From ff6efb972444391839c9b88f3a0c7eed0c483b3a Mon Sep 17 00:00:00 2001 
From: Deepak Goel Date: Mon, 20 Jan 2020 12:13:15 -0800 Subject: [PATCH] bump istio chart from 1.3.3 to 1.4.3 (#368) Co-authored-by: Alejandro Escobar --- staging/istio/Chart.yaml | 4 +- staging/istio/README.md | 91 +- staging/istio/charts/galley/Chart.yaml | 4 +- .../charts/galley/templates/clusterrole.yaml | 32 +- .../charts/galley/templates/deployment.yaml | 33 +- .../validatingwebhookconfiguration.yaml.tpl | 9 + staging/istio/charts/galley/values.yaml | 7 + staging/istio/charts/gateways/Chart.yaml | 4 +- .../charts/gateways/templates/deployment.yaml | 105 +- .../gateways/templates/preconfigured.yaml | 6 +- staging/istio/charts/grafana/Chart.yaml | 4 +- .../grafana/dashboards/galley-dashboard.json | 89 +- staging/istio/charts/istio-init/Chart.yaml | 4 +- staging/istio/charts/istio-init/README.md | 19 +- .../istio/charts/istio-init/files/crd-10.yaml | 4715 ++++++++++++++++- .../istio/charts/istio-init/files/crd-11.yaml | 114 +- .../istio/charts/istio-init/files/crd-12.yaml | 26 - .../istio/charts/istio-init/files/crd-14.yaml | 137 + .../templates/configmap-crd-12.yaml | 8 - .../templates/configmap-crd-14.yaml | 8 + .../templates/{crd-12.yaml => crd-14.yaml} | 4 +- .../istio-init/templates/job-crd-10.yaml | 4 + .../istio-init/templates/job-crd-11.yaml | 4 + .../istio-init/templates/job-crd-12.yaml | 26 - .../istio-init/templates/job-crd-14.yaml | 30 + .../istio-init/templates/serviceaccount.yaml | 1 + staging/istio/charts/istio-init/values.yaml | 13 +- staging/istio/charts/istiocoredns/Chart.yaml | 2 +- .../istiocoredns/templates/configmap.yaml | 10 +- .../istiocoredns/templates/deployment.yaml | 5 +- staging/istio/charts/istiocoredns/values.yaml | 4 +- staging/istio/charts/kiali/Chart.yaml | 4 +- .../charts/kiali/templates/clusterrole.yaml | 161 +- .../charts/kiali/templates/configmap.yaml | 2 + .../charts/kiali/templates/deployment.yaml | 3 + staging/istio/charts/kiali/values.yaml | 5 +- staging/istio/charts/mixer/Chart.yaml | 4 +- 
.../istio/charts/mixer/templates/config.yaml | 30 +- .../charts/mixer/templates/deployment.yaml | 29 + staging/istio/charts/mixer/values.yaml | 1 - staging/istio/charts/pilot/Chart.yaml | 4 +- .../charts/pilot/templates/clusterrole.yaml | 14 +- .../charts/pilot/templates/configmap.yaml | 14 + .../charts/pilot/templates/deployment.yaml | 25 +- staging/istio/charts/pilot/values.yaml | 9 +- staging/istio/charts/prometheus/Chart.yaml | 4 +- staging/istio/charts/security/Chart.yaml | 4 +- .../create-custom-resources-job.yaml | 8 +- .../charts/security/templates/deployment.yaml | 9 + .../istio/charts/security/templates/job.yaml | 4 +- .../templates/poddisruptionbudget.yaml | 22 + staging/istio/charts/security/values.yaml | 4 + .../charts/sidecarInjectorWebhook/Chart.yaml | 4 +- .../templates/clusterrole.yaml | 2 + .../templates/deployment.yaml | 12 + .../templates/mutatingwebhook.yaml | 3 +- .../templates/poddisruptionbudget.yaml | 2 +- .../charts/sidecarInjectorWebhook/values.yaml | 17 +- staging/istio/charts/tracing/Chart.yaml | 2 +- .../tracing/templates/deployment-jaeger.yaml | 16 +- .../tracing/templates/deployment-zipkin.yaml | 3 + .../tracing/templates/service-jaeger.yaml | 4 + .../charts/tracing/templates/service.yaml | 10 +- staging/istio/charts/tracing/values.yaml | 7 +- staging/istio/files/injection-template.yaml | 98 +- staging/istio/templates/_helpers.tpl | 7 - staging/istio/templates/configmap.yaml | 54 +- .../templates/sidecar-injector-configmap.yaml | 4 + staging/istio/values.yaml | 87 +- 69 files changed, 5427 insertions(+), 787 deletions(-) delete mode 100644 staging/istio/charts/istio-init/files/crd-12.yaml create mode 100644 staging/istio/charts/istio-init/files/crd-14.yaml delete mode 100644 staging/istio/charts/istio-init/templates/configmap-crd-12.yaml create mode 100644 staging/istio/charts/istio-init/templates/configmap-crd-14.yaml rename staging/istio/charts/istio-init/templates/{crd-12.yaml => crd-14.yaml} (61%) delete mode 100644 
staging/istio/charts/istio-init/templates/job-crd-12.yaml create mode 100644 staging/istio/charts/istio-init/templates/job-crd-14.yaml create mode 100644 staging/istio/charts/pilot/templates/configmap.yaml create mode 100644 staging/istio/charts/security/templates/poddisruptionbudget.yaml diff --git a/staging/istio/Chart.yaml b/staging/istio/Chart.yaml index 448169ef8..86931041e 100644 --- a/staging/istio/Chart.yaml +++ b/staging/istio/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: istio -version: 1.3.5 -appVersion: 1.3.3 +version: 1.4.3 +appVersion: 1.4.3 tillerVersion: ">=2.7.2-0" description: Helm chart for all istio components keywords: diff --git a/staging/istio/README.md b/staging/istio/README.md index de67ba20b..f7f35cc17 100644 --- a/staging/istio/README.md +++ b/staging/istio/README.md @@ -2,8 +2,6 @@ [Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. - - The documentation here is for developers only, please follow the installation instructions from [istio.io](https://istio.io/docs/setup/kubernetes/install/helm/) for all other uses. ## Introduction @@ -41,23 +39,27 @@ The chart deploys pods that consume minimum resources as specified in the resour ## Installing the Chart 1. If a service account has not already been installed for Tiller, install one: - ``` + + ```bash $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml ``` 1. Install Tiller on your cluster with the service account: - ``` + + ```bash $ helm init --service-account tiller ``` 1. Set and create the namespace where Istio was installed: - ``` + + ```bash $ NAMESPACE=istio-system $ kubectl create ns $NAMESPACE ``` 1. If you are enabling `kiali`, you need to create the secret that contains the username and passphrase for `kiali` dashboard: - ``` + + ```bash $ echo -n 'admin' | base64 YWRtaW4= $ echo -n '1f2d1e2e67df' | base64 
@@ -80,45 +82,50 @@ The chart deploys pods that consume minimum resources as specified in the resour 1. If you are using security mode for Grafana, create the secret first as follows: - Encode username, you can change the username to the name as you want: - ``` - $ echo -n 'admin' | base64 - YWRtaW4= - ``` + + ```bash + $ echo -n 'admin' | base64 + YWRtaW4= + ``` - Encode passphrase, you can change the passphrase to the passphrase as you want: - ``` - $ echo -n '1f2d1e2e67df' | base64 - MWYyZDFlMmU2N2Rm - ``` + + ```bash + $ echo -n '1f2d1e2e67df' | base64 + MWYyZDFlMmU2N2Rm + ``` - Create secret for Grafana: - ``` - $ cat <=1.9.0): - ``` - $ helm install istio --name istio --namespace $NAMESPACE - ``` + + ```bash + $ helm install istio --name istio --namespace $NAMESPACE + ``` - Without the sidecar injection webhook: - ``` - $ helm install istio --name istio --namespace $NAMESPACE --set sidecarInjectorWebhook.enabled=false - ``` + + ```bash + $ helm install istio --name istio --namespace $NAMESPACE --set sidecarInjectorWebhook.enabled=false + ``` ## Configuration @@ -130,11 +137,13 @@ Helm charts expose configuration options which are currently in alpha. The curr ## Uninstalling the Chart To uninstall/delete the `istio` release but continue to track the release: - ``` - $ helm delete istio - ``` + +```bash +$ helm delete istio +``` To uninstall/delete the `istio` release completely and make its name free for later use: - ``` - $ helm delete --purge istio - ``` + +```bash +$ helm delete --purge istio +``` diff --git a/staging/istio/charts/galley/Chart.yaml b/staging/istio/charts/galley/Chart.yaml index 0070f08ed..fa45a9d01 100644 --- a/staging/istio/charts/galley/Chart.yaml +++ b/staging/istio/charts/galley/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: galley -version: 1.3.3 -appVersion: 1.3.3 +version: 1.4.3 +appVersion: 1.4.3 tillerVersion: ">=2.7.2" description: Helm chart for galley deployment keywords: 
diff --git a/staging/istio/charts/galley/templates/clusterrole.yaml b/staging/istio/charts/galley/templates/clusterrole.yaml index 8abc797ac..427a50463 100644 --- a/staging/istio/charts/galley/templates/clusterrole.yaml +++ b/staging/istio/charts/galley/templates/clusterrole.yaml @@ -8,21 +8,29 @@ metadata: heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: + # For reading Istio resources +- apiGroups: [ + "authentication.istio.io", + "config.istio.io", + "networking.istio.io", + "rbac.istio.io", + "security.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] + # For updating Istio resource statuses +- apiGroups: [ + "authentication.istio.io", + "config.istio.io", + "networking.istio.io", + "rbac.istio.io", + "security.istio.io"] + resources: ["*/status"] + verbs: ["update"] +{{- if not .Values.global.operatorManageWebhooks }} - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations"] verbs: ["*"] -- apiGroups: ["config.istio.io"] # istio mixer CRD watcher - resources: ["*"] - verbs: ["get", "list", "watch"] -- apiGroups: ["networking.istio.io"] - resources: ["*"] - verbs: ["get", "list", "watch"] -- apiGroups: ["authentication.istio.io"] - resources: ["*"] - verbs: ["get", "list", "watch"] -- apiGroups: ["rbac.istio.io"] - resources: ["*"] - verbs: ["get", "list", "watch"] +{{- end }} - apiGroups: ["extensions","apps"] resources: ["deployments"] resourceNames: ["istio-galley"] diff --git a/staging/istio/charts/galley/templates/deployment.yaml b/staging/istio/charts/galley/templates/deployment.yaml index af417ee8e..942268633 100644 --- a/staging/istio/charts/galley/templates/deployment.yaml +++ b/staging/istio/charts/galley/templates/deployment.yaml 
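Review bot: The rule granting `verbs: ["*"]` on `validatingwebhookconfigurations` stays cluster-wide and unscoped by name after this change, while the deployments rule a few lines below pins `resourceNames: ["istio-galley"]`. Since the chart manages its own webhook configuration (see `validatingwebhookconfiguration.yaml.tpl` in this patch), the `get`/`update`/`patch`/`delete` verbs could be narrowed with `resourceNames` in a separate rule; `create` cannot be name-scoped in Kubernetes RBAC, so it needs its own unscoped entry, and a comment such as `# create cannot be restricted by resourceNames; other verbs are pinned to the chart's webhook config` would explain the split. As a point of style, the two new multi-line flow sequences close the bracket on the last element line (`"security.istio.io"]`), and their `# For reading Istio resources` comments are indented deeper than the `- apiGroups` items they describe; block lists at the item indent would match the rest of the file. The `rules:` list continues past the end of the hunk.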
@@ -24,10 +24,13 @@ spec: app: {{ template "galley.name" . }} chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} - release: {{ .Release.Name }} + release: {{ .Release.Name }} istio: galley annotations: sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} spec: serviceAccountName: istio-galley-service-account {{- if .Values.global.priorityClassName }} @@ -59,11 +62,19 @@ spec: {{- else }} - --insecure=true {{- end }} +{{- if .Values.enableServiceDiscovery }} + - --enableServiceDiscovery=true +{{- end }} {{- if not $.Values.global.useMCP }} - --enable-server=false {{- end }} {{- if not $.Values.global.configValidation }} - --enable-validation=false +{{- end }} +{{- if .Values.global.operatorManageWebhooks }} + - --enable-reconcileWebhookConfiguration=false +{{- else }} + - --enable-reconcileWebhookConfiguration=true {{- end }} - --validation-webhook-config-file - /etc/config/validatingwebhookconfiguration.yaml @@ -71,10 +82,23 @@ spec: {{- if $.Values.global.logging.level }} - --log_output_level={{ $.Values.global.logging.level }} {{- end}} +{{- if .Values.enableAnalysis }} + - --enableAnalysis=true +{{- end }} +{{- if .Values.global.certificates }} + - --validation.tls.clientCertificate=/etc/dnscerts/cert-chain.pem + - --validation.tls.privateKey=/etc/dnscerts/key.pem + - --validation.tls.caCertificates=/etc/dnscerts/root-cert.pem +{{- end }} volumeMounts: - name: certs mountPath: /etc/certs readOnly: true +{{- if .Values.global.certificates }} + - name: dnscerts + mountPath: /etc/dnscerts + readOnly: true +{{- end }} - name: config mountPath: /etc/config readOnly: true @@ -109,6 +133,11 @@ spec: - name: certs secret: secretName: istio.istio-galley-service-account +{{- if .Values.global.certificates }} + - name: dnscerts + secret: + secretName: dns.istio-galley-service-account +{{- end }} - name: config configMap: name: istio-galley-configuration 
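Review bot: The new `dnscerts` volume references `secretName: dns.istio-galley-service-account` without `optional: true`, so when `global.certificates` is set and that Secret is not present the pod will not start until it appears; the analogous `lightstep-certs` volume added to the gateways chart in this same patch is marked optional. If the Secret is issued by another part of the chart (not visible here) and a hard dependency is intended, a comment above the volume — `# issued when global.certificates is set; the pod blocks until this Secret exists` — would record that, otherwise `optional: true` is the fix, bearing in mind the `--validation.tls.*` flags in the earlier hunk would then point at missing files. The `{{- if .Values.enableServiceDiscovery }}` / `{{- if .Values.global.certificates }}` guards sit at column 0 while the `{{- if .Values.podAnnotations }}` guard in the first hunk is indented; the `{{-` trim makes the output identical, but one convention per file reads better. The container `args:` and pod `volumes:` lists both extend outside these hunks.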
@@ -124,4 +153,4 @@ spec: {{- else if .Values.global.defaultTolerations }} tolerations: {{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} + {{- end }} \ No newline at end of file diff --git a/staging/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl b/staging/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl index ce68fb8a5..253fd2156 100644 --- a/staging/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl +++ b/staging/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl @@ -39,6 +39,15 @@ webhooks: - "*" resources: - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + apiVersions: + - "*" + resources: + - "*" - operations: - CREATE - UPDATE diff --git a/staging/istio/charts/galley/values.yaml b/staging/istio/charts/galley/values.yaml index a1d3a8e77..1dc415a8c 100644 --- a/staging/istio/charts/galley/values.yaml +++ b/staging/istio/charts/galley/values.yaml @@ -8,6 +8,7 @@ rollingMaxUnavailable: 25% image: galley nodeSelector: {} tolerations: [] +podAnnotations: {} # Specify the pod anti-affinity that allows you to constrain which nodes # your pod is eligible to be scheduled based on labels on pods that are @@ -29,3 +30,9 @@ tolerations: [] # "security" and value "S1". podAntiAffinityLabelSelector: [] podAntiAffinityTermLabelSelector: [] + +# Enable service discovery processing in Galley +enableServiceDiscovery: false + +# Enable analysis and status update in Galley +enableAnalysis: false diff --git a/staging/istio/charts/gateways/Chart.yaml b/staging/istio/charts/gateways/Chart.yaml index 8391581d1..c02701885 100644 --- a/staging/istio/charts/gateways/Chart.yaml +++ b/staging/istio/charts/gateways/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: gateways -version: 1.3.3 -appVersion: 1.3.3 +version: 1.4.3 +appVersion: 1.4.3 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: 
diff --git a/staging/istio/charts/gateways/templates/deployment.yaml b/staging/istio/charts/gateways/templates/deployment.yaml index 4dcdef778..ca7eb1673 100644 --- a/staging/istio/charts/gateways/templates/deployment.yaml +++ b/staging/istio/charts/gateways/templates/deployment.yaml @@ -1,18 +1,15 @@ {{- range $key, $spec := .Values }} {{- if ne $key "enabled" }} {{- if $spec.enabled }} + +{{- $labels := merge (dict "release" $.Release.Name "chart" (include "gateway.chart" $) "heritage" $.Release.Service) $spec.labels }} apiVersion: apps/v1 kind: Deployment metadata: name: {{ $key }} namespace: {{ $spec.namespace | default $.Release.Namespace }} labels: - chart: {{ template "gateway.chart" $ }} - heritage: {{ $.Release.Service }} - release: {{ $.Release.Name }} - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} +{{ $labels | toYaml | indent 4 }} spec: {{- if not $spec.autoscaleEnabled }} {{- if $spec.replicaCount }} @@ -33,12 +30,7 @@ spec: template: metadata: labels: - chart: {{ template "gateway.chart" $ }} - heritage: {{ $.Release.Service }} - release: {{ $.Release.Name }} - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} +{{ $labels | toYaml | indent 8 }} annotations: sidecar.istio.io/inject: "false" {{- if $spec.podAnnotations }} 
@@ -129,22 +121,37 @@ spec: - '10s' #connectTimeout - --serviceCluster - {{ $key }} + {{- if eq $.Values.global.proxy.tracer "lightstep" }} + - --lightstepAddress + - {{ $.Values.global.tracer.lightstep.address }} + - --lightstepAccessToken + - {{ $.Values.global.tracer.lightstep.accessToken }} + - --lightstepSecure={{ $.Values.global.tracer.lightstep.secure }} + - --lightstepCacertPath + - {{ $.Values.global.tracer.lightstep.cacertPath }} + {{- else if eq $.Values.global.proxy.tracer "zipkin" }} - --zipkinAddress - {{- if $.Values.global.tracer.zipkin.address }} + {{- if $.Values.global.tracer.zipkin.address }} - {{ $.Values.global.tracer.zipkin.address }} - {{- else if $.Values.global.istioNamespace }} + {{- else if $.Values.global.istioNamespace }} - zipkin.{{ $.Values.global.istioNamespace }}:9411 - {{- else }} + {{- else }} - zipkin:9411 + {{- end }} + {{- else if eq $.Values.global.proxy.tracer "datadog" }} + - --datadogAgentAddress + - {{ $.Values.global.tracer.datadog.address }} {{- end }} {{- if $.Values.global.proxy.envoyStatsd.enabled }} - --statsdUdpAddress - {{ $.Values.global.proxy.envoyStatsd.host }}:{{ $.Values.global.proxy.envoyStatsd.port }} {{- end }} {{- if $.Values.global.proxy.envoyMetricsService.enabled }} - - --envoyMetricsServiceAddress - - {{ $.Values.global.proxy.envoyMetricsService.host }}:{{ $.Values.global.proxy.envoyMetricsService.port }} - {{- end }} + - --envoyMetricsService + {{- with $.Values.global.proxy.envoyMetricsService }} + - '{"address":"{{ .host }}:{{.port }}"{{ if .tlsSettings }},"tlsSettings":{{ .tlsSettings | toJson }}{{- end }}{{ if .tcpKeepalive }},"tcpKeepalive":{{ .tcpKeepalive | toJson }}{{- end }}}' + {{- end }} + {{- end}} {{- if $.Values.global.proxy.envoyAccessLogService.enabled }} - --envoyAccessLogService {{- with $.Values.global.proxy.envoyAccessLogService }} 
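Review bot: `--lightstepAccessToken` passes `global.tracer.lightstep.accessToken` as a plain container argument, so the credential is written into the rendered Deployment spec and the proxy's command line, where anyone with `get pods` in the namespace, or access to the node process list, can read it. A Secret-backed `valueFrom.secretKeyRef` env var would keep it out of the manifest if the proxy can take the token from the environment or a file; that capability is not visible in this hunk, so at minimum the values.yaml entry should carry a comment stating the token is exposed in the pod spec. The new `- {{ $.Values.global.tracer.lightstep.address }}`, `cacertPath` and `datadog.address` lines are also emitted unquoted; a value containing `: ` or starting with a YAML indicator breaks the rendered manifest, so render them as `- {{ $.Values.global.tracer.lightstep.address | quote }}`. The container `args:` list begins and ends outside the hunk.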
@@ -226,7 +233,11 @@ spec: - name: SERVICE_ACCOUNT valueFrom: fieldRef: - fieldPath: spec.serviceAccountName + fieldPath: spec.serviceAccountName + {{- if $.Values.global.mtls.auto }} + - name: ISTIO_AUTO_MTLS_ENABLED + value: "true" + {{- end }} - name: ISTIO_META_POD_NAME valueFrom: fieldRef: 
@@ -236,12 +247,48 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: ISTIO_METAJSON_LABELS + value: | + {{ $labels | toJson}} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - name: SDS_ENABLED value: "{{ $.Values.global.sds.enabled }}" - name: ISTIO_META_WORKLOAD_NAME value: {{ $key }} - name: ISTIO_META_OWNER - value: kubernetes://api/apps/v1/namespaces/{{ $spec.namespace | default $.Release.Namespace }}/deployments/{{ $key }} + value: kubernetes://apis/apps/v1/namespaces/{{ $spec.namespace | default $.Release.Namespace }}/deployments/{{ $key }} + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if $.Values.global.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.trustDomain }}" + {{- end }} + {{- if eq $.Values.global.proxy.tracer "datadog" }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- end }} + {{- if eq $.Values.global.proxy.tracer "stackdriver" }} + - name: STACKDRIVER_TRACING_ENABLED + value: "true" + - name: STACKDRIVER_TRACING_DEBUG + value: "{{ $.Values.global.tracer.stackdriver.debug }}" + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} + - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS + value: "{{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}" + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} + - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES + value: "{{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}" + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} + - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS + value: "{{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}" + {{- end }} + {{- end }} {{- if $spec.sds }} {{- if $spec.sds.enabled }} - name: ISTIO_META_USER_SDS 
@@ -254,6 +301,13 @@ spec: value: {{ $val }} {{- end }} {{- end }} + {{ if eq $key "istio-ingressgateway" }} + {{ $network_set := index $spec.env "ISTIO_META_NETWORK" }} + {{- if and (not $network_set) $.Values.global.network }} + - name: ISTIO_META_NETWORK + value: {{ $.Values.global.network }} + {{- end }} + {{- end }} volumeMounts: {{- if $.Values.global.sds.enabled }} - name: sdsudspath @@ -276,6 +330,11 @@ spec: mountPath: {{ .mountPath | quote }} readOnly: true {{- end }} + {{- if and (eq $.Values.global.proxy.tracer "lightstep") $.Values.global.tracer.lightstep.cacertPath }} + - mountPath: {{ dir $.Values.global.tracer.lightstep.cacertPath }} + name: lightstep-certs + readOnly: true + {{- end }} {{- if $spec.additionalContainers }} {{ toYaml $spec.additionalContainers | indent 8 }} {{- end }} @@ -314,6 +373,12 @@ spec: name: {{ .configMapName | quote }} optional: true {{- end }} + {{- if and (eq $.Values.global.proxy.tracer "lightstep") $.Values.global.tracer.lightstep.cacertPath }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} affinity: {{- include "gatewaynodeaffinity" (dict "root" $ "nodeSelector" $spec.nodeSelector) | indent 6 }} {{- include "gatewaypodAntiAffinity" (dict "podAntiAffinityLabelSelector" $spec.podAntiAffinityLabelSelector "podAntiAffinityTermLabelSelector" $spec.podAntiAffinityTermLabelSelector) | indent 6 }} diff --git a/staging/istio/charts/gateways/templates/preconfigured.yaml b/staging/istio/charts/gateways/templates/preconfigured.yaml index 8d3dee930..31e431db7 100644 --- a/staging/istio/charts/gateways/templates/preconfigured.yaml +++ b/staging/istio/charts/gateways/templates/preconfigured.yaml 
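Review bot: In the new `ISTIO_META_NETWORK` block, `value: {{ $.Values.global.network }}` is emitted unquoted; env values must be strings, so a network name that parses as a number or boolean is rejected by the API server — use `value: {{ $.Values.global.network | quote }}` as the other env entries added in this file do. `{{ $network_set := index $spec.env "ISTIO_META_NETWORK" }}` appears to assume `$spec.env` is always a map; if a gateway's values omit `env`, `index` on a nil value fails at render time, which is worth confirming against the gateways values.yaml or guarding with `{{- if $spec.env }}`. The `{{ if eq $key "istio-ingressgateway" }}` and `{{ $network_set := ... }}` lines also lack the `{{-` trim used on every neighbouring action and will leave blank lines in the rendered output. The `env:` list starts before this hunk.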
@@ -26,8 +26,8 @@ spec: name: https-default tls: mode: SIMPLE - serverCertificate: /etc/istio/ingress-certs/tls.crt - privateKey: /etc/istio/ingress-certs/tls.key + serverCertificate: /etc/istio/ingressgateway-certs/tls.crt + privateKey: /etc/istio/ingressgateway-certs/tls.key hosts: - "*" {{ end }} @@ -119,6 +119,7 @@ spec: {{- end }} {{- if .Values.global.multiCluster.enabled }} +{{- if (index .Values "istio-egressgateway" "enabled") }} apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: @@ -149,6 +150,7 @@ spec: protocol: TLS tls: mode: AUTO_PASSTHROUGH +{{- end }} --- apiVersion: networking.istio.io/v1alpha3 kind: Gateway diff --git a/staging/istio/charts/grafana/Chart.yaml b/staging/istio/charts/grafana/Chart.yaml index 7c9d93369..2d1c114a4 100644 --- a/staging/istio/charts/grafana/Chart.yaml +++ b/staging/istio/charts/grafana/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: grafana -version: 1.3.3 -appVersion: 1.3.3 +version: 1.4.3 +appVersion: 1.4.3 tillerVersion: ">=2.7.2" diff --git a/staging/istio/charts/grafana/dashboards/galley-dashboard.json b/staging/istio/charts/grafana/dashboards/galley-dashboard.json index b9b07daa9..d67d6e5e8 100644 --- a/staging/istio/charts/grafana/dashboards/galley-dashboard.json +++ b/staging/istio/charts/grafana/dashboards/galley-dashboard.json @@ -903,10 +903,10 @@ "steppedLine": false, "targets": [ { - "expr": "sum by (typeURL) (galley_runtime_state_type_instances_total)", + "expr": "sum by (collection) (galley_runtime_state_type_instances_total)", "format": "time_series", "intervalFactor": 1, - "legendFormat": "{{ typeURL }}", + "legendFormat": "{{ collection }}", "refId": "A" } ], 
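Review bot: The new `{{- if (index .Values "istio-egressgateway" "enabled") }}` guard in the multiCluster hunk fails the render rather than evaluating false when the `istio-egressgateway` key is absent, because `index` cannot descend into a nil map; a nested `{{- with index .Values "istio-egressgateway" }}` / `{{- if .enabled }}` check degrades gracefully. Whether callers can omit that key depends on the parent values.yaml, which is not shown here. The first hunk's `/etc/istio/ingressgateway-certs/tls.crt` and `tls.key` paths also couple this Gateway to the volume mount in the gateway Deployment; a comment `# must match the ingressgateway-certs mount in the gateway Deployment` would make that dependency visible to the next person who renames either side. Both the Gateway resource and the multiCluster block extend outside these hunks.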
@@ -1338,91 +1338,6 @@ "alignLevel": null } }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 35 - }, - "id": 16, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(galley_source_kube_dynamic_converter_success_total[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{apiVersion=\"{{apiVersion}}\",group=\"{{group}}\",kind=\"{{kind}}\"}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Kubernetes Object Conversion Successes", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Conversions/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, { "aliasColors": {}, "bars": false, diff --git a/staging/istio/charts/istio-init/Chart.yaml b/staging/istio/charts/istio-init/Chart.yaml index 4d826a966..d6869faa6 100644 --- a/staging/istio/charts/istio-init/Chart.yaml +++ b/staging/istio/charts/istio-init/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v1 name: istio-init -version: 1.3.3 -appVersion: 1.3.3 +version: 1.4.3 +appVersion: 1.4.3 tillerVersion: ">=2.7.2-0" description: Helm chart to initialize Istio CRDs keywords: diff --git a/staging/istio/charts/istio-init/README.md b/staging/istio/charts/istio-init/README.md index c0a0e34f8..d04ed72ab 100644 --- a/staging/istio/charts/istio-init/README.md +++ b/staging/istio/charts/istio-init/README.md @@ -22,17 +22,20 @@ The chart deploys pods that consume minimal resources. ## Installing the Chart 1. If a service account has not already been installed for Tiller, install one: - ``` + + ```bash $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml ``` 1. If Tiller has not already been installed in your cluster, Install Tiller on your cluster with the service account: - ``` + + ```bash $ helm init --service-account tiller ``` 1. Install the Istio initializer chart: - ``` + + ```bash $ helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system ``` @@ -51,7 +54,6 @@ Helm charts expose configuration options which are currently in alpha. The curr | `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` | | `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` | - ## Uninstalling the Chart > Uninstalling this chart does not delete Istio's registered CRDs. Istio by design expects 
@@ -60,18 +62,21 @@ Helm charts expose configuration options which are currently in alpha. The curr > configuration rather then unexpectedly lose it. To uninstall/delete the `istio-init` release but continue to track the release: - ``` + + ```bash $ helm delete istio-init ``` To uninstall/delete the `istio-init` release completely and make its name free for later use: - ``` + + ```bash $ helm delete --purge istio-init ``` > Warning: Deleting CRDs will delete any configuration that you have made to Istio. To delete all CRDs, run the following command - ``` + + ```bash $ for i in istio-init/files/*crd*yaml; do kubectl delete -f $i; done ``` diff --git a/staging/istio/charts/istio-init/files/crd-10.yaml b/staging/istio/charts/istio-init/files/crd-10.yaml index ce24e8d55..9ef6af039 100644 --- a/staging/istio/charts/istio-init/files/crd-10.yaml +++ b/staging/istio/charts/istio-init/files/crd-10.yaml 
@@ -1,526 +1,4695 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: virtualservices.networking.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: istio-pilot + app: mixer chart: istio heritage: Tiller + istio: core + package: istio.io.mixer release: istio - annotations: - "helm.sh/hook": crd-install + name: attributemanifests.config.istio.io spec: - group: networking.istio.io + group: config.istio.io names: - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - singular: virtualservice - shortNames: - - vs categories: - istio-io - - networking-istio-io + - policy-istio-io + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Describes the rules used to configure Mixer''s policy and + telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' + properties: + attributes: + additionalProperties: + properties: + description: + description: A human-readable description of the attribute's purpose. + format: string + type: string + valueType: + description: The type of data carried by this attribute. + enum: + - VALUE_TYPE_UNSPECIFIED + - STRING + - INT64 + - DOUBLE + - BOOL + - TIMESTAMP + - IP_ADDRESS + - EMAIL_ADDRESS + - URI + - DNS_NAME + - DURATION + - STRING_MAP + type: string + type: object + description: The set of attributes this Istio component will be responsible + for producing at runtime. + type: object + name: + description: Name of the component producing these attributes. + format: string + type: string + revision: + description: The revision of this document. 
+ format: string + type: string + type: object + type: object versions: - - name: v1alpha3 - served: true - storage: true - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + - name: v1alpha2 + served: true + storage: true - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: destinationrules.networking.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: istio-pilot - chart: istio heritage: Tiller + istio: rbac release: istio - annotations: - "helm.sh/hook": crd-install + name: clusterrbacconfigs.rbac.istio.io spec: - group: networking.istio.io + group: rbac.istio.io names: - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - singular: destinationrule - shortNames: - - dr categories: - istio-io - - networking-istio-io - scope: Namespaced + - rbac-istio-io + kind: ClusterRbacConfig + plural: clusterrbacconfigs + singular: clusterrbacconfig + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. 
See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + enforcementMode: + enum: + - ENFORCED + - PERMISSIVE + type: string + exclusion: + description: A list of services or namespaces that should not be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. + items: + format: string + type: string + type: array + type: object + inclusion: + description: A list of services or namespaces that should be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. + items: + format: string + type: string + type: array + type: object + mode: + description: Istio RBAC mode. + enum: + - "OFF" + - "ON" + - ON_WITH_INCLUSION + - ON_WITH_EXCLUSION + type: string + type: object + type: object versions: - - name: v1alpha3 - served: true - storage: true - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + - name: v1alpha1 + served: true + storage: true - Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: serviceentries.networking.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: istio-pilot chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: destinationrules.networking.istio.io spec: - group: networking.istio.io - names: - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - singular: serviceentry - shortNames: - - se - categories: - - istio-io - - networking-istio-io - scope: Namespaced - versions: - - name: v1alpha3 - served: true - storage: true additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host type: string - JSONPath: .metadata.creationTimestamp description: |- CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata name: Age type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a + backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP + upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on + the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. 
+ oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to + the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to + a destination host. 
+ format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. 
+ type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true + --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: gateways.networking.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: istio-pilot chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: envoyfilters.networking.istio.io spec: group: networking.istio.io names: - kind: Gateway - plural: gateways - singular: gateway - shortNames: - - gw categories: - istio-io - networking-istio-io + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more + details at: https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was + generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. 
+ format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to SIDECAR_INBOUND context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. 
+ format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + type: string + value: + description: The JSON config of the object being patched. + type: object + type: object + type: object + type: array + filters: + items: + properties: + filterConfig: + type: object + filterName: + description: The name of the filter to instantiate. + format: string + type: string + filterType: + description: The type of filter to instantiate. + enum: + - INVALID + - HTTP + - NETWORK + type: string + insertPosition: + description: Insert position in the filter chain. + properties: + index: + description: Position of this filter in the filter chain. + enum: + - FIRST + - LAST + - BEFORE + - AFTER + type: string + relativeTo: + format: string + type: string + type: object + listenerMatch: + properties: + address: + description: One or more IP addresses to which the listener + is bound. + items: + format: string + type: string + type: array + listenerProtocol: + description: Selects a class of listeners for the same protocol. + enum: + - ALL + - HTTP + - TCP + type: string + listenerType: + description: Inbound vs outbound sidecar listener or gateway + listener. 
+ enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + portNamePrefix: + format: string + type: string + portNumber: + type: integer + type: object + type: object + type: array + workloadLabels: + additionalProperties: + format: string + type: string + description: Deprecated. + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + type: object versions: - - name: v1alpha3 - served: true - storage: true + - name: v1alpha3 + served: true + storage: true + --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: envoyfilters.networking.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: istio-pilot chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: gateways.networking.istio.io spec: group: networking.istio.io names: - kind: EnvoyFilter - plural: envoyfilters - singular: envoyfilter categories: - istio-io - networking-istio-io + kind: Gateway + plural: gateways + shortNames: + - gw + singular: gateway scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/v1alpha3/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + type: object versions: - - name: v1alpha3 - served: true - storage: true + - name: v1alpha3 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: clusterrbacconfigs.rbac.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: istio-pilot - istio: rbac + app: istio-mixer + chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: httpapispecbindings.config.istio.io spec: - group: rbac.istio.io + group: config.istio.io names: - kind: ClusterRbacConfig - plural: clusterrbacconfigs - singular: clusterrbacconfig categories: - istio-io - - rbac-istio-io - scope: Cluster + - apim-istio-io + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + api_specs: + items: + properties: + name: + description: The short name of the HTTPAPISpec. + format: string + type: string + namespace: + description: Optional namespace of the HTTPAPISpec. + format: string + type: string + type: object + type: array + apiSpecs: + items: + properties: + name: + description: The short name of the HTTPAPISpec. + format: string + type: string + namespace: + description: Optional namespace of the HTTPAPISpec. + format: string + type: string + type: object + type: array + services: + description: One or more services to map the listed HTTPAPISpec onto. 
+ items: + properties: + domain: + description: Domain suffix used to construct the service FQDN + in implementations that support such specification. + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: Optional one or more labels that uniquely identify + the service version. + type: object + name: + description: The short name of the service such as "foo". + format: string + type: string + namespace: + description: Optional namespace of the service. + format: string + type: string + service: + description: The service FQDN. + format: string + type: string + type: object + type: array + type: object + type: object versions: - - name: v1alpha1 - served: true - storage: true + - name: v1alpha2 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: policies.authentication.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: istio-citadel + app: istio-mixer chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: httpapispecs.config.istio.io spec: - group: authentication.istio.io + group: config.istio.io names: - kind: Policy - plural: policies - singular: policy categories: - istio-io - - authentication-istio-io + - apim-istio-io + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + api_keys: + items: + oneOf: + - required: + - query + - required: + - header + - required: + - cookie + properties: + cookie: + format: string + type: string + header: + description: API key is sent in a request header. + format: string + type: string + query: + description: API Key is sent as a query parameter. 
+ format: string + type: string + type: object + type: array + apiKeys: + items: + oneOf: + - required: + - query + - required: + - header + - required: + - cookie + properties: + cookie: + format: string + type: string + header: + description: API key is sent in a request header. + format: string + type: string + query: + description: API Key is sent as a query parameter. + format: string + type: string + type: object + type: array + attributes: + properties: + attributes: + additionalProperties: + oneOf: + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + properties: + boolValue: + type: boolean + bytesValue: + format: binary + type: string + doubleValue: + format: double + type: number + durationValue: + type: string + int64Value: + format: int64 + type: integer + stringMapValue: + properties: + entries: + additionalProperties: + format: string + type: string + description: Holds a set of name/value pairs. + type: object + type: object + stringValue: + format: string + type: string + timestampValue: + format: dateTime + type: string + type: object + description: A map of attribute name to its value. + type: object + type: object + patterns: + description: List of HTTP patterns to match. 
+ items: + oneOf: + - required: + - uriTemplate + - required: + - regex + properties: + attributes: + properties: + attributes: + additionalProperties: + oneOf: + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + properties: + boolValue: + type: boolean + bytesValue: + format: binary + type: string + doubleValue: + format: double + type: number + durationValue: + type: string + int64Value: + format: int64 + type: integer + stringMapValue: + properties: + entries: + additionalProperties: + format: string + type: string + description: Holds a set of name/value pairs. + type: object + type: object + stringValue: + format: string + type: string + timestampValue: + format: dateTime + type: string + type: object + description: A map of attribute name to its value. + type: object + type: object + httpMethod: + format: string + type: string + regex: + format: string + type: string + uriTemplate: + format: string + type: string + type: object + type: array + type: object + type: object versions: - - name: v1alpha1 - served: true - storage: true + - name: v1alpha2 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: meshpolicies.authentication.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: istio-citadel chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: meshpolicies.authentication.istio.io spec: group: authentication.istio.io names: + categories: + - istio-io + - authentication-istio-io kind: MeshPolicy listKind: MeshPolicyList plural: meshpolicies singular: meshpolicy - categories: - - istio-io - - authentication-istio-io scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + 
spec: + description: 'Authentication policy for Istio services. See more details + at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' + properties: + originIsOptional: + type: boolean + origins: + description: List of authentication methods that can be used for origin + authentication. + items: + properties: + jwt: + description: Jwt params for the method. + properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. + items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + peerIsOptional: + type: boolean + peers: + description: List of authentication methods that can be used for peer + authentication. + items: + oneOf: + - required: + - mtls + - required: + - jwt + properties: + jwt: + properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. + items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. 
+ format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. 
+ format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. 
+ format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + type: object + mtls: + description: Set if mTLS is used. + properties: + allowTls: + description: WILL BE DEPRECATED, if set, will translates to + `TLS_PERMISSIVE` mode. + type: boolean + mode: + description: Defines the mode of mTLS authentication. + enum: + - STRICT + - PERMISSIVE + type: string + type: object + type: object + type: array + principalBinding: + description: Define whether peer or origin identity should be use for + principal. + enum: + - USE_PEER + - USE_ORIGIN + type: string + targets: + description: List rules to select workloads that the policy should be + applied on. + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: The name must be a short name from the service registry. + format: string + type: string + ports: + description: Specifies the ports. 
+ items: + oneOf: + - required: + - number + - required: + - name + properties: + name: + format: string + type: string + number: + type: integer + type: object + type: array + type: object + type: array + type: object + type: object versions: - - name: v1alpha1 - served: true - storage: true + - name: v1alpha1 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: httpapispecbindings.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: istio-mixer + app: istio-citadel chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: policies.authentication.istio.io spec: - group: config.istio.io + group: authentication.istio.io names: - kind: HTTPAPISpecBinding - plural: httpapispecbindings - singular: httpapispecbinding categories: - istio-io - - apim-istio-io + - authentication-istio-io + kind: Policy + plural: policies + singular: policy scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Authentication policy for Istio services. See more details + at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' + properties: + originIsOptional: + type: boolean + origins: + description: List of authentication methods that can be used for origin + authentication. + items: + properties: + jwt: + description: Jwt params for the method. + properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. 
+ items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. + items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. 
+ format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. 
+ format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + peerIsOptional: + type: boolean + peers: + description: List of authentication methods that can be used for peer + authentication. 
+ items: + oneOf: + - required: + - mtls + - required: + - jwt + properties: + jwt: + properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. + items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. 
+ format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. 
+ format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. 
+ format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + type: object + mtls: + description: Set if mTLS is used. + properties: + allowTls: + description: WILL BE DEPRECATED, if set, will translates to + `TLS_PERMISSIVE` mode. + type: boolean + mode: + description: Defines the mode of mTLS authentication. + enum: + - STRICT + - PERMISSIVE + type: string + type: object + type: object + type: array + principalBinding: + description: Define whether peer or origin identity should be use for + principal. + enum: + - USE_PEER + - USE_ORIGIN + type: string + targets: + description: List rules to select workloads that the policy should be + applied on. + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: The name must be a short name from the service registry. + format: string + type: string + ports: + description: Specifies the ports. 
+ items: + oneOf: + - required: + - number + - required: + - name + properties: + name: + format: string + type: string + number: + type: integer + type: object + type: array + type: object + type: array + type: object + type: object versions: - - name: v1alpha2 - served: true - storage: true + - name: v1alpha1 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: httpapispecs.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: istio-mixer chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: quotaspecbindings.config.istio.io spec: group: config.istio.io names: - kind: HTTPAPISpec - plural: httpapispecs - singular: httpapispec categories: - istio-io - apim-istio-io + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + quotaSpecs: + items: + properties: + name: + description: The short name of the QuotaSpec. + format: string + type: string + namespace: + description: Optional namespace of the QuotaSpec. + format: string + type: string + type: object + type: array + services: + description: One or more services to map the listed QuotaSpec onto. + items: + properties: + domain: + description: Domain suffix used to construct the service FQDN + in implementations that support such specification. + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: Optional one or more labels that uniquely identify + the service version. + type: object + name: + description: The short name of the service such as "foo". + format: string + type: string + namespace: + description: Optional namespace of the service. + format: string + type: string + service: + description: The service FQDN. 
+ format: string + type: string + type: object + type: array + type: object + type: object versions: - - name: v1alpha2 - served: true - storage: true + - name: v1alpha2 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: quotaspecbindings.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: istio-mixer chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: quotaspecs.config.istio.io spec: group: config.istio.io names: - kind: QuotaSpecBinding - plural: quotaspecbindings - singular: quotaspecbinding categories: - istio-io - apim-istio-io + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: Determines the quotas used for individual requests. + properties: + rules: + description: A list of Quota rules. + items: + properties: + match: + description: If empty, match all request. + items: + properties: + clause: + additionalProperties: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + description: Map of attribute names to StringMatch type. + type: object + type: object + type: array + quotas: + description: The list of quotas to charge. 
+ items: + properties: + charge: + format: int32 + type: integer + quota: + format: string + type: string + type: object + type: array + type: object + type: array + type: object + type: object versions: - - name: v1alpha2 - served: true - storage: true + - name: v1alpha2 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: quotaspecs.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: istio-mixer + app: mixer chart: istio heritage: Tiller + istio: rbac + package: istio.io.mixer release: istio - annotations: - "helm.sh/hook": crd-install + name: rbacconfigs.rbac.istio.io spec: - group: config.istio.io + group: rbac.istio.io names: - kind: QuotaSpec - plural: quotaspecs - singular: quotaspec categories: - istio-io - - apim-istio-io + - rbac-istio-io + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + enforcementMode: + enum: + - ENFORCED + - PERMISSIVE + type: string + exclusion: + description: A list of services or namespaces that should not be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. + items: + format: string + type: string + type: array + type: object + inclusion: + description: A list of services or namespaces that should be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. 
+ items: + format: string + type: string + type: array + type: object + mode: + description: Istio RBAC mode. + enum: + - "OFF" + - "ON" + - ON_WITH_INCLUSION + - ON_WITH_EXCLUSION + type: string + type: object + type: object versions: - - name: v1alpha2 - served: true - storage: true + - name: v1alpha1 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: rules.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer - package: istio.io.mixer - istio: core chart: istio heritage: Tiller + istio: core + package: istio.io.mixer release: istio - annotations: - "helm.sh/hook": crd-install + name: rules.config.istio.io spec: group: config.istio.io names: - kind: rule - plural: rules - singular: rule categories: - istio-io - policy-istio-io + kind: rule + plural: rules + singular: rule scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Describes the rules used to configure Mixer''s policy and + telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' + properties: + actions: + description: The actions that will be executed when match evaluates + to `true`. + items: + properties: + handler: + description: Fully qualified name of the handler to invoke. + format: string + type: string + instances: + items: + format: string + type: string + type: array + name: + description: A handle to refer to the results of the action. + format: string + type: string + type: object + type: array + match: + description: Match is an attribute based predicate. + format: string + type: string + requestHeaderOperations: + items: + properties: + name: + description: Header name literal value. + format: string + type: string + operation: + description: Header operation type. 
+ enum: + - REPLACE + - REMOVE + - APPEND + type: string + values: + description: Header value expressions. + items: + format: string + type: string + type: array + type: object + type: array + responseHeaderOperations: + items: + properties: + name: + description: Header name literal value. + format: string + type: string + operation: + description: Header operation type. + enum: + - REPLACE + - REMOVE + - APPEND + type: string + values: + description: Header value expressions. + items: + format: string + type: string + type: array + type: object + type: array + sampling: + properties: + random: + description: Provides filtering of actions based on random selection + per request. + properties: + attributeExpression: + description: Specifies an attribute expression to use to override + the numerator in the `percent_sampled` field. + format: string + type: string + percentSampled: + description: The default sampling rate, expressed as a percentage. + properties: + denominator: + description: Specifies the denominator. + enum: + - HUNDRED + - TEN_THOUSAND + type: string + numerator: + description: Specifies the numerator. + type: integer + type: object + useIndependentRandomness: + description: By default sampling will be based on the value + of the request header `x-request-id`. + type: boolean + type: object + rateLimit: + properties: + maxUnsampledEntries: + description: Number of entries to allow during the `sampling_duration` + before sampling is enforced. + format: int64 + type: integer + samplingDuration: + description: Window in which to enforce the sampling rate. + type: string + samplingRate: + description: The rate at which to sample entries once the unsampled + limit has been reached. 
+ format: int64 + type: integer + type: object + type: object + type: object + type: object versions: - - name: v1alpha2 - served: true - storage: true + - name: v1alpha2 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: attributemanifests.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: mixer - package: istio.io.mixer - istio: core + app: istio-pilot chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: serviceentries.networking.istio.io spec: - group: config.istio.io + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL + or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: networking.istio.io names: - kind: attributemanifest - plural: attributemanifests - singular: attributemanifest categories: - istio-io - - policy-istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/v1alpha3/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. 
+ format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object versions: - - name: v1alpha2 - served: true - storage: true + - name: v1alpha3 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: rbacconfigs.rbac.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer - package: istio.io.mixer - istio: rbac chart: istio heritage: Tiller + istio: rbac + package: istio.io.mixer release: istio - annotations: - "helm.sh/hook": crd-install + name: servicerolebindings.rbac.istio.io spec: + additionalPrinterColumns: + - JSONPath: .spec.roleRef.name + description: The name of the ServiceRole object being referenced + name: Reference + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date group: rbac.istio.io names: - kind: RbacConfig - plural: rbacconfigs - singular: rbacconfig categories: - istio-io - rbac-istio-io + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + actions: + items: + properties: + constraints: + description: Optional. + items: + properties: + key: + description: Key of the constraint. + format: string + type: string + values: + description: List of valid values for the constraint. + items: + format: string + type: string + type: array + type: object + type: array + hosts: + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + items: + format: string + type: string + type: array + notMethods: + items: + format: string + type: string + type: array + notPaths: + items: + format: string + type: string + type: array + notPorts: + items: + format: int32 + type: integer + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + items: + format: int32 + type: integer + type: array + services: + description: A list of service names. + items: + format: string + type: string + type: array + type: object + type: array + mode: + enum: + - ENFORCED + - PERMISSIVE + type: string + role: + format: string + type: string + roleRef: + description: Reference to the ServiceRole object. + properties: + kind: + description: The type of the role being referenced. + format: string + type: string + name: + description: The name of the ServiceRole object being referenced. 
+ format: string + type: string + type: object + subjects: + description: List of subjects that are assigned the ServiceRole object. + items: + properties: + group: + format: string + type: string + groups: + items: + format: string + type: string + type: array + ips: + items: + format: string + type: string + type: array + names: + items: + format: string + type: string + type: array + namespaces: + items: + format: string + type: string + type: array + notGroups: + items: + format: string + type: string + type: array + notIps: + items: + format: string + type: string + type: array + notNames: + items: + format: string + type: string + type: array + notNamespaces: + items: + format: string + type: string + type: array + properties: + additionalProperties: + format: string + type: string + description: Optional. + type: object + user: + description: Optional. + format: string + type: string + type: object + type: array + type: object + type: object versions: - - name: v1alpha1 - served: true - storage: true + - name: v1alpha1 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: serviceroles.rbac.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer - package: istio.io.mixer - istio: rbac chart: istio heritage: Tiller + istio: rbac + package: istio.io.mixer release: istio - annotations: - "helm.sh/hook": crd-install + name: serviceroles.rbac.istio.io spec: group: rbac.istio.io names: - kind: ServiceRole - plural: serviceroles - singular: servicerole categories: - istio-io - rbac-istio-io + kind: ServiceRole + plural: serviceroles + singular: servicerole scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. 
See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + rules: + description: The set of access rules (permissions) that the role has. + items: + properties: + constraints: + description: Optional. + items: + properties: + key: + description: Key of the constraint. + format: string + type: string + values: + description: List of valid values for the constraint. + items: + format: string + type: string + type: array + type: object + type: array + hosts: + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + items: + format: string + type: string + type: array + notMethods: + items: + format: string + type: string + type: array + notPaths: + items: + format: string + type: string + type: array + notPorts: + items: + format: int32 + type: integer + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + items: + format: int32 + type: integer + type: array + services: + description: A list of service names. 
+ items: + format: string + type: string + type: array + type: object + type: array + type: object + type: object versions: - - name: v1alpha1 - served: true - storage: true + - name: v1alpha1 + served: true + storage: true + --- -kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - name: servicerolebindings.rbac.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: mixer - package: istio.io.mixer - istio: rbac + app: istio-pilot chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: virtualservices.networking.istio.io spec: - group: rbac.istio.io - names: - kind: ServiceRoleBinding - plural: servicerolebindings - singular: servicerolebinding - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - versions: - - name: v1alpha1 - served: true - storage: true additionalPrinterColumns: - - JSONPath: .spec.roleRef.name - description: The name of the ServiceRole object being referenced - name: Reference + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts type: string - JSONPath: .metadata.creationTimestamp description: |- CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata name: Age type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these + routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + appendHeaders: + additionalProperties: + format: string + type: string + type: object + appendRequestHeaders: + additionalProperties: + format: string + type: string + type: object + appendResponseHeaders: + additionalProperties: + format: string + type: string + type: object + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. 
+ items: + format: string + type: string + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at + the client side. + properties: + abort: + oneOf: + - properties: + percent: {} + required: + - httpStatus + - properties: + percent: {} + required: + - grpcStatus + - properties: + percent: {} + required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percent: + description: Percentage of requests to be aborted with + the error code provided (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - properties: + percent: {} + required: + - fixedDelay + - properties: + percent: {} + required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + gateways: + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should + be case-insensitive. + type: boolean + method: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. 
+ type: integer + queryParams: + additionalProperties: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + uri: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + name: + description: The name assigned to the route for debugging purposes. + format: string + type: string + redirect: + description: A http rule can either redirect or forward (default) + traffic. 
+ properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + removeRequestHeaders: + items: + format: string + type: string + type: array + removeResponseHeaders: + items: + format: string + type: string + type: array + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per retry attempt for a given request. + type: string + retryOn: + description: Specifies the conditions under which retry takes + place. + format: string + type: string + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A http rule can either redirect or forward (default) + traffic. + items: + properties: + appendRequestHeaders: + additionalProperties: + format: string + type: string + description: Use of `append_request_headers` is deprecated. + type: object + appendResponseHeaders: + additionalProperties: + format: string + type: string + description: Use of `append_response_headers` is deprecated. + type: object + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + removeRequestHeaders: + description: Use of `remove_request_headers` is deprecated. + items: + format: string + type: string + type: array + removeResponseHeaders: + description: Use of `remove_response_header` is deprecated. + items: + format: string + type: string + type: array + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests. + type: string + websocketUpgrade: + description: Deprecated. + type: boolean + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied to. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied to. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true + --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 @@ -545,10 +4714,13 @@ spec: - istio-io - policy-istio-io scope: Namespaced + subresources: + status: {} versions: - name: v1alpha2 served: true storage: true + --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 @@ -573,10 +4745,13 @@ spec: - istio-io - policy-istio-io scope: Namespaced + subresources: + status: {} versions: - name: v1alpha2 served: true storage: true + --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 @@ -601,10 +4776,13 @@ spec: - istio-io - policy-istio-io scope: Namespaced + subresources: + status: {} versions: - name: v1alpha2 served: true storage: true + --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 @@ -629,8 +4807,11 @@ spec: - istio-io - policy-istio-io scope: Namespaced + subresources: + status: {} versions: - name: v1alpha2 served: true storage: true + --- diff --git a/staging/istio/charts/istio-init/files/crd-11.yaml b/staging/istio/charts/istio-init/files/crd-11.yaml index 1c48bd110..98882b2c5 100644 --- a/staging/istio/charts/istio-init/files/crd-11.yaml +++ b/staging/istio/charts/istio-init/files/crd-11.yaml 
@@ -1,26 +1,122 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: sidecars.networking.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: istio-pilot chart: istio heritage: Tiller release: istio - annotations: - "helm.sh/hook": crd-install + name: sidecars.networking.istio.io spec: group: networking.istio.io names: - kind: Sidecar - plural: sidecars - singular: sidecar categories: - istio-io - networking-istio-io + kind: Sidecar + plural: sidecars + singular: sidecar scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The ip to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. 
+ format: string + type: string + type: object + type: object + type: array + outboundTrafficPolicy: + description: This allows to configure the outbound traffic policy. + properties: + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + type: object versions: - - name: v1alpha3 - served: true - storage: true + - name: v1alpha3 + served: true + storage: true + --- diff --git a/staging/istio/charts/istio-init/files/crd-12.yaml b/staging/istio/charts/istio-init/files/crd-12.yaml deleted file mode 100644 index 0d6bdf5ad..000000000 --- a/staging/istio/charts/istio-init/files/crd-12.yaml +++ /dev/null @@ -1,26 +0,0 @@ -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: authorizationpolicies.rbac.istio.io - labels: - app: istio-pilot - istio: rbac - heritage: Tiller - release: istio - annotations: - "helm.sh/hook": crd-install -spec: - group: rbac.istio.io - names: - kind: AuthorizationPolicy - plural: authorizationpolicies - singular: authorizationpolicy - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - versions: - - name: v1alpha1 - served: true - storage: true ---- diff --git a/staging/istio/charts/istio-init/files/crd-14.yaml b/staging/istio/charts/istio-init/files/crd-14.yaml new file mode 100644 index 000000000..b958df46d --- /dev/null +++ b/staging/istio/charts/istio-init/files/crd-14.yaml 
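Review bot: The new `validation.openAPIV3Schema` for Sidecar types the fields it lists but leaves unknown fields unconstrained: the CRD stays on `apiextensions.k8s.io/v1beta1`, and neither `preserveUnknownFields: false` nor `additionalProperties: false` is set, so a misspelled key such as `outboundTraficPolicy` is accepted by the API server and, presumably, ignored by the control plane — for a `mode: REGISTRY_ONLY` egress restriction that means the intended lockdown silently never applies. Consider adding `preserveUnknownFields: false` next to `scope: Namespaced` under `spec` once the chart's minimum Kubernetes version supports it, or have the generator emit it. The same fail-open pattern applies to every validation block added in this patch, including the new crd-14.yaml AuthorizationPolicy CRD below and the crd-10.yaml hunks above, so one fix in the generator covers all of them.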
@@ -0,0 +1,137 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more details + at: https://istio.io/docs/reference/config/security/v1beta1/authorization-policy.html' + properties: + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. 
+ items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + values: + description: The allowed values for the attribute. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- diff --git a/staging/istio/charts/istio-init/templates/configmap-crd-12.yaml b/staging/istio/charts/istio-init/templates/configmap-crd-12.yaml deleted file mode 100644 index a49736534..000000000 --- a/staging/istio/charts/istio-init/templates/configmap-crd-12.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: {{ .Release.Namespace }} - name: istio-crd-12 -data: - crd-12.yaml: |- -{{.Files.Get "files/crd-12.yaml" | printf "%s" | indent 4}} diff --git a/staging/istio/charts/istio-init/templates/configmap-crd-14.yaml b/staging/istio/charts/istio-init/templates/configmap-crd-14.yaml new file mode 100644 index 000000000..5dc73c39c --- /dev/null +++ b/staging/istio/charts/istio-init/templates/configmap-crd-14.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Release.Namespace }} + name: istio-crd-14 +data: + crd-14.yaml: |- +{{.Files.Get "files/crd-14.yaml" | printf "%s" | indent 4}} diff --git a/staging/istio/charts/istio-init/templates/crd-12.yaml b/staging/istio/charts/istio-init/templates/crd-14.yaml similarity index 61% rename from staging/istio/charts/istio-init/templates/crd-12.yaml rename to staging/istio/charts/istio-init/templates/crd-14.yaml index 7b378f236..57d11c5f6 100644 --- a/staging/istio/charts/istio-init/templates/crd-12.yaml +++ b/staging/istio/charts/istio-init/templates/crd-14.yaml 
@@ -1,3 +1,3 @@ {{- if not (.Capabilities.APIVersions.Has "networking.istio.io/v1alpha3") }} -{{.Files.Get "files/crd-12.yaml" }} -{{- end }} +{{.Files.Get "files/crd-14.yaml" }} +{{- end }} diff --git a/staging/istio/charts/istio-init/templates/job-crd-10.yaml b/staging/istio/charts/istio-init/templates/job-crd-10.yaml index 2f98bc51f..cd54edc9e 100644 --- a/staging/istio/charts/istio-init/templates/job-crd-10.yaml +++ b/staging/istio/charts/istio-init/templates/job-crd-10.yaml @@ -14,6 +14,10 @@ spec: - name: istio-init-crd-10 image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- if .Values.job.resources }} + resources: +{{ toYaml .Values.job.resources | indent 10 }} +{{- end }} volumeMounts: - name: crd-10 mountPath: /etc/istio/crd-10 diff --git a/staging/istio/charts/istio-init/templates/job-crd-11.yaml b/staging/istio/charts/istio-init/templates/job-crd-11.yaml index 35996a022..b13343c85 100644 --- a/staging/istio/charts/istio-init/templates/job-crd-11.yaml +++ b/staging/istio/charts/istio-init/templates/job-crd-11.yaml @@ -14,6 +14,10 @@ spec: - name: istio-init-crd-11 image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- if .Values.job.resources }} + resources: +{{ toYaml .Values.job.resources | indent 10 }} +{{- end }} volumeMounts: - name: crd-11 mountPath: /etc/istio/crd-11 diff --git a/staging/istio/charts/istio-init/templates/job-crd-12.yaml b/staging/istio/charts/istio-init/templates/job-crd-12.yaml deleted file mode 100644 index f40425097..000000000 --- a/staging/istio/charts/istio-init/templates/job-crd-12.yaml +++ /dev/null 
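Review bot: The renamed template keeps its capability test on `networking.istio.io/v1alpha3`, but the file it now renders, files/crd-14.yaml, defines `authorizationpolicies.security.istio.io`, so on a cluster upgraded from 1.3.3 (which already serves networking.istio.io/v1alpha3) this template never emits the new CRD. The check should look at the API group the CRD itself introduces: `{{- if not (.Capabilities.APIVersions.Has "security.istio.io/v1beta1") }}`. The istio-init-crd-14 Job in job-crd-14.yaml still applies the same file with kubectl, so this probably only affects the crd-install hook path, but the two install paths should agree on the condition.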
@@ -1,26 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - namespace: {{ .Release.Namespace }} - name: istio-init-crd-12-{{ .Values.global.tag | printf "%v" | trunc 32 }} -spec: - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istio-init-service-account - containers: - - name: istio-init-crd-12 - image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - volumeMounts: - - name: crd-12 - mountPath: /etc/istio/crd-12 - readOnly: true - command: ["kubectl", "apply", "-f", "/etc/istio/crd-12/crd-12.yaml"] - volumes: - - name: crd-12 - configMap: - name: istio-crd-12 - restartPolicy: OnFailure diff --git a/staging/istio/charts/istio-init/templates/job-crd-14.yaml b/staging/istio/charts/istio-init/templates/job-crd-14.yaml new file mode 100644 index 000000000..3644bfa67 --- /dev/null +++ b/staging/istio/charts/istio-init/templates/job-crd-14.yaml @@ -0,0 +1,30 @@ +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-14-{{ .Values.global.tag | printf "%v" | trunc 32 }} +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-14 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- if .Values.job.resources }} + resources: +{{ toYaml .Values.job.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: crd-14 + mountPath: /etc/istio/crd-14 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-14/crd-14.yaml"] + volumes: + - name: crd-14 + configMap: + name: istio-crd-14 + restartPolicy: OnFailure diff --git a/staging/istio/charts/istio-init/templates/serviceaccount.yaml b/staging/istio/charts/istio-init/templates/serviceaccount.yaml index 25d542a65..314666293 100644 
--- a/staging/istio/charts/istio-init/templates/serviceaccount.yaml +++ b/staging/istio/charts/istio-init/templates/serviceaccount.yaml @@ -12,3 +12,4 @@ metadata: labels: app: istio-init istio: init + diff --git a/staging/istio/charts/istio-init/values.yaml b/staging/istio/charts/istio-init/values.yaml index f0cf4f2cc..2abaf6e94 100644 --- a/staging/istio/charts/istio-init/values.yaml +++ b/staging/istio/charts/istio-init/values.yaml @@ -1,13 +1,22 @@ global: # Default hub for Istio images. # Releases are published to docker hub under 'istio' project. - # Daily builds from prow are on gcr.io + # Dev builds from prow are on gcr.io hub: docker.io/istio # Default tag for Istio images. - tag: 1.3.3 + tag: 1.4.3 # imagePullPolicy is applied to istio control plane components. # local tests require IfNotPresent, to avoid uploading to dockerhub. # TODO: Switch to Always as default, and override in the local tests. imagePullPolicy: IfNotPresent + +job: + resources: + requests: + cpu: 10m + memory: 50Mi + limits: + cpu: 100m + memory: 200Mi diff --git a/staging/istio/charts/istiocoredns/Chart.yaml b/staging/istio/charts/istiocoredns/Chart.yaml index 0f1f5d03e..809aaea25 100644 --- a/staging/istio/charts/istiocoredns/Chart.yaml +++ b/staging/istio/charts/istiocoredns/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: Istio CoreDNS provides DNS resolution for services in multicluster setups. name: istiocoredns -version: 1.3.3 +version: 1.4.3 appVersion: 0.1 tillerVersion: ">=2.7.2" diff --git a/staging/istio/charts/istiocoredns/templates/configmap.yaml b/staging/istio/charts/istiocoredns/templates/configmap.yaml index 50d166fe5..925626f6b 100644 --- a/staging/istio/charts/istiocoredns/templates/configmap.yaml +++ b/staging/istio/charts/istiocoredns/templates/configmap.yaml 
@@ -13,11 +13,19 @@ data: .:53 { errors health + {{ if eq -1 (semver .Values.coreDNSTag | (semver "1.4.0").Compare) }} + # Removed support for the proxy plugin: https://coredns.io/2019/03/03/coredns-1.4.0-release/ + grpc global 127.0.0.1:8053 + forward . /etc/resolv.conf { + except global + } + {{ else }} proxy global 127.0.0.1:8053 { protocol grpc insecure } - prometheus :9153 proxy . /etc/resolv.conf + {{ end }} + prometheus :9153 cache 30 reload } diff --git a/staging/istio/charts/istiocoredns/templates/deployment.yaml b/staging/istio/charts/istiocoredns/templates/deployment.yaml index 4cd5f002d..d5e087983 100644 --- a/staging/istio/charts/istiocoredns/templates/deployment.yaml +++ b/staging/istio/charts/istiocoredns/templates/deployment.yaml @@ -27,6 +27,9 @@ spec: release: {{ .Release.Name }} annotations: sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} spec: serviceAccountName: istiocoredns-service-account {{- if .Values.global.priorityClassName }} @@ -34,7 +37,7 @@ spec: {{- end }} containers: - name: coredns - image: {{ .Values.coreDNSImage }} + image: {{ .Values.coreDNSImage }}:{{ .Values.coreDNSTag }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} args: [ "-conf", "/etc/coredns/Corefile" ] volumeMounts: diff --git a/staging/istio/charts/istiocoredns/values.yaml b/staging/istio/charts/istiocoredns/values.yaml index 4724df7e5..6b31219cc 100644 --- a/staging/istio/charts/istiocoredns/values.yaml +++ b/staging/istio/charts/istiocoredns/values.yaml 
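Review bot: The version test in the configmap.yaml hunk is true only for CoreDNS tags strictly newer than 1.4.0, because `(semver "1.4.0").Compare` returns -1 only when 1.4.0 is smaller than `.Values.coreDNSTag`; a tag of exactly 1.4.0 takes the `else` branch and renders the `proxy` plugin that the adjacent comment says was removed in that very release. Using `{{ if ne 1 (semver .Values.coreDNSTag | (semver "1.4.0").Compare) }}` makes the new `grpc`/`forward` stanza apply to 1.4.0 and later. A comment above the condition noting that `semver` fails to render for non-semver tags such as `latest`, so `coreDNSTag` must now be a proper version, would also help operators who override the default.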
@@ -5,13 +5,15 @@ enabled: false replicaCount: 1 rollingMaxSurge: 100% rollingMaxUnavailable: 25% -coreDNSImage: coredns/coredns:1.1.2 +coreDNSImage: coredns/coredns +coreDNSTag: 1.6.2 # Source code for the plugin can be found at # https://github.com/istio-ecosystem/istio-coredns-plugin # The plugin listens for DNS requests from coredns server at 127.0.0.1:8053 coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1 nodeSelector: {} tolerations: [] +podAnnotations: {} # Specify the pod anti-affinity that allows you to constrain which nodes # your pod is eligible to be scheduled based on labels on pods that are diff --git a/staging/istio/charts/kiali/Chart.yaml b/staging/istio/charts/kiali/Chart.yaml index 1f63e6e3e..5057c69c9 100644 --- a/staging/istio/charts/kiali/Chart.yaml +++ b/staging/istio/charts/kiali/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details. name: kiali -version: 1.3.3 -appVersion: 1.3.3 +version: 1.9.0 +appVersion: 1.9.0 tillerVersion: ">=2.7.2" diff --git a/staging/istio/charts/kiali/templates/clusterrole.yaml b/staging/istio/charts/kiali/templates/clusterrole.yaml index d9091a0b9..8ad6e9756 100644 --- a/staging/istio/charts/kiali/templates/clusterrole.yaml +++ b/staging/istio/charts/kiali/templates/clusterrole.yaml 
@@ -46,84 +46,13 @@ rules: - get - list - watch -- apiGroups: ["config.istio.io"] - resources: - - adapters - - apikeys - - bypasses - - authorizations - - checknothings - - circonuses - - cloudwatches - - deniers - - dogstatsds - - edges - - fluentds - - handlers - - instances - - kubernetesenvs - - kuberneteses - - listcheckers - - listentries - - logentries - - memquotas - - metrics - - noops - - opas - - prometheuses - - quotas - - quotaspecbindings - - quotaspecs - - rbacs - - redisquotas - - reportnothings - - rules - - signalfxs - - solarwindses - - stackdrivers - - statsds - - stdios - - templates - - tracespans - - zipkins - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: ["networking.istio.io"] - resources: - - destinationrules - - gateways - - serviceentries - - sidecars - - virtualservices - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: ["authentication.istio.io"] - resources: - - meshpolicies - - policies - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: ["rbac.istio.io"] - resources: - - clusterrbacconfigs - - rbacconfigs - - servicerolebindings - - serviceroles +- apiGroups: + - config.istio.io + - networking.istio.io + - authentication.istio.io + - rbac.istio.io + - security.istio.io + resources: ["*"] verbs: - create - delete 
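Review bot: The new rule in the kiali ClusterRole replaces the enumerated resource lists with `resources: ["*"]` across five Istio API groups while keeping `create`, `delete` and `patch`, which widens the Kiali service account to every current and future resource in those groups and, via the added `security.istio.io`, lets the dashboard write AuthorizationPolicy objects; the read-only rule in the next hunk (`@@ -186,75 +115,13 @@`) gets the same wildcard. If Kiali 1.9 genuinely needs write access to all of these, that should be stated in the PR description; otherwise keep an enumerated `resources:` list in the write rule and reserve the wildcard for the view-only rule. A one-line comment above the rule such as `# wildcard: Kiali 1.9 lists/edits every Istio config kind, incl. security.istio.io` would at least record the intent.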
@@ -186,75 +115,13 @@ rules: - get - list - watch -- apiGroups: ["config.istio.io"] - resources: - - adapters - - apikeys - - bypasses - - authorizations - - checknothings - - circonuses - - cloudwatches - - deniers - - dogstatsds - - edges - - fluentds - - handlers - - instances - - kubernetesenvs - - kuberneteses - - listcheckers - - listentries - - logentries - - memquotas - - metrics - - noops - - opas - - prometheuses - - quotas - - quotaspecbindings - - quotaspecs - - rbacs - - redisquotas - - reportnothings - - rules - - signalfxs - - solarwindses - - stackdrivers - - statsds - - stdios - - templates - - tracespans - - zipkins - verbs: - - get - - list - - watch -- apiGroups: ["networking.istio.io"] - resources: - - destinationrules - - gateways - - serviceentries - - sidecars - - virtualservices - verbs: - - get - - list - - watch -- apiGroups: ["authentication.istio.io"] - resources: - - meshpolicies - - policies - verbs: - - get - - list - - watch -- apiGroups: ["rbac.istio.io"] - resources: - - clusterrbacconfigs - - rbacconfigs - - servicerolebindings - - serviceroles +- apiGroups: + - config.istio.io + - networking.istio.io + - authentication.istio.io + - rbac.istio.io + - security.istio.io + resources: ["*"] verbs: - get - list diff --git a/staging/istio/charts/kiali/templates/configmap.yaml b/staging/istio/charts/kiali/templates/configmap.yaml index cd63a90cc..055edd624 100644 --- a/staging/istio/charts/kiali/templates/configmap.yaml +++ b/staging/istio/charts/kiali/templates/configmap.yaml @@ -11,6 +11,8 @@ metadata: data: config.yaml: | istio_namespace: {{ .Release.Namespace }} + deployment: + accessible_namespaces: ['**'] auth: strategy: {{ .Values.dashboard.auth.strategy }} server: diff --git a/staging/istio/charts/kiali/templates/deployment.yaml b/staging/istio/charts/kiali/templates/deployment.yaml index 9389f58d0..ed9009e2f 100644 --- a/staging/istio/charts/kiali/templates/deployment.yaml 
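Review bot: `accessible_namespaces: ['**']` in the kiali configmap hunk hard-codes cluster-wide scope for the dashboard, and combined with the wildcard ClusterRole in this same commit it means anyone admitted by `.Values.dashboard.auth.strategy` can browse and edit Istio config in every namespace. Exposing this as a chart value (e.g. `accessible_namespaces: {{ toJson .Values.dashboard.accessibleNamespaces }}` with a default of `['**']` in values.yaml) keeps the upstream behaviour while letting operators narrow it. The auth strategy default is defined outside this hunk, so whether unauthenticated access is the default cannot be confirmed here.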
+++ b/staging/istio/charts/kiali/templates/deployment.yaml @@ -27,6 +27,9 @@ spec: prometheus.io/scrape: "true" prometheus.io/port: "9090" kiali.io/runtimes: go,kiali + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} spec: serviceAccountName: kiali-service-account {{- if .Values.global.priorityClassName }} diff --git a/staging/istio/charts/kiali/values.yaml b/staging/istio/charts/kiali/values.yaml index bb536f1c8..f9d25256b 100644 --- a/staging/istio/charts/kiali/values.yaml +++ b/staging/istio/charts/kiali/values.yaml @@ -5,10 +5,11 @@ enabled: false # Note that if using the demo or demo-auth yaml when installing v replicaCount: 1 hub: quay.io/kiali image: kiali -tag: v1.4 +tag: v1.9 contextPath: /kiali # The root context path to access the Kiali UI. nodeSelector: {} tolerations: [] +podAnnotations: {} # Specify the pod anti-affinity that allows you to constrain which nodes # your pod is eligible to be scheduled based on labels on pods that are @@ -36,7 +37,7 @@ ingress: ## Used to create an Ingress record. hosts: - kiali.local - annotations: + annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" tls: diff --git a/staging/istio/charts/mixer/Chart.yaml b/staging/istio/charts/mixer/Chart.yaml index 68ad8df57..967789b47 100644 --- a/staging/istio/charts/mixer/Chart.yaml +++ b/staging/istio/charts/mixer/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: mixer -version: 1.3.3 -appVersion: 1.3.3 +version: 1.4.3 +appVersion: 1.4.3 tillerVersion: ">=2.7.2" description: Helm chart for mixer deployment keywords: diff --git a/staging/istio/charts/mixer/templates/config.yaml b/staging/istio/charts/mixer/templates/config.yaml index 43b2c5ced..07f5893be 100644 --- a/staging/istio/charts/mixer/templates/config.yaml +++ b/staging/istio/charts/mixer/templates/config.yaml 
@@ -388,7 +388,7 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | request.host | "unknown" + destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" @@ -425,13 +425,13 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | request.host | "unknown" + destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_code: rbac.permissive.response_code | "none" permissive_response_policyid: rbac.permissive.effective_policy_id | "none" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' 
@@ -462,13 +462,13 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | request.host | "unknown" + destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_code: rbac.permissive.response_code | "none" permissive_response_policyid: rbac.permissive.effective_policy_id | "none" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' 
@@ -499,13 +499,13 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | request.host | "unknown" + destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_code: rbac.permissive.response_code | "none" permissive_response_policyid: rbac.permissive.effective_policy_id | "none" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' @@ -1041,13 +1041,15 @@ spec: - '*' {{- end }} trafficPolicy: - {{- if .Values.global.controlPlaneSecurityEnabled }} portLevelSettings: - port: - number: 15004 + number: 15004 # grpc-mixer-mtls tls: mode: ISTIO_MUTUAL - {{- end}} + - port: + number: 9091 # grpc-mixer + tls: + mode: DISABLE connectionPool: http: http2MaxRequests: 10000 @@ -1072,13 +1074,15 @@ spec: - '*' {{- end }} trafficPolicy: - {{- if .Values.global.controlPlaneSecurityEnabled }} portLevelSettings: - port: - number: 15004 + number: 15004 # grpc-mixer-mtls tls: mode: ISTIO_MUTUAL - {{- end}} + - port: + number: 9091 # grpc-mixer + tls: + mode: DISABLE connectionPool: http: http2MaxRequests: 10000 diff --git a/staging/istio/charts/mixer/templates/deployment.yaml b/staging/istio/charts/mixer/templates/deployment.yaml index 2b32b1e1d..3a85cf3a7 100644 --- a/staging/istio/charts/mixer/templates/deployment.yaml 
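Review bot: The trafficPolicy hunks at `@@ -1041` and `@@ -1072` drop the `controlPlaneSecurityEnabled` guard and add an explicit `tls: mode: DISABLE` entry for port 9091, so the DestinationRule now states plaintext for the grpc-mixer port unconditionally. Which port proxies actually use when control plane security is on is decided elsewhere (not in these hunks), so this is presumably fine, but the two port entries deserve a comment recording the intent, e.g. `# 15004 is the mTLS port, 9091 stays plaintext; proxies choose by controlPlaneSecurityEnabled`. The four `destination_service` edits earlier in this file are identical copies; a short comment on the first explaining why `request.host` is now used only when the service name is known would save the next reader from reverse-engineering it.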
+++ b/staging/istio/charts/mixer/templates/deployment.yaml @@ -78,6 +78,11 @@ {{- end }} {{- if .Values.env }} env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace {{- range $key, $val := .Values.env }} - name: {{ $key }} value: "{{ $val }}" @@ -136,6 +141,15 @@ {{- if $.Values.global.trustDomain }} - --trust-domain={{ $.Values.global.trustDomain }} {{- end }} + {{- if $.Values.global.proxy.logLevel }} + - --proxyLogLevel={{ $.Values.global.proxy.logLevel }} + {{- end}} + {{- if $.Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ $.Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} + {{- end}} env: - name: POD_NAME valueFrom: @@ -264,6 +278,11 @@ - {{ $.Values.telemetry.loadshedding.mode }} {{- if .Values.env }} env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace {{- range $key, $val := .Values.env }} - name: {{ $key }} value: "{{ $val }}" @@ -322,6 +341,15 @@ - --controlPlaneAuthPolicy - NONE {{- end }} + {{- if $.Values.global.proxy.logLevel }} + - --proxyLogLevel={{ $.Values.global.proxy.logLevel }} + {{- end}} + {{- if $.Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ $.Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} + {{- end}} env: - name: POD_NAME valueFrom: @@ -399,6 +427,7 @@ spec: chart: {{ template "mixer.chart" $ }} heritage: {{ $.Release.Service }} release: {{ $.Release.Name }} + security.istio.io/tlsMode: "istio" istio: mixer istio-mixer-type: {{ $key }} annotations: diff --git a/staging/istio/charts/mixer/values.yaml b/staging/istio/charts/mixer/values.yaml index 4d9452356..d335c36c3 100644 --- a/staging/istio/charts/mixer/values.yaml +++ b/staging/istio/charts/mixer/values.yaml 
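Review bot: The new `POD_NAMESPACE` entry in the mixer container is placed inside the existing `{{- if .Values.env }}` block (hunks `@@ -78` and `@@ -264`), so a user who sets `env: {}` in values silently loses the variable together with the `env:` key itself. If mixer needs its namespace unconditionally, the `env:` key and the `POD_NAMESPACE` item should sit outside the guard and only the `range` should remain inside it; since `range` over an empty map emits nothing, the `if` can then go entirely. The enclosing container spec starts above the hunk.
```yaml
        env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
        {{- range $key, $val := .Values.env }}
          - name: {{ $key }}
            value: "{{ $val }}"
        {{- end }}
        # … unchanged: remaining container fields …
```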
@@ -4,7 +4,6 @@ image: mixer env: - GODEBUG: gctrace=1 # max procs should be ceil(cpu limit + 1) GOMAXPROCS: "6" diff --git a/staging/istio/charts/pilot/Chart.yaml b/staging/istio/charts/pilot/Chart.yaml index 1647d10f8..f9818b4ea 100644 --- a/staging/istio/charts/pilot/Chart.yaml +++ b/staging/istio/charts/pilot/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: pilot -version: 1.3.3 -appVersion: 1.3.3 +version: 1.4.3 +appVersion: 1.4.3 tillerVersion: ">=2.7.2" description: Helm chart for pilot deployment keywords: diff --git a/staging/istio/charts/pilot/templates/clusterrole.yaml b/staging/istio/charts/pilot/templates/clusterrole.yaml index 0435c3ebd..83af8fb06 100644 --- a/staging/istio/charts/pilot/templates/clusterrole.yaml +++ b/staging/istio/charts/pilot/templates/clusterrole.yaml @@ -14,6 +14,9 @@ rules: - apiGroups: ["rbac.istio.io"] resources: ["*"] verbs: ["get", "watch", "list"] +- apiGroups: ["security.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] - apiGroups: ["networking.istio.io"] resources: ["*"] verbs: ["*"] @@ -30,5 +33,14 @@ rules: resources: ["configmaps"] verbs: ["create", "get", "list", "watch", "update"] - apiGroups: [""] - resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] + resources: ["endpoints", "pods", "services", "namespaces", "nodes"] verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "watch", "list", "update", "delete"] +- apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete"] diff --git a/staging/istio/charts/pilot/templates/configmap.yaml b/staging/istio/charts/pilot/templates/configmap.yaml new file mode 100644 index 000000000..3fe514395 --- /dev/null +++ b/staging/istio/charts/pilot/templates/configmap.yaml 
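Review bot: The second hunk of pilot/templates/clusterrole.yaml gives the pilot service account `create`, `update` and `delete` on `secrets` in every namespace plus `create`/`update`/`delete` on `certificatesigningrequests` and `certificatesigningrequests/approval`; together these let the account mint and store credentials for any identity in the cluster, a large step up from the previous read-only `secrets` access. This is presumably needed by a 1.4 certificate-provisioning feature, but nothing in the hunk says so or gates it. A comment naming the feature above the new rules, and an `{{- if }}` on the value that enables that feature so installs that do not use it keep the narrower role, would limit the blast radius of a compromised pilot pod.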
@@ -0,0 +1,14 @@ +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-jwks-extra-cacerts + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} diff --git a/staging/istio/charts/pilot/templates/deployment.yaml b/staging/istio/charts/pilot/templates/deployment.yaml index e43ea7d9d..093bc06a9 100644 --- a/staging/istio/charts/pilot/templates/deployment.yaml +++ b/staging/istio/charts/pilot/templates/deployment.yaml @@ -10,8 +10,6 @@ metadata: heritage: {{ .Release.Service }} release: {{ .Release.Name }} istio: pilot - annotations: - checksum/config-volume: {{ template "istio.configmap.checksum" . }} spec: {{- if not .Values.autoscaleEnabled }} {{- if .Values.replicaCount }} @@ -37,6 +35,9 @@ spec: istio: pilot annotations: sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} spec: serviceAccountName: istio-pilot-service-account {{- if .Values.global.priorityClassName }} @@ -85,7 +86,7 @@ spec: path: /ready port: 8080 initialDelaySeconds: 5 - periodSeconds: 30 + periodSeconds: 5 timeoutSeconds: 5 env: - name: POD_NAME @@ -124,6 +125,10 @@ spec: - name: istio-certs mountPath: /etc/certs readOnly: true +{{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts +{{- end }} {{- if .Values.sidecar }} - name: istio-proxy {{- if contains "/" .Values.global.proxy.image }} 
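Review bot: The new `extracacerts` ConfigMap mount in pilot/templates/deployment.yaml (hunks `@@ -124` and `@@ -211`) has no matching checksum annotation on the pod template, so changing `jwksResolverExtraRootCA` on upgrade rewrites the ConfigMap but does not roll the pilot pods; unless pilot re-reads /cacerts at runtime (not visible here) the previous trust roots stay in effect. Adding `checksum/jwks-extra-cacerts: {{ .Values.jwksResolverExtraRootCA | sha256sum }}` next to `sidecar.istio.io/inject: "false"` in the template annotations (hunk `@@ -37`) fixes that. The `checksum/config-volume` annotation removed by the first hunk sat on the Deployment's own metadata rather than the pod template, so its removal does not change rollout behaviour either way.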
@@ -155,6 +160,15 @@ spec: {{- if .Values.global.trustDomain }} - --trust-domain={{ .Values.global.trustDomain }} {{- end }} + {{- if $.Values.global.proxy.logLevel }} + - --proxyLogLevel={{ $.Values.global.proxy.logLevel }} + {{- end}} + {{- if $.Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ $.Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} + {{- end}} env: - name: POD_NAME valueFrom: @@ -211,6 +225,11 @@ spec: secret: secretName: istio.istio-pilot-service-account optional: true +{{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: istio-jwks-extra-cacerts +{{- end }} affinity: {{- include "nodeaffinity" . | indent 6 }} {{- include "podAntiAffinity" . | indent 6 }} diff --git a/staging/istio/charts/pilot/values.yaml b/staging/istio/charts/pilot/values.yaml index 58e2a0357..0d37ec59c 100644 --- a/staging/istio/charts/pilot/values.yaml +++ b/staging/istio/charts/pilot/values.yaml @@ -23,11 +23,11 @@ resources: memory: 2048Mi env: PILOT_PUSH_THROTTLE: 100 - GODEBUG: gctrace=1 cpu: targetAverageUtilization: 80 nodeSelector: {} tolerations: [] +podAnnotations: {} # Specify the pod anti-affinity that allows you to constrain which nodes # your pod is eligible to be scheduled based on labels on pods that are @@ -54,3 +54,10 @@ podAntiAffinityTermLabelSelector: [] # to a pilot. It balances out load across pilot instances at the cost of # increasing system churn. keepaliveMaxServerConnectionAge: 30m + +# This is used to set the source of configuration for +# the associated address in configSource, if nothing is specificed +# the default MCP is assumed. The alternative option is SERVICE_REGISTRY +# which describes the source is only forwarding synthetic service entries +configSource: + subscribedResources: 
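Review bot: `subscribedResources:` at the end of the pilot values.yaml hunk has no value, which YAML reads as `null` rather than the empty list the comment above it describes; any template that ranges over it or checks its length (not visible here) will see a nil. Write it as `subscribedResources: []` so the default is explicit, and fix the typo `specificed` in the comment. The comment also names `SERVICE_REGISTRY` as the alternative, but no key under `configSource` shown here takes that value, so the wording should be checked against the consuming template.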
diff --git a/staging/istio/charts/prometheus/Chart.yaml b/staging/istio/charts/prometheus/Chart.yaml
index 3858cb90f..e4576a8ff 100644
--- a/staging/istio/charts/prometheus/Chart.yaml
+++ b/staging/istio/charts/prometheus/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 description: A Helm chart for Kubernetes
 name: prometheus
-version: 1.3.3
-appVersion: 1.3.3
+version: 1.4.3
+appVersion: 2.8.0
 tillerVersion: ">=2.7.2"
diff --git a/staging/istio/charts/security/Chart.yaml b/staging/istio/charts/security/Chart.yaml
index 2021f7252..1b0d7795c 100644
--- a/staging/istio/charts/security/Chart.yaml
+++ b/staging/istio/charts/security/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: security
-version: 1.3.3
-appVersion: 1.3.3
+version: 1.4.3
+appVersion: 1.4.3
 tillerVersion: ">=2.7.2"
 description: Helm chart for istio authentication
 keywords:
diff --git a/staging/istio/charts/security/templates/create-custom-resources-job.yaml b/staging/istio/charts/security/templates/create-custom-resources-job.yaml
index 0294e5b08..8d321ac05 100644
--- a/staging/istio/charts/security/templates/create-custom-resources-job.yaml
+++ b/staging/istio/charts/security/templates/create-custom-resources-job.yaml
@@ -16,7 +16,7 @@ metadata:
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: istio-security-post-install-{{ .Release.Namespace }}
@@ -39,7 +39,7 @@ rules:
 resources: ["deployments", "replicasets"]
 verbs: ["get", "list", "watch"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: istio-security-post-install-role-binding-{{ .Release.Namespace }}
@@ -63,7 +63,7 @@ metadata: name: istio-security-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }} namespace: {{ .Release.Namespace }} annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation labels: app: {{ template "security.name" . }} @@ -79,6 +79,8 @@ spec: chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-security-post-install-account containers: diff --git a/staging/istio/charts/security/templates/deployment.yaml b/staging/istio/charts/security/templates/deployment.yaml index c82be3fe5..7d35ca166 100644 --- a/staging/istio/charts/security/templates/deployment.yaml +++ b/staging/istio/charts/security/templates/deployment.yaml @@ -29,6 +29,9 @@ spec: istio: citadel annotations: sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} spec: serviceAccountName: istio-citadel-service-account {{- if .Values.global.priorityClassName }} @@ -74,6 +77,12 @@ spec: env: - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT value: "{{ .Values.enableNamespacesByDefault }}" + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + {{- end }} {{- if .Values.citadelHealthCheck }} livenessProbe: exec: diff --git a/staging/istio/charts/security/templates/job.yaml b/staging/istio/charts/security/templates/job.yaml index d197ba912..a8c2e50c8 100644 --- a/staging/istio/charts/security/templates/job.yaml +++ b/staging/istio/charts/security/templates/job.yaml @@ -1,7 +1,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: label-ns + name: label-ns-{{ .Values.global.tag | printf "%v" | trunc 32 }} namespace: {{ .Release.Namespace }} labels: release: {{ .Release.Name }} 
@@ -18,5 +18,5 @@ spec:
- name: ns-labeler
image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- command: ["kubectl", "label", "ns", {{ .Release.Namespace }}, "ca.istio.io/override=true"]
+ command: ["kubectl", "label", "ns", {{ .Release.Namespace }}, "ca.istio.io/override=true", "--overwrite=true"]
restartPolicy: OnFailure
diff --git a/staging/istio/charts/security/templates/poddisruptionbudget.yaml b/staging/istio/charts/security/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..b6944e026
--- /dev/null
+++ b/staging/istio/charts/security/templates/poddisruptionbudget.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-citadel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: citadel
+spec:
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+ selector:
+ matchLabels:
+ app: {{ template "security.name" . }}
+ release: {{ .Release.Name }}
+ istio: citadel
+{{- end }}
diff --git a/staging/istio/charts/security/values.yaml b/staging/istio/charts/security/values.yaml
index 17c498102..7e9119bb7 100644
--- a/staging/istio/charts/security/values.yaml
+++ b/staging/istio/charts/security/values.yaml
@@ -10,6 +10,8 @@ selfSigned: true # indicate if self-signed CA is used.
createMeshPolicy: true
nodeSelector: {}
tolerations: []
+podAnnotations: {}
+
# Enable health checking on the Citadel CSR signing API.
# https://istio.io/docs/tasks/security/health-check/
citadelHealthCheck: false
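Review bot: In the new poddisruptionbudget.yaml the inner `{{- if .Values.global.defaultPodDisruptionBudget.enabled }}` wrapped around the `include` can never be false, because the whole file is already guarded by the same condition on its first line; drop the inner `{{- if }}`/`{{- end }}` and leave `{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}` directly under `spec:`. The `matchLabels` (`app`, `release`, `istio: citadel`) must stay in step with the Citadel Deployment's pod labels or the budget silently matches nothing; a one-line comment `# must match the pod labels in deployment.yaml` above `selector:` would make that coupling visible.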
@@ -20,6 +22,8 @@ rootCert: /etc/cacerts/root-cert.pem
certChain: /etc/cacerts/cert-chain.pem
workloadCertTtl: 2160h
+# Environment variables that configure Citadel.
+env: {}
# Determines Citadel default behavior if the ca.istio.io/env or ca.istio.io/override
# labels are not found on a given namespace.
diff --git a/staging/istio/charts/sidecarInjectorWebhook/Chart.yaml b/staging/istio/charts/sidecarInjectorWebhook/Chart.yaml
index 6a9d52d08..fc4035ecc 100644
--- a/staging/istio/charts/sidecarInjectorWebhook/Chart.yaml
+++ b/staging/istio/charts/sidecarInjectorWebhook/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
name: sidecarInjectorWebhook
-version: 1.3.3
-appVersion: 1.3.3
+version: 1.4.3
+appVersion: 1.4.3
tillerVersion: ">=2.7.2"
description: Helm chart for sidecar injector webhook deployment
keywords:
diff --git a/staging/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml b/staging/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
index 27f9acb51..c56c7025c 100644
--- a/staging/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
+++ b/staging/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
@@ -12,6 +12,8 @@ rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
+{{- if not .Values.global.operatorManageWebhooks }}
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
+{{- end }}
diff --git a/staging/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml b/staging/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
index abbb93d39..6986ce630 100644
--- a/staging/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
+++ b/staging/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
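Review bot: The `patch` verb on `mutatingwebhookconfigurations` in the clusterrole hunk is still cluster-wide (no `resourceNames`), so the injector's service account can rewrite any mutating webhook in the cluster, not only its own; a compromised injector pod could redirect other admission webhooks. Split the rule: keep `list`/`watch` unscoped (RBAC cannot restrict those by name) and put `get`/`patch` in a second rule with `resourceNames: ["<injector MutatingWebhookConfiguration name>"]` — the webhook's metadata.name is not visible in this hunk. Gating the whole rule on `operatorManageWebhooks` is a good least-privilege step, since with the operator owning the config the injector needs none of these verbs.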
@@ -28,6 +28,9 @@ spec:
istio: sidecar-injector
annotations:
sidecar.istio.io/inject: "false"
+ {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
spec:
serviceAccountName: istio-sidecar-injector-service-account
{{- if .Values.global.priorityClassName }}
@@ -49,6 +52,11 @@ spec:
- --meshConfig=/etc/istio/config/mesh
- --healthCheckInterval=2s
- --healthCheckFile=/health
+{{- if .Values.global.operatorManageWebhooks }}
+ - --reconcileWebhookConfig=false
+{{- else }}
+ - --reconcileWebhookConfig=true
+{{- end }}
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
@@ -89,7 +97,11 @@ spec:
name: istio
- name: certs
secret:
+{{- if .Values.global.certificates }}
+ secretName: dns.istio-sidecar-injector-service-account
+{{- else }}
secretName: istio.istio-sidecar-injector-service-account
+{{- end }}
- name: inject-config
configMap:
name: istio-sidecar-injector
diff --git a/staging/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml b/staging/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
index a30dd38e5..4a31415f2 100644
--- a/staging/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
+++ b/staging/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
@@ -36,4 +37,4 @@ webhooks:
matchLabels:
istio-injection: enabled
{{- end }}
-
+{{- end }}
diff --git a/staging/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml b/staging/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml
index 51fb3fc3e..870b92508 100644
--- a/staging/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml
+++ b/staging/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml
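Review bot: In the certs volume hunk, `{{- if .Values.global.certificates }}` switches to `dns.istio-sidecar-injector-service-account` whenever the list is merely non-empty, but nothing checks that an entry with that secretName exists; a `global.certificates` that only lists the Galley secret leaves the injector pod pending on a missing secret and, since the injector is the webhook backend, stalls all pod creation in injection-enabled namespaces. Either range over the list and switch only when an entry has `secretName: dns.istio-sidecar-injector-service-account`, or put a template comment at the branch: `{{- /* global.certificates must include dns.istio-sidecar-injector-service-account or this mount fails */ -}}`. Tying `--reconcileWebhookConfig` to the same `operatorManageWebhooks` flag as the RBAC and the MutatingWebhookConfiguration is consistent.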
@@ -15,4 +15,4 @@ spec:
app: {{ template "sidecar-injector.name" . }}
release: {{ .Release.Name }}
istio: sidecar-injector
- {{- end }}
\ No newline at end of file
+ {{- end }}
diff --git a/staging/istio/charts/sidecarInjectorWebhook/values.yaml b/staging/istio/charts/sidecarInjectorWebhook/values.yaml
index 31980ac19..84cbb7453 100644
--- a/staging/istio/charts/sidecarInjectorWebhook/values.yaml
+++ b/staging/istio/charts/sidecarInjectorWebhook/values.yaml
@@ -9,6 +9,7 @@ image: sidecar_injector
enableNamespacesByDefault: false
nodeSelector: {}
tolerations: []
+podAnnotations: {}
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
@@ -41,4 +42,18 @@ rewriteAppHTTPProbe: false
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
neverInjectSelector: []
-alwaysInjectSelector: []
\ No newline at end of file
+alwaysInjectSelector: []
+
+# injectedAnnotations are additional annotations that will be added to the pod spec after injection
+# This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+#
+# annotations:
+# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+#
+# The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+# the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+# injectedAnnotations:
+# container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+# container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+injectedAnnotations: {}
diff --git a/staging/istio/charts/tracing/Chart.yaml b/staging/istio/charts/tracing/Chart.yaml
index 4fb081ac5..fbcb23b60 100644
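Review bot: The AppArmor example under `injectedAnnotations` only names `istio-init` and `istio-proxy`; when `global.proxy.enableCoreDump` adds its extra init container (present in the inj­ection template elsewhere in this change, name not visible here) that container gets no `container.apparmor.security.beta.kubernetes.io/<name>` key, so a PSP with `allowedProfileNames` would presumably reject the pod. Add to the comment: `# one key per injected container is required; keys are matched literally against container names, and a misspelt name leaves that container unconfined rather than failing.` Since these annotations are stamped onto every injected pod, treat this map as cluster-wide policy rather than a convenience.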
--- a/staging/istio/charts/tracing/Chart.yaml
+++ b/staging/istio/charts/tracing/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: tracing
-version: 1.3.3
+version: 1.4.3
appVersion: 1.5.1
tillerVersion: ">=2.7.2"
diff --git a/staging/istio/charts/tracing/templates/deployment-jaeger.yaml b/staging/istio/charts/tracing/templates/deployment-jaeger.yaml
index cc7f8999e..916c25c7d 100644
--- a/staging/istio/charts/tracing/templates/deployment-jaeger.yaml
+++ b/staging/istio/charts/tracing/templates/deployment-jaeger.yaml
@@ -24,11 +24,9 @@ spec:
annotations:
sidecar.istio.io/inject: "false"
prometheus.io/scrape: "true"
- prometheus.io/port: "16686"
-{{- if .Values.contextPath }}
- prometheus.io/path: "{{ .Values.contextPath }}/metrics"
-{{- else }}
- prometheus.io/path: "/{{ .Values.provider }}/metrics"
+ prometheus.io/port: "14269"
+{{- if .Values.jaeger.podAnnotations }}
+{{ toYaml .Values.jaeger.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.global.priorityClassName }}
@@ -47,6 +45,10 @@ spec:
ports:
- containerPort: 9411
- containerPort: 16686
+ - containerPort: 14250
+ - containerPort: 14267
+ - containerPort: 14268
+ - containerPort: 14269
- containerPort: 5775
protocol: UDP
- containerPort: 6831
@@ -78,11 +80,11 @@ spec:
livenessProbe:
httpGet:
path: /
- port: 16686
+ port: 14269
readinessProbe:
httpGet:
path: /
- port: 16686
+ port: 14269
{{- if eq .Values.jaeger.spanStorageType "badger" }}
volumeMounts:
- name: data
diff --git a/staging/istio/charts/tracing/templates/deployment-zipkin.yaml b/staging/istio/charts/tracing/templates/deployment-zipkin.yaml
index 04dfbb033..da779bf45 100644
--- a/staging/istio/charts/tracing/templates/deployment-zipkin.yaml
+++ b/staging/istio/charts/tracing/templates/deployment-zipkin.yaml
@@ -24,6 +24,9 @@ spec:
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
+{{- if .Values.zipkin.podAnnotations }}
+{{ toYaml .Values.zipkin.podAnnotations | indent 8 }}
+{{- end }}
spec:
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
diff --git a/staging/istio/charts/tracing/templates/service-jaeger.yaml b/staging/istio/charts/tracing/templates/service-jaeger.yaml
index 23979baf8..38c4170b1 100644
--- a/staging/istio/charts/tracing/templates/service-jaeger.yaml
+++ b/staging/istio/charts/tracing/templates/service-jaeger.yaml
@@ -55,6 +55,10 @@ items:
port: 14268
targetPort: 14268
protocol: TCP
+ - name: jaeger-collector-grpc
+ port: 14250
+ targetPort: 14250
+ protocol: TCP
selector:
app: jaeger
type: ClusterIP
diff --git a/staging/istio/charts/tracing/templates/service.yaml b/staging/istio/charts/tracing/templates/service.yaml
index fe94067b0..798829793 100644
--- a/staging/istio/charts/tracing/templates/service.yaml
+++ b/staging/istio/charts/tracing/templates/service.yaml
@@ -20,10 +20,9 @@ items:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
- type: {{ .Values.service.type }}
ports:
- - port: {{ .Values.service.externalPort }}
- targetPort: 9411
+ - port: {{ .Values.zipkin.queryPort }}
+ targetPort: {{ .Values.zipkin.queryPort }}
protocol: TCP
name: {{ .Values.service.name }}
selector:
@@ -43,14 +42,15 @@ items:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
+ type: {{ .Values.service.type }}
ports:
- name: http-query
- port: 80
+ port: {{ .Values.service.externalPort }}
protocol: TCP
{{ if eq .Values.provider "jaeger" }}
targetPort: 16686
{{ else }}
- targetPort: 9411
+ targetPort: {{ .Values.zipkin.queryPort }}
{{ end}}
selector:
app: {{ .Values.provider }}
diff --git a/staging/istio/charts/tracing/values.yaml b/staging/istio/charts/tracing/values.yaml
index f0d386f6f..16017c13f 100644
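Review bot: Moving `type: {{ .Values.service.type }}` from the 9411 span-collector Service to the query Service changes what an existing `service.type: LoadBalancer` or `NodePort` override publishes: after the upgrade it is the unauthenticated Jaeger/Zipkin query UI (now on `service.externalPort`) that receives the external listener, while the collector silently drops back to ClusterIP. Operators who set `service.type` to expose the collector will have the UI exposed instead without any warning; add a values comment such as `# service.type applies to the tracing query UI, not to the 9411 span collector` and call it out in the README upgrade notes. The new `jaeger-collector-grpc` 14250 port stays ClusterIP-only, which is the right default for a collector with no authentication.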
--- a/staging/istio/charts/tracing/values.yaml
+++ b/staging/istio/charts/tracing/values.yaml
@@ -31,7 +31,8 @@ podAntiAffinityTermLabelSelector: []
jaeger:
hub: docker.io/jaegertracing
image: all-in-one
- tag: 1.12
+ tag: 1.14
+ podAnnotations: {}
memory:
max_traces: 50000
# spanStorageType value can be "memory" and "badger" for all-in-one image
@@ -40,10 +41,12 @@ jaeger:
storageClassName: ""
accessMode: ReadWriteMany
+
zipkin:
hub: docker.io/openzipkin
image: zipkin
tag: 2.14.2
+ podAnnotations: {}
probeStartupDelay: 200
queryPort: 9411
resources:
@@ -66,7 +69,7 @@ service:
annotations: {}
name: http
type: ClusterIP
- externalPort: 9411
+ externalPort: 80
ingress:
enabled: false
diff --git a/staging/istio/files/injection-template.yaml b/staging/istio/files/injection-template.yaml
index 49395a181..b8da3237f 100644
--- a/staging/istio/files/injection-template.yaml
+++ b/staging/istio/files/injection-template.yaml
@@ -9,7 +9,8 @@ initContainers:
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
- args:
+ command:
+ - istio-iptables
- "-p"
- "15001"
- "-z"
@@ -42,14 +43,18 @@ initContainers:
resources: {}
{{- end }}
securityContext:
- runAsUser: 0
- runAsNonRoot: false
+ allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
add:
- NET_ADMIN
- {{- if .Values.global.proxy.privileged }}
- privileged: true
- {{- end }}
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: {{ .Values.global.proxy.privileged }}
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
restartPolicy: Always
{{- end }}
{{ end -}}
@@ -64,9 +69,17 @@ initContainers:
imagePullPolicy: IfNotPresent
resources: {}
securityContext:
- runAsUser: 0
- runAsNonRoot: false
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - SYS_ADMIN
+ drop:
+ - ALL
privileged: true
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
{{ end }}
{{- end }}
containers:
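Review bot: In the core-dump init container (last hunk), `privileged: true` already grants every capability, so the new `capabilities: add: [SYS_ADMIN] drop: [ALL]` block documents intent but is not enforced — a reader will assume the container is confined to SYS_ADMIN when it is not. Add a comment above it, `# privileged: true overrides the capability list; it is kept for PSP matching and readability only`, or drop the list to avoid the false signal. For the istio-init container, tying `allowPrivilegeEscalation` and `privileged` to the same value is required (Kubernetes rejects `privileged: true` together with `allowPrivilegeEscalation: false`), and `drop: ALL` plus only NET_ADMIN/NET_RAW is the right shape for a root iptables container; what the core-dump container runs is outside this hunk.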
@@ -131,12 +144,12 @@ containers:
- "{{ .ProxyConfig.StatsdUdpAddress }}"
{{- end }}
{{- if .Values.global.proxy.envoyMetricsService.enabled }}
- - --envoyMetricsServiceAddress
- - "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}"
+ - --envoyMetricsService
+ - '{{ protoToJSON .ProxyConfig.EnvoyMetricsService }}'
{{- end }}
{{- if .Values.global.proxy.envoyAccessLogService.enabled }}
- --envoyAccessLogService
- - '{{ structToJSON .ProxyConfig.EnvoyAccessLogService }}'
+ - '{{ protoToJSON .ProxyConfig.EnvoyAccessLogService }}'
{{- end }}
- --proxyAdminPort
- "{{ .ProxyConfig.ProxyAdminPort }}"
@@ -146,7 +159,7 @@ containers:
{{ end -}}
- --controlPlaneAuthPolicy
- "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}"
-{{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }}
+{{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" (valueOrDefault .Values.global.proxy.statusPort 0 )) `0`) }}
- --statusPort
- "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}"
- --applicationPorts
@@ -154,6 +167,10 @@ containers:
{{- end }}
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
+{{- end }}
+{{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
{{- end }}
env:
- name: POD_NAME
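Review bot: If `{{ toYaml .Values.global.proxy.lifecycle | indent 4 }}` is preceded by the template's own leading whitespace (the exact indentation is not recoverable from this view), the first rendered line of the map ends up deeper than the following ones and `preStop`/`postStart` would not nest under `lifecycle:`, producing an invalid or silently wrong container spec. Follow the convention the rest of this change uses for `podAnnotations` and place the directive at column 0, `{{ toYaml .Values.global.proxy.lifecycle | indent 4 }}`, or use `nindent` if the chart's minimum Helm version has it. A `helm template` run with a non-empty `global.proxy.lifecycle` would confirm either way. The container definition continues outside this hunk.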
@@ -163,14 +180,18 @@ containers:
- name: ISTIO_META_POD_PORTS
value: |-
[
+ {{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
- {{if or (ne $index1 0) (ne $index2 0)}},{{end}}{{ structToJSON $p }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_CLUSTER_ID
- value: "{{ valueOrDefault .Values.global.multicluster.clusterName `Kubernetes` }}"
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: POD_NAMESPACE
valueFrom:
fieldRef:
@@ -183,6 +204,10 @@ containers:
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
+ {{- if .Values.global.mtls.auto }}
+ - name: ISTIO_AUTO_MTLS_ENABLED
+ value: "true"
+ {{- end }}
{{- if eq .Values.global.proxy.tracer "datadog" }}
- name: HOST_IP
valueFrom:
@@ -229,7 +254,7 @@ containers:
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
- value: kubernetes://api/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
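Review bot: The rename from `.Values.global.multicluster.clusterName` to `.Values.global.multiCluster.clusterName` in the ISTIO_META_CLUSTER_ID hunk is a silent behaviour change: Helm does not fail on unknown keys, so an existing override that still spells `multicluster` is ignored and every sidecar reports `Kubernetes` as its cluster ID, mis-attributing workloads in a multi-cluster mesh. Either fail loudly, `{{- if .Values.global.multicluster }}{{ fail "global.multicluster was renamed to global.multiCluster" }}{{- end }}`, or note the rename in the README upgrade section. Separately, `kubernetes://apis/{{ .TypeMeta.APIVersion }}` is right for group APIs like `apps/v1`, but the core group (`v1`) is served under `/api/`, so bare Pods or ReplicationControllers would get an owner URL that does not resolve — hedged, since the consumers of ISTIO_META_OWNER are not visible here.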
@@ -246,8 +271,26 @@ containers:
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.trustDomain }}"
{{- end }}
+ {{- if eq .Values.global.proxy.tracer "stackdriver" }}
+ - name: STACKDRIVER_TRACING_ENABLED
+ value: "true"
+ - name: STACKDRIVER_TRACING_DEBUG
+ value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetDebug }}"
+ {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations }}
+ - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS
+ value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations }}"
+ {{- end }}
+ {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes }}
+ - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES
+ value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes }}"
+ {{- end }}
+ {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents }}
+ - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS
+ value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents }}"
+ {{- end }}
+ {{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+ {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` (valueOrDefault .Values.global.proxy.statusPort 0 )) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
@@ -257,21 +300,22 @@ containers:
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
- {{- if .Values.global.proxy.privileged }}
- privileged: true
- {{- end }}
- {{- if ne .Values.global.proxy.enableCoreDump true }}
- readOnlyRootFilesystem: true
- {{- end }}
- {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+ allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
+ {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
add:
- NET_ADMIN
+ {{- end }}
+ drop:
+ - ALL
+ privileged: {{ .Values.global.proxy.privileged }}
+ readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
runAsGroup: 1337
- {{ else -}}
- {{ if .Values.global.sds.enabled }}
- runAsGroup: 1337
- {{- end }}
+ {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+ runAsNonRoot: false
+ runAsUser: 0
+ {{- else -}}
+ runAsNonRoot: true
runAsUser: 1337
{{- end }}
resources:
diff --git a/staging/istio/templates/_helpers.tpl b/staging/istio/templates/_helpers.tpl
index f79bea415..b1f54a4e2 100644
--- a/staging/istio/templates/_helpers.tpl
+++ b/staging/istio/templates/_helpers.tpl
@@ -37,10 +37,3 @@ Create a fully qualified configmap name.
{{- define "istio.configmap.fullname" -}}
{{- printf "%s-%s" .Release.Name "istio-mesh-config" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
-
-{{/*
-Configmap checksum.
-*/}}
-{{- define "istio.configmap.checksum" -}}
-{{- print $.Template.BasePath "/configmap.yaml" | sha256sum -}}
-{{- end -}}
diff --git a/staging/istio/templates/configmap.yaml b/staging/istio/templates/configmap.yaml
index 063f2aa76..e260cbb7f 100644
--- a/staging/istio/templates/configmap.yaml
+++ b/staging/istio/templates/configmap.yaml
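Review bot: In the TPROXY branch the sidecar now runs as `runAsUser: 0` with `NET_ADMIN` added, and that branch is selected by the per-pod `sidecar.istio.io/interceptionMode` annotation, so anyone who can create a pod in an injection-enabled namespace can obtain a root + NET_ADMIN container without any cluster-admin decision. Make the trust boundary explicit with a comment at the branch: `# TPROXY runs the proxy as root with NET_ADMIN; gate the interceptionMode annotation with admission policy (PSP/OPA) where workload owners are not trusted.` The rest is sound — `drop: ALL`, `allowPrivilegeEscalation` and `privileged` bound to one value, and `runAsNonRoot: true` in the REDIRECT path — though when `global.proxy.privileged` is true the capability list is moot. Dropping the `sds.enabled` special case means `runAsGroup: 1337` is now unconditional; worth a changelog line so operators with GID-based policies are not surprised.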
@@ -11,14 +11,16 @@ metadata: release: {{ .Release.Name }} data: mesh: |- - # Set the following variable to true to disable policy checks by the Mixer. - # Note that metrics will still be reported to the Mixer. + # Set the following variable to true to disable policy checks by Mixer. + # Note that metrics will still be reported to Mixer. {{- if .Values.mixer.policy.enabled }} disablePolicyChecks: {{ .Values.global.disablePolicyChecks }} {{- else }} disablePolicyChecks: true {{- end }} + disableMixerHttpReports: false + {{- if .Values.mixer.telemetry.reportBatchMaxEntries }} # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server reportBatchMaxEntries: {{ .Values.mixer.telemetry.reportBatchMaxEntries }} @@ -53,7 +55,7 @@ data: enableEnvoyAccessLogService: {{ .Values.global.proxy.envoyAccessLogService.enabled }} {{- if .Values.global.istioRemote }} - + {{- if .Values.global.remotePolicyAddress }} {{- if .Values.global.createRemoteSvcEndpoints }} mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004 @@ -68,7 +70,7 @@ data: mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004 {{- end }} {{- end }} - + {{- else }} {{- if .Values.mixer.policy.enabled }} @@ -85,7 +87,7 @@ data: mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091 {{- end }} {{- end }} - + {{- end }} {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }} 
@@ -124,6 +126,22 @@ data:
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: {{ .Values.global.trustDomain | quote }}
+ # The trust domain aliases represent the aliases of trust_domain.
+ # For example, if we have
+ # trustDomain: td1
+ # trustDomainAliases: [“td2”, "td3"]
+ # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
+ # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
+ trustDomainAliases:
+ {{- range .Values.global.trustDomainAliases }}
+ - {{ . | quote }}
+ {{- end }}
+
+ # If true, automatically configure client side mTLS settings to match the corresponding service's
+ # server side mTLS authentication policy, when destination rule for that service does not specify
+ # TLS settings.
+ enableAutoMtls: {{ .Values.global.mtls.auto }}
+
# Set the default behavior of the sidecar for handling outbound traffic from the application:
# ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
# services or ServiceEntries for the destination port
@@ -144,6 +162,10 @@ data:
rootNamespace: {{ .Release.Namespace }}
{{- end }}
+ # Configures DNS certificates provisioned through Chiron linked into Pilot.
+ certificates:
+{{ toYaml .Values.global.certificates | trim | indent 6 }}
+
{{- if .Values.global.defaultConfigVisibilitySettings }}
defaultServiceExportTo:
{{- range .Values.global.defaultConfigVisibilitySettings }}
@@ -162,6 +184,10 @@ data:
{{- if $.Values.global.useMCP }}
configSources:
- address: istio-galley.{{ $.Release.Namespace }}.svc:9901
+ {{- if .Values.pilot.configSource.subscribedResources }}
+ subscribedResources:
+ - {{ .Values.pilot.configSource.subscribedResources }}
+ {{- end}}
{{- if $.Values.global.controlPlaneSecurityEnabled}}
tlsSettings:
mode: ISTIO_MUTUAL
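Review bot: In the configSources hunk, `subscribedResources:` is rendered as a single list item `- {{ .Values.pilot.configSource.subscribedResources }}`, so if the value is itself a list (as the plural name suggests; the pilot values are outside this view) the mesh config gets one item holding Go's rendered slice text rather than one entry per resource, and Pilot would subscribe to nothing useful. Render it with `{{- range .Values.pilot.configSource.subscribedResources }}` / `- {{ . }}` / `{{- end }}`. For the `trustDomainAliases` block earlier in the section, the comment should also state that aliased domains are treated as the same identity for authentication and authorization, so an alias must only be added for domains whose CA is trusted as much as the mesh's own.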
@@ -253,20 +279,28 @@ data: # Envoy's Metrics Service stats sink pushes Envoy metrics to a remote collector via the Metrics Service gRPC API. envoyMetricsService: address: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }} + {{- if .Values.global.proxy.envoyMetricsService.tlsSettings }} + tlsSettings: +{{ toYaml .Values.global.proxy.envoyMetricsService.tlsSettings | trim | indent 10 }} {{- end}} - + {{- if .Values.global.proxy.envoyMetricsService.tcpKeepalive }} + tcpKeepalive: +{{ toYaml .Values.global.proxy.envoyMetricsService.tcpKeepalive | trim | indent 10 }} + {{- end}} + {{- end}} + {{- if .Values.global.proxy.envoyAccessLogService.enabled }} # # Envoy's AccessLog Service pushes access logs to a remote collector via the Access Log Service gRPC API. envoyAccessLogService: address: {{ .Values.global.proxy.envoyAccessLogService.host }}:{{ .Values.global.proxy.envoyAccessLogService.port }} {{- if .Values.global.proxy.envoyAccessLogService.tlsSettings }} - tlsSettings: -{{ toYaml .Values.global.proxy.envoyAccessLogService.tlsSettings | indent 10 }} + tlsSettings: +{{ toYaml .Values.global.proxy.envoyAccessLogService.tlsSettings | trim | indent 10 }} {{- end}} {{- if .Values.global.proxy.envoyAccessLogService.tcpKeepalive }} tcpKeepalive: -{{ toYaml .Values.global.proxy.envoyAccessLogService.tcpKeepalive | indent 10 }} +{{ toYaml .Values.global.proxy.envoyAccessLogService.tcpKeepalive | trim | indent 10 }} {{- end}} {{- end}} @@ -300,7 +334,7 @@ data: meshNetworks: |- {{- if .Values.global.meshNetworks }} networks: -{{ toYaml .Values.global.meshNetworks | indent 6 }} +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} {{- else }} networks: {} {{- end }} diff --git a/staging/istio/templates/sidecar-injector-configmap.yaml b/staging/istio/templates/sidecar-injector-configmap.yaml index 135b7fbad..5cb25b9cf 100644 --- a/staging/istio/templates/sidecar-injector-configmap.yaml 
+++ b/staging/istio/templates/sidecar-injector-configmap.yaml
@@ -22,4 +22,8 @@ data:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
template: |-
{{ .Files.Get "files/injection-template.yaml" | trim | indent 6 }}
+ injectedAnnotations:
+ {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+ "{{ $key }}": "{{ $val }}"
+ {{- end }}
{{- end }}
diff --git a/staging/istio/values.yaml b/staging/istio/values.yaml
index 157a0b3f7..4f49926a9 100644
--- a/staging/istio/values.yaml
+++ b/staging/istio/values.yaml
@@ -31,7 +31,7 @@ galley:
#
# mixer configuration
#
-# @see charts/mixer/values.yaml, it takes precedence
+# @see charts/mixer/values.yaml for all values
mixer:
policy:
# if policy is enabled the global.disablePolicyChecks has affect.
@@ -82,11 +82,11 @@ istiocoredns:
global:
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
- # Daily builds from prow are on gcr.io
+ # Dev builds from prow are on gcr.io
hub: docker.io/istio
# Default tag for Istio images.
- tag: 1.3.3
+ tag: 1.4.3
# Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
# The control plane has different scopes depending on component, but can configure default log level across all components
@@ -120,6 +120,7 @@ global:
requests:
cpu: 10m
memory: 10Mi
+ # use fully qualified image names for alternate path to proxy.
image: proxyv2
# cluster domain. Default value is "cluster.local".
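Review bot: `"{{ $key }}": "{{ $val }}"` in the injectedAnnotations hunk interpolates raw strings inside double quotes, so an annotation value containing `"` or `\` (a JSON-valued annotation, for instance) or a key with those characters yields invalid YAML in the injector's config. Use `{{ $key | quote }}: {{ $val | quote }}`, which escapes for you. Because this config is consumed by the webhook that mutates every pod in injection-enabled namespaces, a bad entry here breaks injection mesh-wide rather than for a single pod, so the rendering should be made robust rather than relying on operators to pre-escape values.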
@@ -154,14 +155,14 @@ global:
# Configure envoy gRPC access log service.
envoyAccessLogService:
enabled: false
- host: # example: accesslog-service.istio-system
- port: # example: 15000
+ host: # example: accesslog-service.istio-system
+ port: # example: 15000
tlsSettings:
- mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
- clientCertificate: # example: /etc/istio/als/cert-chain.pem
- privateKey: # example: /etc/istio/als/key.pem
- caCertificates: # example: /etc/istio/als/root-cert.pem
- sni: # example: als.somedomain
+ mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+ clientCertificate: # example: /etc/istio/als/cert-chain.pem
+ privateKey: # example: /etc/istio/als/key.pem
+ caCertificates: # example: /etc/istio/als/root-cert.pem
+ sni: # example: als.somedomain
subjectAltNames: []
# - als.somedomain
tcpKeepalive:
@@ -257,16 +258,28 @@ global:
# Disabled by default.
envoyMetricsService:
enabled: false
- host: # example: metrics-service.istio-system
- port: # example: 15000
+ host: # example: metrics-service.istio-system
+ port: # example: 15000
+ tlsSettings:
+ mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+ clientCertificate: # example: /etc/istio/ms/cert-chain.pem
+ privateKey: # example: /etc/istio/ms/key.pem
+ caCertificates: # example: /etc/istio/ms/root-cert.pem
+ sni: # example: ms.somedomain
+ subjectAltNames: []
+ # - ms.somedomain
+ tcpKeepalive:
+ probes: 3
+ time: 10s
+ interval: 10s
# Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
# If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
tracer: "zipkin"
proxy_init:
- # Base name for the proxy_init container, used to configure iptables.
- image: proxy_init
+ # Base name for the istio-init container, used to configure iptables.
+ image: proxyv2
# imagePullPolicy is applied to istio control plane components.
# local tests require IfNotPresent, to avoid uploading to dockerhub.
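Review bot: The new `envoyMetricsService.tlsSettings` defaults to `mode: DISABLE`, so the moment an operator fills in `host`/`port` for an out-of-cluster collector every proxy ships its stats in cleartext; put a comment next to `mode`, e.g. `# DISABLE sends metrics in cleartext; use MUTUAL or ISTIO_MUTUAL for any collector outside the mesh`, and the access-log block above has the same gap for a far more sensitive payload. `subjectAltNames: []` under SIMPLE/MUTUAL presumably leaves the server identity unverified beyond chain validation (not visible here; confirm against Envoy's validation-context behaviour), so the `# - ms.somedomain` example should be described as recommended rather than optional. Because `mode` always has a value, the `tlsSettings` map is never empty and is always emitted into the mesh config — harmless, but the `{{- if ... tlsSettings }}` guards in the configmap template never actually skip it.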
@@ -312,12 +325,26 @@ global:
datadog:
# Host:Port for submitting traces to the Datadog agent.
address: "$(HOST_IP):8126"
+ stackdriver:
+ # enables trace output to stdout.
+ debug: false
+ # The global default max number of attributes per span.
+ maxNumberOfAttributes: 200
+ # The global default max number of annotation events per span.
+ maxNumberOfAnnotations: 200
+ # The global default max number of message events per span.
+ maxNumberOfMessageEvents: 200
# Default mtls policy. If true, mtls between services will be enabled by default.
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
+ # If set to true, and a given service does not have a corresponding DestinationRule configured,
+ # or its DestinationRule does not have TLSSettings specified, Istio configures client side
+ # TLS configuration automatically, based on the server side mTLS authentication policy and the
+ # availibity of sidecars.
+ auto: false
# Lists the secrets you need to use to pull Istio images from a private registry.
imagePullSecrets: []
@@ -364,7 +391,7 @@ global:
# NOTE: If using templates, follow the pattern in the commented example below.
# podDNSSearchNamespaces:
# - global
- # - "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global"
+ # - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
# If set to true, the pilot and citadel mtls will be exposed on the
# ingress gateway
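Review bot: The `mtls.auto` comment describes when client TLS is enabled but not the failure direction: by its own wording the decision depends on "the availability of sidecars", so a destination without a sidecar is reached in plaintext, and with `auto: true` a missing or not-yet-injected sidecar silently downgrades the connection unless a DestinationRule pins `ISTIO_MUTUAL`. Add one sentence: `# Note: destinations without a sidecar are contacted in plaintext; use an explicit DestinationRule where fail-closed mTLS is required.` Also fix the typo `availibity` → `availability`.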
@@ -423,6 +450,14 @@ global:
# else: default dns domain
trustDomain: ""
+ # The trust domain aliases represent the aliases of trust_domain.
+ # For example, if we have
+ # trustDomain: td1
+ # trustDomainAliases: [“td2”, "td3"]
+ # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
+ # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
+ trustDomainAliases: []
+
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
@@ -510,6 +545,10 @@ global:
#
meshNetworks: {}
+ # Network defines the network this cluster belong to. This name
+ # corresponds to the networks in the map of mesh networks.
+ network: ""
+
# Specifies the global locality load balancing settings.
# Locality-weighted load balancing allows administrators to control the distribution of traffic to
# endpoints based on the localities of where the traffic originates and where it will terminate.
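Review bot: The `trustDomainAliases` comment explains the effect ("treated the same in the Istio mesh") but not the risk that follows from it: an identity issued under any alias satisfies policies written for the primary domain, so whoever controls the CA for `td2` can mint identities that pass as `td1` services. Add above the key: `# Security: list only trust domains whose CA you trust as your own; every alias widens who can authenticate as your workloads.` The example also uses typographic quotes (`“td2”`), which will not parse if copied into YAML — write `"td2"`.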
@@ -538,3 +577,21 @@ global:
# This field is set to false by default, so 'helm template ...'
# will ignore the helm test yaml files when generating the template
enableHelmTest: false
+
+ # Configures DNS certificates provisioned through Chiron linked into Pilot.
+ # The DNS names in this file are all hard-coded; please ensure the namespaces
+ # in dnsNames are consistent with those of your services.
+ # Example:
+ # certificates:
+ # - secretName: dns.istio-galley-service-account
+ # dnsNames: [istio-galley.istio-system.svc, istio-galley.istio-system]
+ # - secretName: dns.istio-sidecar-injector-service-account
+ # dnsNames: [istio-sidecar-injector.istio-system.svc, istio-sidecar-injector.istio-system]
+ certificates: []
+
+ # Configure whether Operator manages webhook configurations. The current behavior
+ # of Galley and Sidecar Injector is that they manage their own webhook configurations.
+ # When this option is set as true, Istio Operator, instead of webhooks, manages the
+ # webhook configurations. When this option is set as false, webhooks manage their
+ # own webhook configurations.
+ operatorManageWebhooks: false
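Review bot: `operatorManageWebhooks: true` makes the chart emit no MutatingWebhookConfiguration and drops the injector's RBAC for it, but nothing verifies that an operator is actually installed; if it is not, injection stops silently and new pods start without a sidecar, which in a STRICT-mTLS mesh means unproxied, unauthenticated workloads rather than a visible failure. Add to the comment: `# WARNING: if true without the Istio Operator running, no injection webhook is registered and new pods get no sidecar.` For `certificates`, the comment should also say that the injector mounts `dns.istio-sidecar-injector-service-account` whenever this list is non-empty, so the two example entries must be configured together rather than individually.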