bump istio chart from 1.3.3 to 1.4.3 (#368)
Co-authored-by: Alejandro Escobar <[email protected]>
GoelDeepak and alejandroEsc committed Jan 20, 2020
1 parent 060b51c commit ff6efb9
Showing 69 changed files with 5,427 additions and 787 deletions.
4 changes: 2 additions & 2 deletions staging/istio/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
name: istio
version: 1.3.5
appVersion: 1.3.3
version: 1.4.3
appVersion: 1.4.3
tillerVersion: ">=2.7.2-0"
description: Helm chart for all istio components
keywords:
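Review bot: `version` and `appVersion` now carry the same value (1.4.3), whereas the previous pair (1.3.5 against 1.3.3) let the chart revision move independently of the Istio release; any later chart-only fix on top of 1.4.3 needs its own `version` bump so the packaged chart stays distinguishable. The commit title's "from 1.3.3" matches the `appVersion` line only, so the chart version change (1.3.5 to 1.4.3) is worth stating in the message as well.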
91 changes: 50 additions & 41 deletions staging/istio/README.md
Expand Up @@ -2,8 +2,6 @@

[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.



The documentation here is for developers only, please follow the installation instructions from [istio.io](https://istio.io/docs/setup/kubernetes/install/helm/) for all other uses.

## Introduction
Expand Down Expand Up @@ -41,23 +39,27 @@ The chart deploys pods that consume minimum resources as specified in the resour
## Installing the Chart

1. If a service account has not already been installed for Tiller, install one:
```

```bash
$ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
```

1. Install Tiller on your cluster with the service account:
```

```bash
$ helm init --service-account tiller
```

1. Set and create the namespace where Istio was installed:
```

```bash
$ NAMESPACE=istio-system
$ kubectl create ns $NAMESPACE
```

1. If you are enabling `kiali`, you need to create the secret that contains the username and passphrase for `kiali` dashboard:
```

```bash
$ echo -n 'admin' | base64
YWRtaW4=
$ echo -n '1f2d1e2e67df' | base64
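Review bot: the `kiali` secret step keeps the literal credentials `admin` / `1f2d1e2e67df` in the block this hunk re-fences, and readers tend to paste such blocks unchanged; since base64 is an encoding and not protection, suggest replacing the values with placeholders (or a generated passphrase) and saying so in the step text. Separately, the new `bash` tag is applied to blocks that mix `$` prompts with command output such as `YWRtaW4=`, so a copy-paste will not run as-is; either drop the prompts and output or tag these as console sessions. The context line "Set and create the namespace where Istio was installed" also reads wrong for an install step ("will be installed").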
Expand All @@ -80,45 +82,50 @@ The chart deploys pods that consume minimum resources as specified in the resour
1. If you are using security mode for Grafana, create the secret first as follows:
- Encode username, you can change the username to the name as you want:
```
$ echo -n 'admin' | base64
YWRtaW4=
```
```bash
$ echo -n 'admin' | base64
YWRtaW4=
```
- Encode passphrase, you can change the passphrase to the passphrase as you want:
```
$ echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
```
```bash
$ echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
```
- Create secret for Grafana:
```
$ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: grafana
namespace: $NAMESPACE
labels:
app: grafana
type: Opaque
data:
username: YWRtaW4=
passphrase: MWYyZDFlMmU2N2Rm
EOF
```
```bash
$ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: grafana
namespace: $NAMESPACE
labels:
app: grafana
type: Opaque
data:
username: YWRtaW4=
passphrase: MWYyZDFlMmU2N2Rm
EOF
```
1. To install the chart with the release name `istio` in namespace $NAMESPACE you defined above:
- With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0):
```
$ helm install istio --name istio --namespace $NAMESPACE
```
```bash
$ helm install istio --name istio --namespace $NAMESPACE
```
- Without the sidecar injection webhook:
```
$ helm install istio --name istio --namespace $NAMESPACE --set sidecarInjectorWebhook.enabled=false
```
```bash
$ helm install istio --name istio --namespace $NAMESPACE --set sidecarInjectorWebhook.enabled=false
```
## Configuration
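Review bot: in the "Create secret for Grafana" block the `data:` values are the encoded forms of the example `admin` / `1f2d1e2e67df`, yet the two bullets before it invite the reader to choose their own username and passphrase, and nothing tells them to substitute their own output into `username:` and `passphrase:`. Suggest placeholders in the manifest with an explicit instruction to paste the reader's own encoded values. The heredoc is unquoted, so `$NAMESPACE` is expanded by the shell and the earlier `NAMESPACE=` step must have run in the same session; one sentence saying so would prevent a secret landing in the wrong namespace.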
Expand All @@ -130,11 +137,13 @@ Helm charts expose configuration options which are currently in alpha. The curr
## Uninstalling the Chart
To uninstall/delete the `istio` release but continue to track the release:
```
$ helm delete istio
```
```bash
$ helm delete istio
```
To uninstall/delete the `istio` release completely and make its name free for later use:
```
$ helm delete --purge istio
```
```bash
$ helm delete --purge istio
```
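Review bot: the uninstall section stops at `helm delete --purge istio`, but the install steps above create objects with `kubectl` outside the release (the `$NAMESPACE` namespace and the `kiali` and `grafana` secrets), and as far as these steps show those are left behind after the purge, credentials included. Suggest adding a cleanup step for them after the purge command.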
4 changes: 2 additions & 2 deletions staging/istio/charts/galley/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
name: galley
version: 1.3.3
appVersion: 1.3.3
version: 1.4.3
appVersion: 1.4.3
tillerVersion: ">=2.7.2"
description: Helm chart for galley deployment
keywords:
32 changes: 20 additions & 12 deletions staging/istio/charts/galley/templates/clusterrole.yaml
Expand Up @@ -8,21 +8,29 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
# For reading Istio resources
- apiGroups: [
"authentication.istio.io",
"config.istio.io",
"networking.istio.io",
"rbac.istio.io",
"security.istio.io"]
resources: ["*"]
verbs: ["get", "list", "watch"]
# For updating Istio resource statuses
- apiGroups: [
"authentication.istio.io",
"config.istio.io",
"networking.istio.io",
"rbac.istio.io",
"security.istio.io"]
resources: ["*/status"]
verbs: ["update"]
{{- if not .Values.global.operatorManageWebhooks }}
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["*"]
- apiGroups: ["config.istio.io"] # istio mixer CRD watcher
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.istio.io"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.istio.io"]
resources: ["*"]
verbs: ["get", "list", "watch"]
{{- end }}
- apiGroups: ["extensions","apps"]
resources: ["deployments"]
resourceNames: ["istio-galley"]
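Review bot: the rule under `# For updating Istio resource statuses` grants `update` on `*/status` across all five Istio API groups unconditionally, while the galley `values.yaml` in this commit describes status updates as part of `enableAnalysis`, which defaults to `false`. Suggest wrapping that rule in `{{- if .Values.enableAnalysis }}` so the write permission exists only when the feature is on. The `validatingwebhookconfigurations` rule now inside the `operatorManageWebhooks` guard still uses `verbs: ["*"]` with no `resourceNames`; listing the verbs Galley actually needs would tighten it further.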
33 changes: 31 additions & 2 deletions staging/istio/charts/galley/templates/deployment.yaml
Expand Up @@ -24,10 +24,13 @@ spec:
app: {{ template "galley.name" . }}
chart: {{ template "galley.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
release: {{ .Release.Name }}
istio: galley
annotations:
sidecar.istio.io/inject: "false"
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: istio-galley-service-account
{{- if .Values.global.priorityClassName }}
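Review bot: `toYaml .Values.podAnnotations` is emitted directly after the fixed `sidecar.istio.io/inject: "false"` entry, so a values file that sets the same key renders a duplicate key in the annotations map and the effective injection setting for Galley becomes parser-dependent. Suggest either documenting that this key is reserved or dropping it from the user map before rendering (for example with `omit`). The two `release: {{ .Release.Name }}` lines appear identical here, so that change is whitespace-only; confirm it removes trailing whitespace rather than adding it.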
Expand Down Expand Up @@ -59,22 +62,43 @@ spec:
{{- else }}
- --insecure=true
{{- end }}
{{- if .Values.enableServiceDiscovery }}
- --enableServiceDiscovery=true
{{- end }}
{{- if not $.Values.global.useMCP }}
- --enable-server=false
{{- end }}
{{- if not $.Values.global.configValidation }}
- --enable-validation=false
{{- end }}
{{- if .Values.global.operatorManageWebhooks }}
- --enable-reconcileWebhookConfiguration=false
{{- else }}
- --enable-reconcileWebhookConfiguration=true
{{- end }}
- --validation-webhook-config-file
- /etc/config/validatingwebhookconfiguration.yaml
- --monitoringPort={{ .Values.global.monitoringPort }}
{{- if $.Values.global.logging.level }}
- --log_output_level={{ $.Values.global.logging.level }}
{{- end}}
{{- if .Values.enableAnalysis }}
- --enableAnalysis=true
{{- end }}
{{- if .Values.global.certificates }}
- --validation.tls.clientCertificate=/etc/dnscerts/cert-chain.pem
- --validation.tls.privateKey=/etc/dnscerts/key.pem
- --validation.tls.caCertificates=/etc/dnscerts/root-cert.pem
{{- end }}
volumeMounts:
- name: certs
mountPath: /etc/certs
readOnly: true
{{- if .Values.global.certificates }}
- name: dnscerts
mountPath: /etc/dnscerts
readOnly: true
{{- end }}
- name: config
mountPath: /etc/config
readOnly: true
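Review bot: the `operatorManageWebhooks` block emits `--enable-reconcileWebhookConfiguration` in both branches, so the if/else can collapse to a single argument, `- --enable-reconcileWebhookConfiguration={{ not .Values.global.operatorManageWebhooks }}`, which keeps the flag and the ClusterRole guard visibly tied to one value. Style points in the same hunk: `{{- end}}` after the logging block lacks the space used everywhere else, and the args mix `$.Values` and `.Values` for the same scope.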
Expand Down Expand Up @@ -109,6 +133,11 @@ spec:
- name: certs
secret:
secretName: istio.istio-galley-service-account
{{- if .Values.global.certificates }}
- name: dnscerts
secret:
secretName: dns.istio-galley-service-account
{{- end }}
- name: config
configMap:
name: istio-galley-configuration
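Review bot: the `dnscerts` volume references the fixed secret name `dns.istio-galley-service-account` without `optional: true`, so with `global.certificates` set and that secret absent the Galley pod cannot start because the volume mount fails. None of the hunks shown on this page create the secret or say who does; suggest stating the prerequisite in the chart README or in a values comment. The condition tests only that `global.certificates` is set, so it is also worth confirming that any value of it implies this secret exists.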
Expand All @@ -124,4 +153,4 @@ spec:
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,15 @@ webhooks:
- "*"
resources:
- "*"
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
apiVersions:
- "*"
resources:
- "*"
- operations:
- CREATE
- UPDATE
7 changes: 7 additions & 0 deletions staging/istio/charts/galley/values.yaml
Expand Up @@ -8,6 +8,7 @@ rollingMaxUnavailable: 25%
image: galley
nodeSelector: {}
tolerations: []
podAnnotations: {}

# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
Expand All @@ -29,3 +30,9 @@ tolerations: []
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []

# Enable service discovery processing in Galley
enableServiceDiscovery: false

# Enable analysis and status update in Galley
enableAnalysis: false
4 changes: 2 additions & 2 deletions staging/istio/charts/gateways/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
name: gateways
version: 1.3.3
appVersion: 1.3.3
version: 1.4.3
appVersion: 1.4.3
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords: