controller-manager controller-tools.k8s.io: "1.0" diff --git a/deployments/helm/servicemesh/istio-operator/values.yaml b/deployments/helm/servicemesh/istio-operator/values.yaml index cb937c11..f1ff6575 100644 --- a/deployments/helm/servicemesh/istio-operator/values.yaml +++ b/deployments/helm/servicemesh/istio-operator/values.yaml @@ -1,12 +1,26 @@ - - +#/*Copyright 2019 Intel Corporation, Inc +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# */ + +# Default values for istio-operator. # This is a YAML-formatted file. # Declare variables to be passed into your templates. operator: image: repository: banzaicloud/istio-operator - tag: 0.2.1 + tag: 0.3.3 pullPolicy: IfNotPresent resources: limits: @@ -16,21 +30,30 @@ operator: cpu: 100m memory: 128Mi -istioVersion: 1.2 +istioVersion: "1.3" -## Prometheus Metrics +# If you want the operator to expose the /metrics prometheusMetrics: enabled: false -# Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. + # Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy) + # which protects your /metrics endpoint. authProxy: - enabled: false + enabled: true + image: + repository: gcr.io/kubebuilder/kube-rbac-proxy + tag: v0.4.0 + pullPolicy: IfNotPresent ## Role Based Access ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ ## rbac: enabled: true + ## Pod Security Policies + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + psp: + enabled: true nameOverride: "" fullnameOverride: "" diff --git a/deployments/helm/servicemesh/istio/README.md b/deployments/helm/servicemesh/istio/README.md index 8fcba4f8..868c116a 100644 --- a/deployments/helm/servicemesh/istio/README.md +++ b/deployments/helm/servicemesh/istio/README.md @@ -17,4 +17,6 @@ # Steps for Instaling Istio with Istio- Operator # Step 1 - Add the helm chart to install Istio in sds configuration +# NOTE - Edit the namespaces in istio/istio-instance/values.yaml +# to enable istio-injection helm install istio-instance --name istio --namespace istio-system diff --git a/deployments/helm/servicemesh/istio/istio-instance/templates/istio-sds.yaml b/deployments/helm/servicemesh/istio/istio-instance/templates/istio-sds.yaml index 8c440a4e..4a8b11b2 100644 --- a/deployments/helm/servicemesh/istio/istio-instance/templates/istio-sds.yaml +++ b/deployments/helm/servicemesh/istio/istio-instance/templates/istio-sds.yaml @@ -29,8 +29,7 @@ spec: sds: enabled: {{ .Values.spec.sds.enabled }} udsPath: {{ .Values.spec.sds.udsPath | quote }} - useTrustworthyJwt: {{ .Values.spec.sds.useTrustworthyJwt }} - useNormalJwt: {{ .Values.spec.sds.useNormalJwt }} + tokenAudience: {{ .Values.spec.sds.tokenAudience | quote}} gateways: enabled: {{ .Values.spec.gateways.enabled }} ingress: diff --git a/deployments/helm/servicemesh/istio/istio-instance/values.yaml b/deployments/helm/servicemesh/istio/istio-instance/values.yaml index 091999ac..dd77ef1b 100644 --- a/deployments/helm/servicemesh/istio/istio-instance/values.yaml +++ b/deployments/helm/servicemesh/istio/istio-instance/values.yaml @@ -15,25 +15,25 @@ # * limitations under the License. # */ #Declare variables to be passed into Istio SDS template file. +#NOTE : EDit the namespace for which you need Istio injection metadata: name: "istio-sample" spec: - version: "1.2.2" + version: "1.3.3" mtls: true autoInjectionNamespaces: - - + - "default" sds: enabled: true udsPath: "unix:/var/run/sds/uds_path" - useTrustworthyJwt: false - useNormalJwt: true + tokenAudience: "istio-ca" gateways: enabled: true ingress: enabled: true sds: enabled: true - image: "docker.io/istio/node-agent-k8s:1.2.2" + image: "docker.io/istio/node-agent-k8s:1.3.3" nodeAgent: enabled: true - image : "docker.io/istio/node-agent-k8s:1.2.2" + image : "docker.io/istio/node-agent-k8s:1.3.3" -- cgit 1.2.3-korg