Unverified Commit 68cf4200 authored by Denise's avatar Denise Committed by GitHub

Merge pull request #152 from cbron/istio-mirror-images

Istio 1.4.300
parents f2a33b9b a3cf28cb
{{- if .Values.ingress.enabled -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: kiali
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "kiali.name" . }}
chart: {{ template "kiali.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- if .Values.ingress.hosts }}
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
backend:
serviceName: kiali
servicePort: 20001
{{- end -}}
{{- else }}
- http:
paths:
- path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
backend:
serviceName: kiali
servicePort: 20001
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
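Review bot: When `ingress.enabled` is true but `.Values.ingress.tls` is empty, the guard at L42–L45 skips the `tls:` section and the Kiali console is published over plain HTTP, which matters because the chart's default `auth.strategy` is `login`; a comment above the guard such as `# No tls section is rendered unless ingress.tls is set; with auth.strategy=login the login form is then served over plain HTTP.` makes that trade-off visible to whoever enables the ingress. The else branch at L35 emits a rule with no `host`, so an empty `hosts` list yields a catch-all rule that matches every hostname the controller serves, which also deserves a one-line comment. `apiVersion: extensions/v1beta1` on L8 is the deprecated Ingress group; `networking.k8s.io/v1beta1` has been available since Kubernetes 1.14. The file header is not shown, so this section boundary is inferred from the leading `{{- if .Values.ingress.enabled -}}`.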
apiVersion: v1
kind: ConfigMap
metadata:
name: kiali-console
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "kiali.name" . }}
chart: {{ template "kiali.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
env.js: |
window.WEB_ROOT='/k8s/clusters/{{ .Values.global.rancher.clusterId }}/api/v1/namespaces/istio-system/services/http:kiali:20001/proxy';
\ No newline at end of file
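Review bot: `env.js` on L59 hard-codes `istio-system` in the proxy path while `metadata.namespace` on L51 uses `{{ .Release.Namespace }}`, so the console's `WEB_ROOT` points at a service in a different namespace as soon as the chart is released anywhere else; use `{{ .Release.Namespace }}` in the path as well, or comment why the namespace is intentionally fixed. The `clusterId` value is interpolated straight into a single-quoted JavaScript string literal, so a value containing a quote or backslash produces broken or unintended script; it comes from values.yaml, so exposure is operator-controlled, but `{{ .Values.global.rancher.clusterId | js }}` (Go template's JavaScript escaper) makes the line robust. The `|` block scalar keeps one trailing newline, which is harmless here; the missing newline at end of file is cosmetic.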
apiVersion: v1
kind: Service
metadata:
name: kiali
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "kiali.name" . }}
chart: {{ template "kiali.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
ports:
- name: http-kiali
protocol: TCP
port: 20001
selector:
app: kiali
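Review bot: The selector on L77 hard-codes `app: kiali` while the Service's own label on L67 uses `{{ template "kiali.name" . }}`, so setting `nameOverride` makes the label and the selector diverge; whether the Deployment (not in view) labels its pods with the template or the literal value cannot be confirmed from here. Using the same expression for both, or a comment `# selector is the literal pod label, independent of nameOverride`, removes the ambiguity. No `type` is set, so the Service defaults to ClusterIP, which is appropriate for a console that appears to be fronted by the Ingress or the Rancher proxy.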
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: kiali-service-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "kiali.name" . }}
chart: {{ template "kiali.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
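Review bot: `- name: {{ . }}` on L83 renders each pull-secret name as a plain scalar, so a value that looks like a number or boolean would be retyped by the YAML parser; `- name: {{ . | quote }}` is the safe form and matches the `| quote` already used for ingress annotation values elsewhere in the chart. Placing `imagePullSecrets` ahead of `metadata` (L80–L85) is valid but unusual; moving it below the labels block keeps this manifest in the `apiVersion/kind/metadata` order the other templates follow. The file header is not shown, so the section boundary is inferred.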
{{- if .Values.global.enableHelmTest }}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "kiali.fullname" . }}-test
namespace: {{ .Release.Namespace }}
labels:
app: kiali-test
chart: {{ template "kiali.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: kiali
annotations:
sidecar.istio.io/inject: "false"
helm.sh/hook: test-success
spec:
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: "{{ template "kiali.fullname" . }}-test"
image: "{{ template "system_default_registry" . }}{{ .Values.global.curl.repository }}:{{ .Values.global.curl.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['curl']
args: ['http://kiali:20001']
restartPolicy: Never
affinity:
{{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 2 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 2 }}
{{- end }}
{{- end }}
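Review bot: The hook container on L117–L118 runs `curl` with only the URL, and curl exits 0 for any HTTP status it manages to receive, so a 401 or 500 from the console still satisfies `helm.sh/hook: test-success`; `args: ['-fsS', 'http://kiali:20001']` makes the test fail on non-2xx responses (whether the console root answers 2xx under the default `login` strategy should be confirmed). The pod sets no `resources` and no `securityContext`, and without a `helm.sh/hook-delete-policy` annotation the finished test pod lingers in the namespace until removed by hand. The enclosing `{{- if .Values.global.enableHelmTest }}` guard is visible in full within this section.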
#
# addon kiali
#
enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`.
replicaCount: 1
contextPath: /kiali # The root context path to access the Kiali UI.
nodeSelector: {}
tolerations: []
podAnnotations: {}
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
ingress:
enabled: false
## Used to create an Ingress record.
hosts:
- kiali.local
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: kiali-tls
# hosts:
# - kiali.local
dashboard:
auth:
strategy: login # Can be anonymous, login, or openshift
secretName: kiali # You must create a secret with this name - one is not provided out-of-box.
viewOnlyMode: false # Bind the service account to a role with only read access
grafanaURL: # If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. Kiali will redirect users to this URL when Grafana metrics are to be shown.
jaegerURL: # If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown.
prometheusAddr: http://prometheus:9090
# When true, a secret will be created with a default username and password. Useful for demos.
createDemoSecret: false
security:
enabled: false
cert_file: /kiali-cert/cert-chain.pem
private_key_file: /kiali-cert/key.pem
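Review bot: `tls:` on L168 and `grafanaURL:`/`jaegerURL:` on L178–L179 are bare keys, which parse as `null` rather than an empty list or string; write `tls: []`, `grafanaURL: ""` and `jaegerURL: ""` so the intended type is explicit and yamllint's `empty-values` rule passes. The `security.enabled: false` default on L184 means Kiali serves without its own TLS while `auth.strategy` defaults to `login` on L175; a comment above it such as `# TLS for the console itself; expected to be terminated by the Ingress or proxy in front of Kiali when left false` records that assumption. The long trailing comments on L134, L136 and L178–L179 read better placed on the line above their key.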
apiVersion: v1
appVersion: 1.4.3
description: Helm chart for mixer deployment
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
keywords:
- istio
- mixer
name: mixer
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.3
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "mixer.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "mixer.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "mixer.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
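Review bot: The comment on L224–L226 says `mixer.chart` produces the chart name and version, but the body on L228 emits only `.Chart.Name`, so the `chart:` label stamped on every mixer manifest carries no version. Either the comment should read `Create the chart name as used by the chart label (version intentionally omitted).` or the helper should use the conventional `{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}`. The other two helpers match the standard Helm scaffold.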
{{- range $key, $spec := .Values }}
{{- if or (eq $key "policy") (eq $key "telemetry") }}
{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istio-{{ $key }}
namespace: {{ $.Release.Namespace }}
labels:
app: {{ template "mixer.name" $ }}
chart: {{ template "mixer.chart" $ }}
heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }}
spec:
maxReplicas: {{ $spec.autoscaleMax }}
minReplicas: {{ $spec.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-{{ $key }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
---
{{- end }}
{{- end }}
{{- end }}
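Review bot: The guard on L232 checks `enabled`, `autoscaleEnabled`, `autoscaleMin` and `autoscaleMax` but not `$spec.cpu`, while L254 dereferences `$spec.cpu.targetAverageUtilization`; a `policy` or `telemetry` block that enables autoscaling without a `cpu` map aborts rendering with a nil-pointer template error. Extending the condition to `{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax $spec.cpu }}` skips the HPA instead, which is the safer failure. `autoscaling/v2beta1` on L233 is the older HPA API; `autoscaling/v2beta2` (Kubernetes 1.12+) expresses the same target as `target.averageUtilization` and is the one newer clusters keep serving.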
{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-mixer-{{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["config.istio.io"] # istio CRD watcher
resources: ["*"]
verbs: ["create", "get", "list", "watch", "patch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
{{- end }}
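Review bot: The rule on L276–L278 grants the mixer service account cluster-wide `get/list/watch` on `secrets`, so a compromised mixer pod can read every Secret in the cluster; if the adapters shipped here do not need secret contents, drop `secrets` from that list, otherwise add a comment naming the adapter that requires it so the grant can be re-evaluated later. The `config.istio.io` rule on L270–L272 combines `resources: ["*"]` with `create` and `patch`; the `# istio CRD watcher` comment explains the intent, but listing the concrete resource kinds would make the grant auditable. The enclosing `{{- if or ... }}` guard is visible in full in this section.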
{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-mixer-admin-role-binding-{{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-mixer-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-mixer-service-account
namespace: {{ .Release.Namespace }}
{{- end }}
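Review bot: The binding name on L287, `istio-mixer-admin-role-binding-...`, suggests cluster-admin privileges while the `roleRef` on L293–L296 points at the scoped `istio-mixer-{{ .Release.Namespace }}` ClusterRole; a name that mirrors the role, or a comment `# binds the scoped istio-mixer ClusterRole, not cluster-admin`, keeps RBAC audits from being misled. The subject on L298–L300 hard-codes `istio-mixer-service-account`; the ServiceAccount that defines it is not in view, so that the names match cannot be confirmed from here.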
{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
name: istioproxy
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
attributes:
origin.ip:
valueType: IP_ADDRESS
origin.uid:
valueType: STRING
origin.user:
valueType: STRING
request.headers:
valueType: STRING_MAP
request.id:
valueType: STRING
request.host:
valueType: STRING
request.method:
valueType: STRING
request.path:
valueType: STRING
request.url_path:
valueType: STRING
request.query_params:
valueType: STRING_MAP
request.reason:
valueType: STRING
request.referer:
valueType: STRING
request.scheme:
valueType: STRING
request.total_size:
valueType: INT64
request.size:
valueType: INT64
request.time:
valueType: TIMESTAMP
request.useragent:
valueType: STRING
response.code:
valueType: INT64
response.duration:
valueType: DURATION
response.headers:
valueType: STRING_MAP
response.total_size:
valueType: INT64
response.size:
valueType: INT64
response.time:
valueType: TIMESTAMP
response.grpc_status:
valueType: STRING
response.grpc_message:
valueType: STRING
source.uid:
valueType: STRING
source.user: # DEPRECATED
valueType: STRING
source.principal:
valueType: STRING
destination.uid:
valueType: STRING
destination.principal:
valueType: STRING
destination.port:
valueType: INT64
connection.event:
valueType: STRING
connection.id:
valueType: STRING
connection.received.bytes:
valueType: INT64
connection.received.bytes_total:
valueType: INT64
connection.sent.bytes:
valueType: INT64
connection.sent.bytes_total:
valueType: INT64
connection.duration:
valueType: DURATION
connection.mtls:
valueType: BOOL
connection.requested_server_name:
valueType: STRING
context.protocol:
valueType: STRING
context.proxy_error_code:
valueType: STRING
context.timestamp:
valueType: TIMESTAMP
context.time:
valueType: TIMESTAMP
# Deprecated, kept for compatibility
context.reporter.local:
valueType: BOOL
context.reporter.kind:
valueType: STRING
context.reporter.uid:
valueType: STRING
api.service:
valueType: STRING
api.version:
valueType: STRING
api.operation:
valueType: STRING
api.protocol:
valueType: STRING
request.auth.principal:
valueType: STRING
request.auth.audiences:
valueType: STRING
request.auth.presenter:
valueType: STRING
request.auth.claims:
valueType: STRING_MAP
request.auth.raw_claims:
valueType: STRING
request.api_key:
valueType: STRING
rbac.permissive.response_code:
valueType: STRING
rbac.permissive.effective_policy_id:
valueType: STRING
check.error_code:
valueType: INT64
check.error_message:
valueType: STRING
check.cache_hit:
valueType: BOOL
quota.cache_hit:
valueType: BOOL
context.proxy_version:
valueType: STRING
---
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
name: kubernetes
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
attributes:
source.ip:
valueType: IP_ADDRESS
source.labels:
valueType: STRING_MAP
source.metadata:
valueType: STRING_MAP
source.name:
valueType: STRING
source.namespace:
valueType: STRING
source.owner:
valueType: STRING
source.serviceAccount:
valueType: STRING
source.services:
valueType: STRING
source.workload.uid:
valueType: STRING
source.workload.name:
valueType: STRING
source.workload.namespace:
valueType: STRING
destination.ip:
valueType: IP_ADDRESS
destination.labels:
valueType: STRING_MAP
destination.metadata:
valueType: STRING_MAP
destination.owner:
valueType: STRING
destination.name:
valueType: STRING
destination.container.name:
valueType: STRING
destination.namespace:
valueType: STRING
destination.service.uid:
valueType: STRING
destination.service.name:
valueType: STRING
destination.service.namespace:
valueType: STRING
destination.service.host:
valueType: STRING
destination.serviceAccount:
valueType: STRING
destination.workload.uid:
valueType: STRING
destination.workload.name:
valueType: STRING
destination.workload.namespace:
valueType: STRING
---
{{- if and .Values.adapters.stdio.enabled .Values.telemetry.enabled }}
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
name: stdio
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledAdapter: stdio
params:
outputAsJson: {{ .Values.adapters.stdio.outputAsJson }}
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: accesslog
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledTemplate: logentry
params:
severity: '"Info"'
timestamp: request.time
variables:
sourceIp: source.ip | ip("0.0.0.0")
sourceApp: source.labels["app"] | ""
sourcePrincipal: source.principal | ""
sourceName: source.name | ""
sourceWorkload: source.workload.name | ""
sourceNamespace: source.namespace | ""
sourceOwner: source.owner | ""
destinationApp: destination.labels["app"] | ""
destinationIp: destination.ip | ip("0.0.0.0")
destinationServiceHost: destination.service.host | request.host | ""
destinationWorkload: destination.workload.name | ""
destinationName: destination.name | ""
destinationNamespace: destination.namespace | ""
destinationOwner: destination.owner | ""
destinationPrincipal: destination.principal | ""
apiClaims: request.auth.raw_claims | ""
apiKey: request.api_key | request.headers["x-api-key"] | ""
protocol: request.scheme | context.protocol | "http"
method: request.method | ""
url: request.path | ""
responseCode: response.code | 0
responseFlags: context.proxy_error_code | ""
responseSize: response.size | 0
permissiveResponseCode: rbac.permissive.response_code | "none"
permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none"
requestSize: request.size | 0
requestId: request.headers["x-request-id"] | ""
clientTraceId: request.headers["x-client-trace-id"] | ""
latency: response.duration | "0ms"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
requestedServerName: connection.requested_server_name | ""
userAgent: request.useragent | ""
responseTimestamp: response.time
receivedBytes: request.total_size | 0
sentBytes: response.total_size | 0
referer: request.referer | ""
httpAuthority: request.headers[":authority"] | request.host | ""
xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
grpcStatus: response.grpc_status | ""
grpcMessage: response.grpc_message | ""
monitored_resource_type: '"global"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: tcpaccesslog
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledTemplate: logentry
params:
severity: '"Info"'
timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
variables:
connectionEvent: connection.event | ""
sourceIp: source.ip | ip("0.0.0.0")
sourceApp: source.labels["app"] | ""
sourcePrincipal: source.principal | ""
sourceName: source.name | ""
sourceWorkload: source.workload.name | ""
sourceNamespace: source.namespace | ""
sourceOwner: source.owner | ""
destinationApp: destination.labels["app"] | ""
destinationIp: destination.ip | ip("0.0.0.0")
destinationServiceHost: destination.service.host | ""
destinationWorkload: destination.workload.name | ""
destinationName: destination.name | ""
destinationNamespace: destination.namespace | ""
destinationOwner: destination.owner | ""
destinationPrincipal: destination.principal | ""
protocol: context.protocol | "tcp"
connectionDuration: connection.duration | "0ms"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
requestedServerName: connection.requested_server_name | ""
receivedBytes: connection.received.bytes | 0
sentBytes: connection.sent.bytes | 0
totalReceivedBytes: connection.received.bytes_total | 0
totalSentBytes: connection.sent.bytes_total | 0
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
responseFlags: context.proxy_error_code | ""
monitored_resource_type: '"global"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: stdio
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
match: context.protocol == "http" || context.protocol == "grpc"
actions:
- handler: stdio
instances:
- accesslog
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: stdiotcp
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
match: context.protocol == "tcp"
actions:
- handler: stdio
instances:
- tcpaccesslog
{{- end }}
---
{{- if and .Values.adapters.prometheus.enabled .Values.telemetry.enabled }}
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: requestcount
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledTemplate: metric
params:
value: "1"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: requestduration
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledTemplate: metric
params:
value: response.duration | "0ms"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: requestsize
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledTemplate: metric
params:
value: request.size | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: responsesize
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledTemplate: metric
params:
value: response.size | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
response_flags: context.proxy_error_code | "-"
permissive_response_code: rbac.permissive.response_code | "none"
permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: tcpbytesent
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledTemplate: metric
params:
value: connection.sent.bytes | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: tcpbytereceived
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledTemplate: metric
params:
value: connection.received.bytes | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: tcpconnectionsopened
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledTemplate: metric
params:
value: "1"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: tcpconnectionsclosed
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ template "mixer.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
compiledTemplate: metric
params:
value: "1"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
response_flags: context.proxy_error_code | "-"
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: prometheus
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  compiledAdapter: prometheus
  params:
    # Series that receive no updates for this long are dropped from the
    # scrape output (values.yaml: adapters.prometheus.metricsExpiryDuration).
    metricsExpirationPolicy:
      metricsExpiryDuration: "{{ .Values.adapters.prometheus.metricsExpiryDuration }}"
    # One Prometheus metric per mixer instance. Each instance_name is
    # "<instance>.instance.<release namespace>" and must match the instance
    # resources defined in this chart. The label sets are wide (two
    # principals, two workloads, two namespaces, response code, ...), so
    # cardinality grows with the mesh. The *_principal and
    # connection_security_policy labels are what make these metrics usable
    # for spotting plaintext ("none") or unexpected-identity traffic.
    metrics:
    - name: requests_total
      instance_name: requestcount.instance.{{ .Release.Namespace }}
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
    - name: request_duration_seconds
      instance_name: requestduration.instance.{{ .Release.Namespace }}
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      # Latency buckets in seconds, 5ms .. 10s.
      buckets:
        explicit_buckets:
          bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
    - name: request_bytes
      instance_name: requestsize.instance.{{ .Release.Namespace }}
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      # Size buckets: powers of ten from 1 byte up to 10^8 bytes.
      buckets:
        exponentialBuckets:
          numFiniteBuckets: 8
          scale: 1
          growthFactor: 10
    - name: response_bytes
      instance_name: responsesize.instance.{{ .Release.Namespace }}
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      buckets:
        exponentialBuckets:
          numFiniteBuckets: 8
          scale: 1
          growthFactor: 10
    # TCP metrics carry no request-level labels (protocol, response code).
    - name: tcp_sent_bytes_total
      instance_name: tcpbytesent.instance.{{ .Release.Namespace }}
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
    - name: tcp_received_bytes_total
      instance_name: tcpbytereceived.instance.{{ .Release.Namespace }}
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
    - name: tcp_connections_opened_total
      instance_name: tcpconnectionsopened.instance.{{ .Release.Namespace }}
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
    - name: tcp_connections_closed_total
      instance_name: tcpconnectionsclosed.instance.{{ .Release.Namespace }}
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promhttp
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # Routes HTTP and gRPC request instances to the prometheus handler.
  # Kubelet probes and Prometheus scrapes are excluded by User-Agent prefix
  # so they do not inflate request metrics. Note that User-Agent is a
  # client-supplied header: any client can opt its own traffic out of these
  # metrics by sending a UA beginning with "kube-probe" or "Prometheus", so
  # requests_total must not be treated as a complete audit trail.
  match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false)
  actions:
  - handler: prometheus
    instances:
    - requestcount
    - requestduration
    - requestsize
    - responsesize
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcp
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # Byte counters for raw TCP traffic; reported for every TCP report,
  # not only on connection open/close (those have their own rules below).
  match: context.protocol == "tcp"
  actions:
  - handler: prometheus
    instances:
    - tcpbytesent
    - tcpbytereceived
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcpconnectionopen
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # Fires once per TCP connection establishment. A missing connection.event
  # attribute ("na") never matches, so only explicit open events are counted.
  match: context.protocol == "tcp" && ((connection.event | "na") == "open")
  actions:
  - handler: prometheus
    instances:
    - tcpconnectionsopened
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcpconnectionclosed
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # Counterpart of promtcpconnectionopen: fires once per TCP connection
  # close. Comparing opened vs closed totals gives the number of
  # long-lived connections per source/destination principal pair.
  match: context.protocol == "tcp" && ((connection.event | "na") == "close")
  actions:
  - handler: prometheus
    instances:
    - tcpconnectionsclosed
{{- end }}
---
{{- if and .Values.adapters.kubernetesenv.enabled (or .Values.policy.enabled .Values.telemetry.enabled) }}
# kubernetesenv adapter: enriches every report with pod/workload metadata
# looked up from the Kubernetes API. The source.*/destination.* attributes
# it produces are what the metric instances above label on, so if this
# adapter is disabled most metric dimensions degrade to "unknown".
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: kubernetesenv
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  compiledAdapter: kubernetesenv
  # params is intentionally left empty when running in-cluster; the adapter
  # then presumably authenticates to the API server with the mixer pod's own
  # service-account token (RBAC for that is granted outside this file).
  # The kubeconfig_path option below is for local development only.
  params:
    # when running from mixer root, use the following config after adding a
    # symbolic link to a kubernetes config file via:
    #
    # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
    #
    # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: kubeattrgenrulerule
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # No match clause: attribute generation runs for every request and
  # connection regardless of protocol.
  actions:
  - handler: kubernetesenv
    instances:
    - attributes
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: tcpkubeattrgenrulerule
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # Restricted to TCP. Since kubeattrgenrulerule above has no match clause
  # it already covers TCP, so this rule appears redundant; it is kept as
  # upstream ships it.
  match: context.protocol == "tcp"
  actions:
  - handler: kubernetesenv
    instances:
    - attributes
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: attributes
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  compiledTemplate: kubernetes
  params:
    # Pass the required attribute data to the adapter
    source_uid: source.uid | ""
    source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
    destination_uid: destination.uid | ""
    destination_port: destination.port | 0
  attributeBindings:
    # Fill the new attributes from the adapter produced output.
    # $out refers to an instance of OutputTemplate message
    # These bindings overwrite the proxy-reported source.*/destination.*
    # attributes with values derived from the pod lookup; when the lookup
    # yields nothing the defaults below ("unknown", "default", 0.0.0.0) are
    # what end up in metric labels.
    source.ip: $out.source_pod_ip | ip("0.0.0.0")
    source.uid: $out.source_pod_uid | "unknown"
    source.labels: $out.source_labels | emptyStringMap()
    source.name: $out.source_pod_name | "unknown"
    source.namespace: $out.source_namespace | "default"
    source.owner: $out.source_owner | "unknown"
    source.serviceAccount: $out.source_service_account_name | "unknown"
    source.workload.uid: $out.source_workload_uid | "unknown"
    source.workload.name: $out.source_workload_name | "unknown"
    source.workload.namespace: $out.source_workload_namespace | "unknown"
    destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
    destination.uid: $out.destination_pod_uid | "unknown"
    destination.labels: $out.destination_labels | emptyStringMap()
    destination.name: $out.destination_pod_name | "unknown"
    destination.container.name: $out.destination_container_name | "unknown"
    destination.namespace: $out.destination_namespace | "default"
    destination.owner: $out.destination_owner | "unknown"
    destination.serviceAccount: $out.destination_service_account_name | "unknown"
    destination.workload.uid: $out.destination_workload_uid | "unknown"
    destination.workload.name: $out.destination_workload_name | "unknown"
    destination.workload.namespace: $out.destination_workload_namespace | "unknown"
{{- end }}
---
{{- if .Values.policy.enabled }}
# Configuration needed by Mixer.
# Mixer cluster is delivered via CDS
# Specify mixer cluster settings
#
# Client-side TLS settings sidecars apply when talking to istio-policy.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-policy
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  host: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
  {{- if .Values.global.defaultConfigVisibilitySettings }}
  # With a restricted default visibility in place, the rule has to be
  # exported explicitly so sidecars in every namespace still see it.
  exportTo:
  - '*'
  {{- end }}
  trafficPolicy:
    portLevelSettings:
    # 15004: mutual TLS with Istio-issued workload certificates.
    - port:
        number: 15004 # grpc-mixer-mtls
      tls:
        mode: ISTIO_MUTUAL
    # 9091: TLS explicitly disabled. Policy checks sent to this port travel
    # in plaintext and are not authenticated by the proxy; which port a
    # sidecar uses is decided by the mesh config (not in this file), so if
    # plaintext is unacceptable confirm 15004 is selected and fence 9091
    # off with a NetworkPolicy.
    - port:
        number: 9091 # grpc-mixer
      tls:
        mode: DISABLE
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
{{- end }}
---
{{- if .Values.telemetry.enabled }}
# Client-side TLS settings sidecars apply when sending telemetry reports
# to istio-telemetry. Mirrors the istio-policy DestinationRule above.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-telemetry
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  host: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
  {{- if .Values.global.defaultConfigVisibilitySettings }}
  # With a restricted default visibility in place, the rule has to be
  # exported explicitly so sidecars in every namespace still see it.
  exportTo:
  - '*'
  {{- end }}
  trafficPolicy:
    portLevelSettings:
    # 15004: mutual TLS with Istio-issued workload certificates.
    - port:
        number: 15004 # grpc-mixer-mtls
      tls:
        mode: ISTIO_MUTUAL
    # 9091: TLS explicitly disabled. Telemetry reports (which include
    # request metadata such as paths and principals) sent here travel in
    # plaintext and are not authenticated by the proxy. Fence the port off
    # with a NetworkPolicy if that is not acceptable.
    - port:
        number: 9091 # grpc-mixer
      tls:
        mode: DISABLE
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
{{- end }}
---
{{- end }}
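{{- define "policy_container" }}
{{- /*
Pod spec for the istio-policy Deployment (rendered under template: by the
Deployment range below, hence the 4-space base indent).

Two containers: "mixer" only listens on a Unix socket inside the uds-socket
emptyDir, and "istio-proxy" (declared explicitly because sidecar injection is
disabled on the pod) shares that emptyDir and exposes 9091 (plaintext) and
15004 (mTLS) to the mesh. Certificates come from the istio-certs secret, or
from the node agent over the /var/run/sds hostPath when SDS is enabled.

Change vs. the previous revision: when mixer talks to Galley over mcps:// it
is now given the same explicit --certFile/--keyFile/--caCertFile flags that
telemetry_container passes, so both roles read identity material from the
istio-certs mount rather than one of them relying on built-in defaults.
*/}}
    spec:
      serviceAccountName: istio-mixer-service-account
      {{- if $.Values.global.priorityClassName }}
      priorityClassName: "{{ $.Values.global.priorityClassName }}"
      {{- end }}
      volumes:
      # Workload certificate issued for the mixer service account. Marked
      # optional so the pod schedules before the secret exists; with
      # control plane security enabled a missing secret surfaces as a
      # connection failure to Galley/Pilot rather than a scheduling error.
      - name: istio-certs
        secret:
          secretName: istio.istio-mixer-service-account
          optional: true
      {{- if $.Values.global.sds.enabled }}
      # hostPath shared with the istio-nodeagent DaemonSet; requires a pod
      # security policy (if enforced) that permits hostPath volumes.
      - hostPath:
          path: /var/run/sds
        name: sds-uds-path
      # Audience-bound, 12h service-account token presented to the node
      # agent when requesting certificates over SDS.
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: {{ $.Values.global.sds.token.aud }}
              expirationSeconds: 43200
              path: istio-token
      {{- end }}
      # Shared socket directory between mixer and its proxy container.
      - name: uds-socket
        emptyDir: {}
      # Credentials for out-of-process policy adapters; optional and
      # mounted read-only into the proxy container only.
      - name: policy-adapter-secret
        secret:
          secretName: policy-adapter-secret
          optional: true
      affinity:
      {{- include "nodeaffinity" . | indent 6 }}
      {{- include "podAntiAffinity" . | indent 6 }}
      {{- if .Values.tolerations }}
      tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
      {{- else if .Values.global.defaultTolerations }}
      tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
      {{- end }}
      # NOTE(review): neither container sets a securityContext
      # (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities); the
      # images' default user is not visible here, so confirm before adding.
      containers:
      - name: mixer
        # Image is pinned by tag via the configured mirror registry; tags are
        # mutable, so a digest pin would be stronger for supply-chain purposes.
        image: "{{ template "system_default_registry" . }}{{ $.Values.repository }}:{{ $.Values.tag }}"
        imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
        ports:
        # Monitoring/version endpoint (also the liveness probe target) and
        # the prometheus adapter scrape port.
        - containerPort: {{ .Values.global.monitoringPort }}
        - containerPort: 42422
        args:
        - --monitoringPort={{ .Values.global.monitoringPort }}
        # gRPC is served on a Unix socket only; the proxy fronts it.
        - --address
        - unix:///sock/mixer.socket
        {{- if $.Values.global.logging.level }}
        - --log_output_level={{ $.Values.global.logging.level }}
        {{- end}}
        {{- if $.Values.global.useMCP }}
        {{- if $.Values.global.controlPlaneSecurityEnabled}}
        # Config over mutually authenticated MCP; certs come from the
        # istio-certs mount below (same flags as telemetry_container).
        - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901
        - --certFile=/etc/certs/cert-chain.pem
        - --keyFile=/etc/certs/key.pem
        - --caCertFile=/etc/certs/root-cert.pem
        {{- else }}
        # Plaintext, unauthenticated MCP to Galley.
        - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901
        {{- end }}
        {{- else }}
        # Read config CRDs straight from the API server with the pod's
        # service account.
        - --configStoreURL=k8s://
        {{- end }}
        - --configDefaultNamespace={{ $.Release.Namespace }}
        {{- if $.Values.adapters.useAdapterCRDs }}
        - --useAdapterCRDs=true
        {{- else }}
        - --useAdapterCRDs=false
        {{- end }}
        - --useTemplateCRDs=false
        # Trace export is plain http; spans may carry request metadata.
        {{- if $.Values.global.tracer.zipkin.address }}
        - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
        {{- else }}
        - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans
        {{- end }}
        # POD_NAMESPACE is only emitted when .Values.env is non-empty
        # (values.yaml ships GOMAXPROCS, so it normally is).
        {{- if .Values.env }}
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        {{- range $key, $val := .Values.env }}
        - name: {{ $key }}
          value: "{{ $val }}"
        {{- end }}
        {{- end }}
        resources:
{{- if .Values.policy.resources }}
{{ toYaml .Values.policy.resources | indent 10 }}
{{- else if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
        volumeMounts:
        {{- if $.Values.global.useMCP }}
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
        {{- end }}
        - name: uds-socket
          mountPath: /sock
        livenessProbe:
          httpGet:
            path: /version
            port: {{ .Values.global.monitoringPort }}
          initialDelaySeconds: 5
          periodSeconds: 5
      - name: istio-proxy
        image: "{{ template "system_default_registry" . }}{{ $.Values.global.proxy.repository }}:{{ $.Values.global.proxy.tag }}"
        imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
        ports:
        # 9091 plaintext gRPC, 15004 mTLS gRPC (see the istio-policy
        # DestinationRule), 15090 Envoy metrics.
        - containerPort: 9091
        - containerPort: 15004
        - containerPort: 15090
          protocol: TCP
          name: http-envoy-prom
        args:
        - proxy
        - --domain
        - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }}
        - --serviceCluster
        - istio-policy
        - --templateFile
        - /etc/istio/proxy/envoy_policy.yaml.tmpl
        # With control plane security off, the proxy's own xDS connection
        # to Pilot is plaintext and unauthenticated.
        {{- if $.Values.global.controlPlaneSecurityEnabled }}
        - --controlPlaneAuthPolicy
        - MUTUAL_TLS
        {{- else }}
        - --controlPlaneAuthPolicy
        - NONE
        {{- end }}
        {{- if $.Values.global.trustDomain }}
        - --trust-domain={{ $.Values.global.trustDomain }}
        {{- end }}
        {{- if $.Values.global.proxy.logLevel }}
        - --proxyLogLevel={{ $.Values.global.proxy.logLevel }}
        {{- end}}
        {{- if $.Values.global.proxy.componentLogLevel }}
        - --proxyComponentLogLevel={{ $.Values.global.proxy.componentLogLevel }}
        {{- end}}
        {{- if $.Values.global.logging.level }}
        - --log_output_level={{ $.Values.global.logging.level }}
        {{- end}}
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: SDS_ENABLED
          value: "{{ $.Values.global.sds.enabled }}"
        resources:
{{- if $.Values.global.proxy.resources }}
{{ toYaml $.Values.global.proxy.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
        volumeMounts:
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
        {{- if $.Values.global.sds.enabled }}
        - name: sds-uds-path
          mountPath: /var/run/sds
          readOnly: true
        - name: istio-token
          mountPath: /var/run/secrets/tokens
        {{- end }}
        - name: uds-socket
          mountPath: /sock
        - name: policy-adapter-secret
          mountPath: /var/run/secrets/istio.io/policy/adapter
          readOnly: true
{{- end }}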
{{- define "telemetry_container" }}
{{- /*
Pod spec for the istio-telemetry Deployment (rendered under template: by the
Deployment range below, hence the 4-space base indent).

Same shape as policy_container: "mixer" listens only on a Unix socket in the
uds-socket emptyDir and "istio-proxy" (declared explicitly, injection is off)
exposes it on 9091 (plaintext) and 15004 (mTLS). Differences from the policy
role: load-shedding flags, a telemetry-adapter-secret mounted into the mixer
container (not the proxy), and no --useTemplateCRDs flag.
*/}}
    spec:
      serviceAccountName: istio-mixer-service-account
      {{- if $.Values.global.priorityClassName }}
      priorityClassName: "{{ $.Values.global.priorityClassName }}"
      {{- end }}
      volumes:
      # Workload certificate for the mixer service account. Optional, so a
      # missing secret shows up as a connection failure (mcps/Pilot) rather
      # than a scheduling error.
      - name: istio-certs
        secret:
          secretName: istio.istio-mixer-service-account
          optional: true
      {{- if $.Values.global.sds.enabled }}
      # hostPath shared with the istio-nodeagent DaemonSet; needs a pod
      # security policy (if enforced) that permits hostPath volumes.
      - hostPath:
          path: /var/run/sds
        name: sds-uds-path
      # Audience-bound, 12h service-account token for SDS requests.
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: {{ $.Values.global.sds.token.aud }}
              expirationSeconds: 43200
              path: istio-token
      {{- end }}
      # Shared socket directory between mixer and its proxy container.
      - name: uds-socket
        emptyDir: {}
      # Credentials for out-of-process telemetry adapters; optional and
      # mounted read-only into the mixer container.
      - name: telemetry-adapter-secret
        secret:
          secretName: telemetry-adapter-secret
          optional: true
      affinity:
      {{- include "nodeaffinity" . | indent 6 }}
      {{- include "podAntiAffinity" . | indent 6 }}
      {{- if .Values.tolerations }}
      tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
      {{- else if .Values.global.defaultTolerations }}
      tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
      {{- end }}
      # NOTE(review): no securityContext on either container (runAsNonRoot,
      # readOnlyRootFilesystem, dropped capabilities); the images' default
      # user is not visible here, so confirm before adding one.
      containers:
      - name: mixer
        # Tag-pinned image through the configured mirror registry; tags are
        # mutable, a digest pin would be stronger.
        image: "{{ template "system_default_registry" . }}{{ $.Values.repository }}:{{ $.Values.tag }}"
        imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
        ports:
        # Monitoring/version endpoint (liveness target) and the prometheus
        # adapter scrape port, which the Service exposes for telemetry only.
        - containerPort: {{ .Values.global.monitoringPort }}
        - containerPort: 42422
        args:
        - --monitoringPort={{ .Values.global.monitoringPort }}
        # gRPC is served on a Unix socket only; the proxy fronts it.
        - --address
        - unix:///sock/mixer.socket
        {{- if $.Values.global.logging.level }}
        - --log_output_level={{ $.Values.global.logging.level }}
        {{- end}}
        {{- if $.Values.global.useMCP }}
        {{- if $.Values.global.controlPlaneSecurityEnabled}}
        # Mutually authenticated MCP to Galley, using the istio-certs mount.
        - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901
        - --certFile=/etc/certs/cert-chain.pem
        - --keyFile=/etc/certs/key.pem
        - --caCertFile=/etc/certs/root-cert.pem
        {{- else }}
        # Plaintext, unauthenticated MCP to Galley.
        - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901
        {{- end }}
        {{- else }}
        # Read config CRDs from the API server with the pod's service account.
        - --configStoreURL=k8s://
        {{- end }}
        - --configDefaultNamespace={{ $.Release.Namespace }}
        {{- if $.Values.adapters.useAdapterCRDs }}
        - --useAdapterCRDs=true
        {{- else }}
        - --useAdapterCRDs=false
        {{- end }}
        # NOTE(review): policy_container also passes --useTemplateCRDs=false;
        # this role relies on mixer's default for that flag -- confirm they agree.
        # Trace export is plain http; spans may carry request metadata.
        {{- if $.Values.global.tracer.zipkin.address }}
        - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
        {{- else }}
        - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans
        {{- end }}
        # Load shedding: reject reports once average latency exceeds the
        # threshold (values.yaml: telemetry.loadshedding).
        - --averageLatencyThreshold
        - {{ $.Values.telemetry.loadshedding.latencyThreshold }}
        - --loadsheddingMode
        - {{ $.Values.telemetry.loadshedding.mode }}
        # POD_NAMESPACE is only emitted when .Values.env is non-empty
        # (values.yaml ships GOMAXPROCS, so it normally is).
        {{- if .Values.env }}
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        {{- range $key, $val := .Values.env }}
        - name: {{ $key }}
          value: "{{ $val }}"
        {{- end }}
        {{- end }}
        resources:
{{- if .Values.telemetry.resources }}
{{ toYaml .Values.telemetry.resources | indent 10 }}
{{- else if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
        volumeMounts:
        {{- if $.Values.global.useMCP }}
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
        {{- end }}
        - name: telemetry-adapter-secret
          mountPath: /var/run/secrets/istio.io/telemetry/adapter
          readOnly: true
        - name: uds-socket
          mountPath: /sock
        livenessProbe:
          httpGet:
            path: /version
            port: {{ .Values.global.monitoringPort }}
          initialDelaySeconds: 5
          periodSeconds: 5
      - name: istio-proxy
        image: "{{ template "system_default_registry" . }}{{ $.Values.global.proxy.repository }}:{{ $.Values.global.proxy.tag }}"
        imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
        ports:
        # 9091 plaintext gRPC, 15004 mTLS gRPC (see the istio-telemetry
        # DestinationRule), 15090 Envoy metrics.
        - containerPort: 9091
        - containerPort: 15004
        - containerPort: 15090
          protocol: TCP
          name: http-envoy-prom
        args:
        - proxy
        - --domain
        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
        - --serviceCluster
        - istio-telemetry
        - --templateFile
        - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
        # With control plane security off, the proxy's xDS connection to
        # Pilot is plaintext and unauthenticated.
        {{- if $.Values.global.controlPlaneSecurityEnabled }}
        - --controlPlaneAuthPolicy
        - MUTUAL_TLS
        {{- else }}
        - --controlPlaneAuthPolicy
        - NONE
        {{- end }}
        {{- if $.Values.global.proxy.logLevel }}
        - --proxyLogLevel={{ $.Values.global.proxy.logLevel }}
        {{- end}}
        {{- if $.Values.global.proxy.componentLogLevel }}
        - --proxyComponentLogLevel={{ $.Values.global.proxy.componentLogLevel }}
        {{- end}}
        {{- if $.Values.global.logging.level }}
        - --log_output_level={{ $.Values.global.logging.level }}
        {{- end}}
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: SDS_ENABLED
          value: "{{ $.Values.global.sds.enabled }}"
        resources:
{{- if $.Values.global.proxy.resources }}
{{ toYaml $.Values.global.proxy.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
        volumeMounts:
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
        {{- if $.Values.global.sds.enabled }}
        - name: sds-uds-path
          mountPath: /var/run/sds
          readOnly: true
        - name: istio-token
          mountPath: /var/run/secrets/tokens
        {{- end }}
        - name: uds-socket
          mountPath: /sock
{{- end }}
{{- range $key, $spec := .Values }}
{{- if or (eq $key "policy") (eq $key "telemetry") }}
{{- if $spec.enabled }}
# One Deployment per enabled mixer role: istio-policy and istio-telemetry.
# The pod spec itself comes from the policy_container / telemetry_container
# templates. Sidecar injection is switched off because that pod spec
# declares its own istio-proxy container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-{{ $key }}
  namespace: {{ $.Release.Namespace }}
  labels:
    app: istio-mixer
    chart: {{ template "mixer.chart" $ }}
    heritage: {{ $.Release.Service }}
    release: {{ $.Release.Name }}
    istio: mixer
spec:
  # replicas is only rendered when autoscaling is off; otherwise the HPA
  # (defined elsewhere) owns it.
{{- if not $spec.autoscaleEnabled }}
{{- if $spec.replicaCount }}
  replicas: {{ $spec.replicaCount }}
{{- else }}
  replicas: 1
{{- end }}
{{- end }}
  strategy:
    rollingUpdate:
      maxSurge: {{ $spec.rollingMaxSurge }}
      maxUnavailable: {{ $spec.rollingMaxUnavailable }}
  selector:
    matchLabels:
      istio: mixer
      istio-mixer-type: {{ $key }}
  template:
    metadata:
      labels:
        # Note the pod-level app label is the role name ("policy" /
        # "telemetry"), not "istio-mixer" as on the Deployment; the
        # PodDisruptionBudget selects on this pod-level value.
        app: {{ $key }}
        chart: {{ template "mixer.chart" $ }}
        heritage: {{ $.Release.Service }}
        release: {{ $.Release.Name }}
        # Advertises to peer sidecars that this pod terminates Istio mTLS
        # (presumably consumed by Istio auto-mTLS -- confirm).
        security.istio.io/tlsMode: "istio"
        istio: mixer
        istio-mixer-type: {{ $key }}
      annotations:
        sidecar.istio.io/inject: "false"
        {{- with $.Values.podAnnotations }}
{{ toYaml . | indent 8 }}
        {{- end }}
{{- if eq $key "policy"}}
{{- template "policy_container" $ }}
{{- else }}
{{- template "telemetry_container" $ }}
{{- end }}
---
{{- end }}
{{- end }}
{{- end }} {{/* range */}}
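{{- range $key, $spec := .Values }}
{{- if or (eq $key "policy") (eq $key "telemetry") }}
{{- if $spec.enabled }}
{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
# PodDisruptionBudget per enabled mixer role, rendered only when the global
# default PDB is enabled. The budget body (minAvailable / maxUnavailable)
# comes from the shared podDisruptionBudget.spec helper; the selector must
# match the pod-level labels set by the Deployment template (app is the
# role name, not "istio-mixer").
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-{{ $key }}
  namespace: {{ $.Release.Namespace }}
  labels:
    app: {{ $key }}
    chart: {{ template "mixer.chart" $ }}
    heritage: {{ $.Release.Service }}
    release: {{ $.Release.Name }}
    version: {{ $.Chart.Version }}
    istio: mixer
    istio-mixer-type: {{ $key }}
spec:
{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }}
  selector:
    matchLabels:
      app: {{ $key }}
      release: {{ $.Release.Name }}
      istio: mixer
      istio-mixer-type: {{ $key }}
---
{{- end }}
{{- end }}
{{- end }}
{{- end }}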
{{- range $key, $spec := .Values }}
{{- if or (eq $key "policy") (eq $key "telemetry") }}
{{- if $spec.enabled }}
# ClusterIP Service per enabled mixer role. It is exported to every
# namespace (networking.istio.io/exportTo: "*") because all sidecars in the
# mesh need to reach it; the Service ports map onto the istio-proxy
# container of the pod, not onto mixer directly.
apiVersion: v1
kind: Service
metadata:
  name: istio-{{ $key }}
  namespace: {{ $.Release.Namespace }}
  annotations:
    networking.istio.io/exportTo: "*"
  labels:
    app: {{ template "mixer.name" $ }}
    chart: {{ template "mixer.chart" $ }}
    heritage: {{ $.Release.Service }}
    release: {{ $.Release.Name }}
    istio: mixer
spec:
  ports:
  # Plaintext gRPC (tls DISABLE in the DestinationRules).
  - name: grpc-mixer
    port: 9091
  # mTLS gRPC (ISTIO_MUTUAL in the DestinationRules).
  - name: grpc-mixer-mtls
    port: 15004
  # Plain-HTTP monitoring endpoint (/version is the liveness target), now
  # reachable cluster-wide; restrict with a NetworkPolicy if undesired.
  - name: http-monitoring
    port: {{ $.Values.global.monitoringPort }}
  {{- if eq $key "telemetry" }}
  # Prometheus adapter scrape port, telemetry role only.
  - name: prometheus
    port: 42422
  {{- if $spec.sessionAffinityEnabled }}
  sessionAffinity: ClientIP
  {{- end }}
  {{- end }}
  selector:
    istio: mixer
    istio-mixer-type: {{ $key }}
---
{{- end }}
{{- end }}
{{- end }}
{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
# Service account shared by both mixer roles. Its token is auto-mounted
# (automountServiceAccountToken is left unset), which the k8s:// config
# store and the kubernetesenv adapter presumably depend on; the RBAC
# bound to it is defined outside this file. The istio-certs secret the
# deployments mount is named after this account.
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
  name: istio-mixer-service-account
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ template "mixer.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
{{- end }}
#
# mixer configuration
#
# Extra environment variables for the mixer container. Keep at least one
# entry: the deployment templates only emit the env block (including the
# POD_NAMESPACE downward-API entry) when this map is non-empty.
env:
  # max procs should be ceil(cpu limit + 1); 4800m below gives 6.
  GOMAXPROCS: "6"
policy:
  # if policy is enabled, global.disablePolicyChecks has an effect.
  enabled: false
  replicaCount: 1
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  cpu:
    targetAverageUtilization: 80
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%
telemetry:
  enabled: true
  replicaCount: 1
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  cpu:
    targetAverageUtilization: 80
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%
  # When true the istio-telemetry Service uses sessionAffinity: ClientIP.
  sessionAffinityEnabled: false
  # mixer load shedding configuration.
  # When mixer detects that it is overloaded, it starts rejecting grpc requests.
  loadshedding:
    # disabled, logonly or enforce
    mode: enforce
    # based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async.
    latencyThreshold: 100ms
  resources:
    requests:
      cpu: 1000m
      memory: 1G
    limits:
      # It is best to do horizontal scaling of mixer using moderate cpu allocation.
      # We have experimentally found that these values work well.
      cpu: 4800m
      memory: 4G
  # Set reportBatchMaxEntries to 0 to use the default batching behavior (i.e., every 100 requests).
  # A positive value indicates the number of requests that are batched before telemetry data
  # is sent to the mixer server
  reportBatchMaxEntries: 100
  # Set reportBatchMaxTime to 0 to use the default batching behavior (i.e., every 1 second).
  # A positive duration is the maximum time telemetry data is held since the last request
  # before the batch is sent to the mixer server.
  reportBatchMaxTime: 1s
podAnnotations: {}
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
#   operator: In
#   values: S1,S2
#   topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
adapters:
  # Pod/workload metadata lookup; disabling it leaves most metric labels
  # at "unknown".
  kubernetesenv:
    enabled: true
  # stdio is a debug adapter in istio-telemetry, it is not recommended for production use.
  stdio:
    enabled: false
    outputAsJson: true
  prometheus:
    enabled: true
    # Series idle for this long are dropped from the scrape output.
    metricsExpiryDuration: 10m
  # Setting this to false sets the useAdapterCRDs mixer startup argument to false
  useAdapterCRDs: false
# Helm 2 chart metadata for the nodeagent subchart (tillerVersion and
# engine are Helm 2 fields). version and appVersion are pinned together to
# the Istio release being mirrored.
apiVersion: v1
appVersion: 1.4.3
description: Helm chart for nodeagent deployment
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
keywords:
- istio
- nodeagent
name: nodeagent
# NOTE(review): informational only, but the source link is plain http.
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.3
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
Uses nameOverride when set, otherwise the chart name; truncated to 63 chars
and stripped of a trailing "-" so it is a valid DNS label.
*/}}
{{- define "nodeagent.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
Precedence: fullnameOverride, then the release name alone when it already
contains the chart name, else "<release>-<name>".
*/}}
{{- define "nodeagent.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Value for the "chart" label. Note this emits the chart name only, not the
chart version, so the label does not change across chart version bumps.
*/}}
{{- define "nodeagent.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
# Read-only access to ConfigMaps, cluster-wide. This is already narrow
# (single resource, single verb), but it is not bounded by namespace or
# resourceNames; once the specific ConfigMap(s) the agent reads are known
# (not visible here) consider a namespaced Role or a resourceNames list.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-nodeagent-{{ .Release.Namespace }}
  labels:
    app: {{ template "nodeagent.name" . }}
    chart: {{ template "nodeagent.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
# Binds the ClusterRole above to the node agent's service account in the
# release namespace. Cluster-scoped names carry the namespace suffix so
# multiple releases in different namespaces do not collide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-nodeagent-{{ .Release.Namespace }}
  labels:
    app: {{ template "nodeagent.name" . }}
    chart: {{ template "nodeagent.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-nodeagent-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
  name: istio-nodeagent-service-account
  namespace: {{ .Release.Namespace }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: istio-nodeagent
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "nodeagent.name" . }}
chart: {{ template "nodeagent.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: nodeagent
spec:
selector:
matchLabels:
istio: nodeagent
template:
metadata:
labels:
app: {{ template "nodeagent.name" . }}
chart: {{ template "nodeagent.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: nodeagent
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-nodeagent-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: nodeagent
image: "{{ template "system_default_registry" . }}{{ $.Values.global.nodeagent.repository }}:{{ $.Values.global.nodeagent.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
volumeMounts:
- mountPath: /var/run/sds
name: sdsudspath
env:
{{- if .Values.env }}
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
- name: "TRUST_DOMAIN"
value: "{{ .Values.global.trustDomain }}"
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumes:
- name: sdsudspath
hostPath:
path: /var/run/sds
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
updateStrategy:
type: RollingUpdate
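Review bot: The nodeagent container image is built from `$.Values.global.nodeagent.repository` and `$.Values.global.nodeagent.tag`, while the pilot and prometheus Deployments in the same change read chart-local `.Values.repository` / `.Values.tag`, and the nodeagent values.yaml in this commit defines neither key, so the image for this DaemonSet can only be set under `global`. A one-line comment above the `image:` line, `# image is configured under global.nodeagent, not in this chart's values`, would stop a reader from adding a chart-local `repository:` that is silently ignored. Switching the template to `.Values.repository` with matching keys in values.yaml would make the three charts consistent, but that is a values-schema change and presumably needs the consuming overlay to follow.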
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-nodeagent-service-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "nodeagent.name" . }}
chart: {{ template "nodeagent.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
#
# nodeagent configuration
#
enabled: false
env:
# name of authentication provider.
CA_PROVIDER: ""
# CA endpoint.
CA_ADDR: ""
# names of authentication provider's plugins.
PLUGINS: ""
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
apiVersion: v1
appVersion: 1.4.3
description: Helm chart for pilot deployment
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
keywords:
- istio
- pilot
name: pilot
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.3
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "pilot.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "pilot.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "pilot.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istio-pilot
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
maxReplicas: {{ .Values.autoscaleMax }}
minReplicas: {{ .Values.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-pilot
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.cpu.targetAverageUtilization }}
---
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-pilot-{{ .Release.Namespace }}
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["config.istio.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["rbac.istio.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["security.istio.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.istio.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["authentication.istio.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["ingresses", "ingresses/status"]
verbs: ["*"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "namespaces", "nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "watch", "list", "update", "delete"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete"]
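Review bot: The `secrets` rule near the end of the role grants `create`, `update` and `delete` cluster-wide on top of the read verbs, and together with `*` on `customresourcedefinitions` this makes the pilot ServiceAccount one of the most powerful principals in the cluster, yet nothing in the change says which pilot feature needs write access to secrets. Add a comment on that rule naming the consumer, `# write verbs on secrets: <pilot feature that needs them — TODO confirm>`, or trim it to `["get", "watch", "list"]` if pilot in this release only reads gateway TLS secrets. The `rbac.istio.io` and `security.istio.io` rules above already use the read-only verb set, so the narrower form has a precedent in this file.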
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-pilot-{{ .Release.Namespace }}
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-pilot-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-pilot-service-account
namespace: {{ .Release.Namespace }}
{{- if .Values.jwksResolverExtraRootCA }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-jwks-extra-cacerts
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-pilot
namespace: {{ .Release.Namespace }}
# TODO: default template doesn't have this, which one is right ?
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: pilot
spec:
{{- if not .Values.autoscaleEnabled }}
{{- if .Values.replicaCount }}
replicas: {{ .Values.replicaCount }}
{{- else }}
replicas: 1
{{- end }}
{{- end }}
strategy:
rollingUpdate:
maxSurge: {{ .Values.rollingMaxSurge }}
maxUnavailable: {{ .Values.rollingMaxUnavailable }}
selector:
matchLabels:
istio: pilot
template:
metadata:
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: pilot
annotations:
sidecar.istio.io/inject: "false"
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: istio-pilot-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: discovery
image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- "discovery"
- --monitoringAddr=:{{ .Values.global.monitoringPort }}
{{- if $.Values.global.logging.level }}
- --log_output_level={{ $.Values.global.logging.level }}
{{- end}}
- --domain
- {{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.oneNamespace }}
- "-a"
- {{ .Release.Namespace }}
{{- end }}
{{- if and $.Values.global.controlPlaneSecurityEnabled (not .Values.sidecar)}}
- --secureGrpcAddr
- ":15011"
{{- else }}
- --secureGrpcAddr
- ""
{{- end }}
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
- --keepaliveMaxServerConnectionAge
- "{{ .Values.keepaliveMaxServerConnectionAge }}"
ports:
- containerPort: 8080
- containerPort: 15010
{{- if not .Values.sidecar }}
- containerPort: 15011
{{- end }}
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 5
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
{{- if .Values.env }}
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
{{- if .Values.traceSampling }}
- name: PILOT_TRACE_SAMPLING
value: "{{ .Values.traceSampling }}"
{{- end }}
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
value: "{{ .Values.enableProtocolSniffingForOutbound }}"
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
value: "{{ .Values.enableProtocolSniffingForInbound }}"
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- if .Values.jwksResolverExtraRootCA }}
- name: extracacerts
mountPath: /cacerts
{{- end }}
{{- if .Values.sidecar }}
- name: istio-proxy
image: "{{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 15003
- containerPort: 15005
- containerPort: 15007
- containerPort: 15011
args:
- proxy
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --serviceCluster
- istio-pilot
- --templateFile
- /etc/istio/proxy/envoy_pilot.yaml.tmpl
{{- if $.Values.global.controlPlaneSecurityEnabled}}
- --controlPlaneAuthPolicy
- MUTUAL_TLS
{{- else }}
- --controlPlaneAuthPolicy
- NONE
{{- end }}
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
{{- if $.Values.global.proxy.logLevel }}
- --proxyLogLevel={{ $.Values.global.proxy.logLevel }}
{{- end}}
{{- if $.Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ $.Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if $.Values.global.logging.level }}
- --log_output_level={{ $.Values.global.logging.level }}
{{- end}}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: SDS_ENABLED
value: "{{ $.Values.global.sds.enabled }}"
resources:
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- if $.Values.global.sds.enabled }}
- name: sds-uds-path
mountPath: /var/run/sds
readOnly: true
- name: istio-token
mountPath: /var/run/secrets/tokens
{{- end }}
{{- end }}
volumes:
{{- if $.Values.global.sds.enabled }}
- hostPath:
path: /var/run/sds
name: sds-uds-path
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ $.Values.global.sds.token.aud }}
expirationSeconds: 43200
path: istio-token
{{- end }}
- name: config-volume
configMap:
name: istio
- name: istio-certs
secret:
secretName: istio.istio-pilot-service-account
optional: true
{{- if .Values.jwksResolverExtraRootCA }}
- name: extracacerts
configMap:
name: istio-jwks-extra-cacerts
{{- end }}
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
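Review bot: The `audience:` line inside the `istio-token` projected volume renders `$.Values.global.sds.token.aud` unquoted, unlike `extra.pem` in the jwks ConfigMap which uses `| quote`; if the value is unset the line renders as `audience:` (null), and the projected ServiceAccount token then carries the API server's default audience instead of the SDS-specific one, so the template silently widens where that mounted token is accepted. Change it to `audience: {{ $.Values.global.sds.token.aud | quote }}`, or wrap the value in `required`, so a missing or boolean-looking value fails at render time. The `{{- end}}` closers on the `log_output_level` and proxy log-level blocks also differ from the `{{- end }}` spelling used everywhere else in this file; harmless to the renderer, but worth normalising while the file is new.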
{{- if .Values.global.meshExpansion.enabled }}
{{- if .Values.global.meshExpansion.useILB }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-ilb-vs-pilot
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
hosts:
- istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
gateways:
- meshexpansion-ilb-gateway
tcp:
- match:
- port: 15011
route:
- destination:
host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 15011
- match:
- port: 15010
route:
- destination:
host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 15010
- match:
- port: 5353
route:
- destination:
host: kube-dns.kube-system.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 53
---
{{- else }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-vs-pilot
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
hosts:
- istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
gateways:
- meshexpansion-gateway
tcp:
- match:
- port: 15011
route:
- destination:
host: istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 15011
---
{{- end }}
{{- if .Values.global.controlPlaneSecurityEnabled }}
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: meshexpansion-dr-pilot
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
trafficPolicy:
portLevelSettings:
- port:
number: 15011
tls:
mode: DISABLE
---
{{- end }}
{{- end }}
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istio-pilot
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: pilot
spec:
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
{{- end }}
selector:
matchLabels:
app: {{ template "pilot.name" . }}
release: {{ .Release.Name }}
istio: pilot
{{- end }}
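Review bot: The inner `{{- if .Values.global.defaultPodDisruptionBudget.enabled }}` around the `podDisruptionBudget.spec` include repeats the condition that already wraps the whole PodDisruptionBudget document, so the include can never be skipped; dropping the inner guard leaves `spec:` followed directly by `{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}`. That include is not piped through `indent`, so it presumably relies on the named template emitting its keys already indented under `spec:`; a comment saying so, `# podDisruptionBudget.spec emits its keys pre-indented for spec:`, would save the next reader a trip to the helpers file.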
apiVersion: v1
kind: Service
metadata:
name: istio-pilot
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: pilot
spec:
ports:
- port: 15010
name: grpc-xds # direct
- port: 15011
name: https-xds # mTLS
- port: 8080
name: http-legacy-discovery # direct
- port: {{ .Values.global.monitoringPort }}
name: http-monitoring
selector:
istio: pilot
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-pilot-service-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "pilot.name" . }}
chart: {{ template "pilot.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
#
# pilot configuration
#
enabled: true
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
# specify replicaCount when autoscaleEnabled: false
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
sidecar: true
traceSampling: 1.0
# if protocol sniffing is enabled for outbound
enableProtocolSniffingForOutbound: true
# if protocol sniffing is enabled for inbound
enableProtocolSniffingForInbound: false
# Resources for a small pilot install
resources:
requests:
cpu: 500m
memory: 2048Mi
env:
PILOT_PUSH_THROTTLE: 100
cpu:
targetAverageUtilization: 80
nodeSelector: {}
tolerations: []
podAnnotations: {}
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# The following is used to limit how long a sidecar can be connected
# to a pilot. It balances out load across pilot instances at the cost of
# increasing system churn.
keepaliveMaxServerConnectionAge: 30m
# This is used to set the source of configuration for
# the associated address in configSource, if nothing is specificed
# the default MCP is assumed. The alternative option is SERVICE_REGISTRY
# which describes the source is only forwarding synthetic service entries
configSource:
subscribedResources:
apiVersion: v1
appVersion: 2.8.0
description: A Helm chart for Kubernetes
name: prometheus
tillerVersion: '>=2.7.2'
version: 1.4.3
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "prometheus.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "prometheus.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "prometheus.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: prometheus-{{ .Release.Namespace }}
labels:
app: prometheus
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- nodes
- services
- endpoints
- pods
- nodes/proxy
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["get"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
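Review bot: The `nodes/proxy` entry in the first rule grants `get` on every kubelet path reachable through the API server proxy, not only the `/metrics` and `/metrics/cadvisor` paths that the `kubernetes-nodes` and `kubernetes-cadvisor` scrape jobs in the prometheus ConfigMap use, which makes it the broadest grant in this role. Add a comment on that line tying it to its consumer, `# nodes/proxy: required by the kubelet and cAdvisor scrape jobs (/api/v1/nodes/<name>/proxy/metrics)`, so it can be dropped if those jobs are removed. RBAC cannot restrict `nodes/proxy` to a sub-path, so the practical mitigation is keeping the `prometheus` ServiceAccount bound to this role from being used by any other workload.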
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: prometheus-{{ .Release.Namespace }}
labels:
app: prometheus
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: prometheus
namespace: {{ .Release.Namespace }}
apiVersion: v1
kind: ConfigMap
metadata:
name: prometheus
namespace: {{ .Release.Namespace }}
labels:
app: prometheus
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
prometheus.yml: |-
global:
scrape_interval: {{ .Values.scrapeInterval }}
scrape_configs:
- job_name: 'istio-mesh'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- {{ .Release.Namespace }}
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-telemetry;prometheus
# Scrape config for envoy stats
- job_name: 'envoy-stats'
metrics_path: /stats/prometheus
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_container_port_name]
action: keep
regex: '.*-envoy-prom'
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:15090
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
- job_name: 'istio-policy'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- {{ .Release.Namespace }}
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-policy;http-monitoring
- job_name: 'istio-telemetry'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- {{ .Release.Namespace }}
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-telemetry;http-monitoring
- job_name: 'pilot'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- {{ .Release.Namespace }}
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-pilot;http-monitoring
- job_name: 'galley'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- {{ .Release.Namespace }}
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-galley;http-monitoring
- job_name: 'citadel'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- {{ .Release.Namespace }}
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-citadel;http-monitoring
# scrape config for API servers
- job_name: 'kubernetes-apiservers'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- default
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: kubernetes;https
# scrape config for nodes (kubelet)
- job_name: 'kubernetes-nodes'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics
# Scrape config for Kubelet cAdvisor.
#
# This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
# (those whose names begin with 'container_') have been removed from the
# Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
# retrieve those metrics.
#
# In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
# HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
# in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
# the --cadvisor-port=0 Kubelet flag).
#
# This job is not necessary and should be removed in Kubernetes 1.6 and
# earlier versions, or it will cause the metrics to be scraped twice.
- job_name: 'kubernetes-cadvisor'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
# scrape config for service endpoints.
- job_name: 'kubernetes-service-endpoints'
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: kubernetes_name
- job_name: 'kubernetes-pods'
kubernetes_sd_configs:
- role: pod
relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job.
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
# Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http"
- source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme]
action: keep
regex: ((;.*)|(.*;http))
- source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
action: drop
regex: (true)
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
- job_name: 'kubernetes-pods-istio-secure'
scheme: https
tls_config:
ca_file: /etc/istio-certs/root-cert.pem
cert_file: /etc/istio-certs/cert-chain.pem
key_file: /etc/istio-certs/key.pem
insecure_skip_verify: true # prometheus does not support secure naming.
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
# sidecar status annotation is added by sidecar injector and
# istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
- source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
action: keep
regex: (([^;]+);([^;]*))|(([^;]*);(true))
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
action: drop
regex: (http)
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__] # Only keep address that is host:port
action: keep # otherwise an extra target with ':443' is added for https scheme
regex: ([^:]+):(\d+)
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
\ No newline at end of file
# TODO: the original template has service account, roles, etc
apiVersion: apps/v1
kind: Deployment
metadata:
name: prometheus
namespace: {{ .Release.Namespace }}
labels:
app: prometheus
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: prometheus
template:
metadata:
labels:
app: prometheus
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: prometheus
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: prometheus
image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- '--storage.tsdb.retention={{ .Values.retention }}'
- '--config.file=/etc/prometheus/prometheus.yml'
ports:
- containerPort: 9090
name: http
livenessProbe:
httpGet:
path: /-/healthy
port: 9090
readinessProbe:
httpGet:
path: /-/ready
port: 9090
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
volumeMounts:
- name: config-volume
mountPath: /etc/prometheus
- mountPath: /etc/istio-certs
name: istio-certs
volumes:
- name: config-volume
configMap:
name: prometheus
- name: istio-certs
secret:
defaultMode: 420
{{- if not .Values.security.enabled }}
optional: true
{{- end }}
secretName: istio.default
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
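Review bot: The `serviceAccountName: prometheus` referenced in this Deployment has no ClusterRole or ClusterRoleBinding anywhere in this chunk, and the TODO at the top of the file says the original template's roles were left out; the scrape config above uses `kubernetes_sd_configs` with `role: pod`, which needs list/watch on pods (and on nodes, services and endpoints for the other jobs), so service discovery will presumably fail with 403 unless the RBAC is defined elsewhere in the chart. If the omission is deliberate, replace the TODO with a comment naming where the role comes from. Separately, the `istio-certs` volume mounts the secret `istio.default`, which by the `istio.<serviceaccount>` naming used for the sidecar-injector later in this PR is the Citadel-issued identity of the `default` service account, so Prometheus presents that identity on its https scrapes rather than one of its own; a comment above `secretName: istio.default` such as `# Citadel-issued key/cert of the 'default' SA in this namespace; Prometheus presents this identity on mTLS scrapes` would make that visible to operators.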
{{- if .Values.ingress.enabled -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: prometheus
namespace: {{ .Release.Namespace }}
labels:
app: prometheus
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- if .Values.ingress.hosts }}
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
backend:
serviceName: prometheus
servicePort: 9090
{{- end -}}
{{- else }}
- http:
paths:
- path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
backend:
serviceName: prometheus
servicePort: 9090
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
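Review bot: The Ingress uses `apiVersion: extensions/v1beta1`, which is deprecated in favour of `networking.k8s.io/v1beta1` and is removed in Kubernetes 1.22, so the chart will stop rendering a usable Ingress on newer clusters. Prometheus itself has no authentication, so when `ingress.enabled` is set this exposes every scraped metric (and the `/-/` endpoints) to anyone who can reach the host; the `annotations` map is the only place an operator can attach an auth-requiring annotation. A one-line comment in values.yaml above `ingress.enabled`, e.g. `# Prometheus is unauthenticated; if enabling, put auth in front via ingress annotations`, would make that expectation explicit.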
apiVersion: v1
kind: Service
metadata:
name: prometheus
namespace: {{ .Release.Namespace }}
annotations:
prometheus.io/scrape: 'true'
{{- range $key, $val := .Values.service.annotations }}
{{ $key }}: {{ $val | quote }}
{{- end }}
labels:
app: prometheus
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
app: prometheus
ports:
- name: http-prometheus
protocol: TCP
port: 9090
{{- if .Values.service.nodePort.enabled }}
# Using separate ingress for nodeport, to avoid conflict with pilot e2e test configs.
---
apiVersion: v1
kind: Service
metadata:
name: prometheus-nodeport
namespace: {{ .Release.Namespace }}
labels:
app: prometheus
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
type: NodePort
ports:
- port: 9090
nodePort: {{ .Values.service.nodePort.port }}
name: http-prometheus
selector:
app: prometheus
{{- end }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: prometheus
namespace: {{ .Release.Namespace }}
labels:
app: prometheus
chart: {{ template "prometheus.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.global.enableHelmTest }}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "prometheus.fullname" . }}-test
namespace: {{ .Release.Namespace }}
labels:
app: prometheus-test
chart: {{ template "prometheus.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: prometheus
annotations:
sidecar.istio.io/inject: "false"
helm.sh/hook: test-success
spec:
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: "{{ template "prometheus.fullname" . }}-test"
image: {{ template "system_default_registry" . }}{{ .Values.global.curl.repository }}:{{ .Values.global.curl.tag }}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && exit 0 || sleep 15; done; exit 1']
restartPolicy: Never
affinity:
{{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 2 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 2 }}
{{- end }}
{{- end }}
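Review bot: The `image:` line in the test container is unquoted, while the container `name` on the previous line and the equivalent `image:` in the citadel test pod later in this PR are quoted; the rendered value is a plain scalar either way, but the mixed style invites a quoting slip if a registry or tag value ever starts with a YAML indicator. For consistency write `image: "{{ template "system_default_registry" . }}{{ .Values.global.curl.repository }}:{{ .Values.global.curl.tag }}"`.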
#
# addon prometheus configuration
#
enabled: true
replicaCount: 1
retention: 6h
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# Controls the frequency of prometheus scraping
scrapeInterval: 15s
contextPath: /prometheus
ingress:
enabled: false
## Used to create an Ingress record.
hosts:
- prometheus.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: prometheus-tls
# hosts:
# - prometheus.local
service:
annotations: {}
nodePort:
enabled: false
port: 32090
security:
enabled: true
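Review bot: `ingress.annotations:` and `ingress.tls:` are bare keys whose only content is comments, so they parse as null; the templates tolerate that (`range` over nil is empty and `if` on nil is false), but `service.annotations: {}` in the same file uses the explicit empty form, so the file is inconsistent about how "nothing configured" is spelled. Write `annotations: {}` and `tls: []` and keep the commented examples beneath them. It would also help to note what `security.enabled` actually controls here, since the only place it is read in this chunk is the `optional: true` on the `istio.default` secret mount: `# when false, the istio.default cert secret is optional so Prometheus can start without Citadel`.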
apiVersion: v1
appVersion: 1.4.3
description: Helm chart for istio authentication
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
keywords:
- istio
- security
name: security
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.3
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "security.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "security.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "security.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
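Review bot: The comment above `security.chart` says it creates "chart name and version", but the template emits only `.Chart.Name` truncated to 63 characters; the `sidecar-injector.chart` helper later in this PR has the same mismatch. Replace the comment with `{{/* Chart name only (version deliberately omitted), as used by the chart label. */}}` or include the version if that was the intent.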
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-citadel-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "watch", "list", "update", "delete"]
- apiGroups: [""]
resources: ["serviceaccounts", "services", "namespaces"]
verbs: ["get", "watch", "list"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
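Review bot: This ClusterRole grants create/update/delete on `secrets` across every namespace, which is the highest-value permission in the cluster, and nothing in the file says why it is needed. The deployment in this chart runs Citadel with `CITADEL_ENABLE_NAMESPACES_BY_DEFAULT`, whose values.yaml description says Citadel generates secrets for service accounts in each namespace it manages, so the scope is inherent to the design; say so next to the rule, e.g. `# Citadel writes istio.<serviceaccount> key/cert secrets into every namespace it manages (see enableNamespacesByDefault), so secret write access must be cluster-wide`. A similar one-line reason on the `tokenreviews` rule would help reviewers auditing this role later.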
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-citadel-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-citadel-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-citadel-service-account
namespace: {{ .Release.Namespace }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-security-custom-resources
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: citadel
data:
custom-resources.yaml: |-
{{- if .Values.global.mtls.enabled }}
{{- include "security-default.yaml.tpl" . | indent 4}}
{{- else }}
{{- include "security-permissive.yaml.tpl" . | indent 4}}
{{- end }}
run.sh: |-
{{- include "install-custom-resources.sh.tpl" . | indent 4}}
{{- if .Values.createMeshPolicy }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-security-post-install-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-security-post-install-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
resources: ["*"]
verbs: ["*"]
- apiGroups: ["networking.istio.io"] # needed to create security destination rules
resources: ["*"]
verbs: ["*"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-security-post-install-role-binding-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-security-post-install-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-security-post-install-account
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: istio-security-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
template:
metadata:
name: istio-security-post-install
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-security-post-install-account
containers:
- name: kubectl
image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
imagePullPolicy: IfNotPresent
command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
volumeMounts:
- mountPath: "/tmp/security"
name: tmp-configmap-security
volumes:
- name: tmp-configmap-security
configMap:
name: istio-security-custom-resources
restartPolicy: OnFailure
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}
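Review bot: The post-install ClusterRole grants `*` verbs on `*` resources in `authentication.istio.io` and `networking.istio.io`, yet the only resources the mounted ConfigMap creates are a `MeshPolicy` and two `DestinationRule`s, so `resources: ["meshpolicies"]` and `resources: ["destinationrules"]` with the verbs that `run.sh`'s kubectl invocation actually needs would be sufficient (apply requires get, create and patch; the script itself is not visible here). Only the Job carries `helm.sh/hook` annotations, so the ServiceAccount, ClusterRole and ClusterRoleBinding persist as regular release resources after the hook is deleted, leaving a standing wildcard-privileged identity; either annotate them as hooks with the same delete policy (adding `helm.sh/hook-weight` so they are created before the Job) or document that they are intentionally long-lived. The `imagePullPolicy: IfNotPresent` is also hard-coded here while every other container in this PR uses `{{ .Values.global.imagePullPolicy }}`.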
# istio CA watching all namespaces
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-citadel
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: citadel
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
istio: citadel
strategy:
rollingUpdate:
maxSurge: {{ .Values.rollingMaxSurge }}
maxUnavailable: {{ .Values.rollingMaxUnavailable }}
template:
metadata:
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: citadel
annotations:
sidecar.istio.io/inject: "false"
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: istio-citadel-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: citadel
image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
{{- if .Values.global.sds.enabled }}
- --sds-enabled=true
{{- end }}
- --append-dns-names=true
- --grpc-port=8060
- --citadel-storage-namespace={{ .Release.Namespace }}
- --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }}
- --monitoring-port={{ .Values.global.monitoringPort }}
{{- if .Values.selfSigned }}
- --self-signed-ca=true
{{- else }}
- --self-signed-ca=false
- --signing-cert=/etc/cacerts/ca-cert.pem
- --signing-key=/etc/cacerts/ca-key.pem
- --root-cert=/etc/cacerts/root-cert.pem
- --cert-chain=/etc/cacerts/cert-chain.pem
{{- end }}
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
{{- if .Values.workloadCertTtl }}
- --workload-cert-ttl={{ .Values.workloadCertTtl }}
{{- end }}
{{- if .Values.citadelHealthCheck }}
- --liveness-probe-path=/tmp/ca.liveness # path to the liveness health check status file
- --liveness-probe-interval=60s # interval for health check file update
- --probe-check-interval=15s # interval for health status check
{{- end }}
env:
- name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT
value: "{{ .Values.enableNamespacesByDefault }}"
{{- if .Values.env }}
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
{{- end }}
{{- if .Values.citadelHealthCheck }}
livenessProbe:
exec:
command:
- /usr/local/bin/istio_ca
- probe
- --probe-path=/tmp/ca.liveness # path to the liveness health check status file
- --interval=125s # the maximum time gap allowed between the file mtime and the current sys clock
initialDelaySeconds: 60
periodSeconds: 60
{{- end }}
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
{{- if not .Values.selfSigned }}
volumeMounts:
- name: cacerts
mountPath: /etc/cacerts
readOnly: true
volumes:
- name: cacerts
secret:
secretName: cacerts
optional: true
{{- end }}
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
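Review bot: In the `{{- if not .Values.selfSigned }}` branch the `cacerts` secret is marked `optional: true`, so a missing secret no longer blocks pod creation: the pod is scheduled, Citadel starts with `--self-signed-ca=false` and signing paths under `/etc/cacerts` that do not exist, and the misconfiguration surfaces as a crash loop instead of a MountVolume event naming the secret. Since this branch is rendered only when the operator has chosen to supply their own CA, the secret is not really optional; drop `optional: true` here, or add a comment explaining why a secret created after the deployment must be tolerated. A short comment above the branch, `# Operator-supplied CA: signing key is read from the 'cacerts' secret`, would also help, since the key material mounted here is the mesh root of trust.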
{{- define "security-default.yaml.tpl" }}
# These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
# they are added to Istio installation yaml for backward compatible. In future, they should be in
# a separated yaml file so that customer can enable mTLS independent from installation.
# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
name: "default"
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
peers:
- mtls: {}
---
# Corresponding destination rule to configure client side to use mutual TLS when talking to
# any service (host) in the mesh.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "default"
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
host: "*.local"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
# Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar.
# Customer should add similar destination rules for other services that don't have sidecar.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "api-server"
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
host: "kubernetes.default.svc.{{ .Values.global.proxy.clusterDomain }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: DISABLE
{{- end }}
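Review bot: The mesh-wide DestinationRule hard-codes `host: "*.local"` while the api-server rule in the same template builds its host from `.Values.global.proxy.clusterDomain`; if the cluster domain does not end in `.local`, in-mesh hosts would presumably not match the ISTIO_MUTUAL rule even though the MeshPolicy above requires mTLS, and client-side calls would fail the handshake. If `*.local` is deliberate (covering any `.local` suffix), say so in the comment above the rule; otherwise `host: "*.{{ .Values.global.proxy.clusterDomain }}"` keeps the two rules consistent.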
{{- define "security-permissive.yaml.tpl" }}
# Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
name: "default"
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
peers:
- mtls:
mode: PERMISSIVE
{{- end }}
{{- if .Values.global.meshExpansion.enabled }}
{{- if .Values.global.meshExpansion.useILB }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-vs-citadel-ilb
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: citadel
spec:
hosts:
- istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
gateways:
- meshexpansion-ilb-gateway
tcp:
- match:
- port: 8060
route:
- destination:
host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 8060
---
{{- else }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-vs-citadel
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: citadel
spec:
hosts:
- istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
gateways:
- meshexpansion-gateway
tcp:
- match:
- port: 8060
route:
- destination:
host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 8060
---
{{- end }}
{{- end }}
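Review bot: The `useILB` and non-ILB branches render the same VirtualService and differ only in the `-ilb` name suffix and the gateway name, so a single block with those two values in template variables would halve the file and keep the two from drifting. Reassigning a variable inside an `if` needs Helm 2.12 or later, whereas the chart declares `tillerVersion: '>=2.7.2'`, so either raise the minimum or keep the duplication and note it with `# kept as two blocks: variable reassignment is unavailable on the declared minimum Helm version`.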
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istio-citadel
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: citadel
spec:
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
{{- end }}
selector:
matchLabels:
app: {{ template "security.name" . }}
release: {{ .Release.Name }}
istio: citadel
{{- end }}
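Review bot: The inner `{{- if .Values.global.defaultPodDisruptionBudget.enabled }}` around the `podDisruptionBudget.spec` include is redundant, because the whole resource is already wrapped in the identical condition at the top of the file; the nested check can never be false. Remove the inner `if`/`end` pair and leave `{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}` directly under `spec:`.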
apiVersion: v1
kind: Service
metadata:
# we use the normal name here (e.g. 'prometheus')
# as grafana is configured to use this as a data source
name: istio-citadel
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: citadel
spec:
ports:
- name: grpc-citadel
port: 8060
targetPort: 8060
protocol: TCP
- name: http-monitoring
port: {{ .Values.global.monitoringPort }}
selector:
istio: citadel
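Review bot: The metadata comment ("we use the normal name here (e.g. 'prometheus') as grafana is configured to use this as a data source") is copied from the Prometheus chart and does not describe this Service, which exposes Citadel's gRPC CSR port and its monitoring port. Replace it with `# gRPC CSR endpoint (8060) and monitoring port for Citadel; clients address it as istio-citadel.<namespace>`. The `http-monitoring` port also has no `targetPort`, which is fine since it defaults to `port`, but stating it explicitly would match the `grpc-citadel` entry.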
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-citadel-service-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ template "security.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.global.enableHelmTest }}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "security.fullname" . }}-test
namespace: {{ .Release.Namespace }}
labels:
app: istio-citadel-test
chart: {{ template "security.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: citadel
annotations:
sidecar.istio.io/inject: "false"
helm.sh/hook: test-success
spec:
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: "{{ template "security.fullname" . }}-test"
image: "{{ template "system_default_registry" . }}{{ .Values.global.curl.repository }}:{{ .Values.global.curl.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:{{ .Values.global.monitoringPort }}/version && exit 0 || sleep 15; done; exit 1']
restartPolicy: Never
affinity:
{{- include "nodeaffinity" . | indent 4 }}
{{- include "podAntiAffinity" . | indent 4 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 2 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 2 }}
{{- end }}
{{- end }}
#
# security configuration
#
enabled: true
replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
selfSigned: true # indicate if self-signed CA is used.
createMeshPolicy: true
nodeSelector: {}
tolerations: []
podAnnotations: {}
# Enable health checking on the Citadel CSR signing API.
# https://istio.io/docs/tasks/security/health-check/
citadelHealthCheck: false
# 90*24hour = 2160h
workloadCertTtl: 2160h
# Environment variables that configure Citadel.
env: {}
# Determines Citadel default behavior if the ca.istio.io/env or ca.istio.io/override
# labels are not found on a given namespace.
#
# For example: consider a namespace called "target", which has neither the "ca.istio.io/env"
# nor the "ca.istio.io/override" namespace labels. To decide whether or not to generate secrets
# for service accounts created in this "target" namespace, Citadel will defer to this option. If the value
# of this option is "true" in this case, secrets will be generated for the "target" namespace.
# If the value of this option is "false" Citadel will not generate secrets upon service account creation.
enableNamespacesByDefault: true
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
apiVersion: v1
appVersion: 1.4.3
description: Helm chart for sidecar injector webhook deployment
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
keywords:
- istio
- sidecarInjectorWebhook
name: sidecarInjectorWebhook
sources:
- http://github.com/istio/istio
tillerVersion: '>=2.7.2'
version: 1.4.3
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "sidecar-injector.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "sidecar-injector.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "sidecar-injector.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-sidecar-injector-{{ .Release.Namespace }}
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ template "sidecar-injector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: sidecar-injector
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
{{- if not .Values.global.operatorManageWebhooks }}
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }}
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ template "sidecar-injector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: sidecar-injector
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-sidecar-injector-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-sidecar-injector-service-account
namespace: {{ .Release.Namespace }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ template "sidecar-injector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: sidecar-injector
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
istio: sidecar-injector
strategy:
rollingUpdate:
maxSurge: {{ .Values.rollingMaxSurge }}
maxUnavailable: {{ .Values.rollingMaxUnavailable }}
template:
metadata:
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ template "sidecar-injector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: sidecar-injector
annotations:
sidecar.istio.io/inject: "false"
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: istio-sidecar-injector-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: sidecar-injector-webhook
image: "{{ template "system_default_registry" . }}{{ .Values.repository }}:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- --caCertFile=/etc/istio/certs/root-cert.pem
- --tlsCertFile=/etc/istio/certs/cert-chain.pem
- --tlsKeyFile=/etc/istio/certs/key.pem
- --injectConfig=/etc/istio/inject/config
- --meshConfig=/etc/istio/config/mesh
- --healthCheckInterval=2s
- --healthCheckFile=/health
{{- if .Values.global.operatorManageWebhooks }}
- --reconcileWebhookConfig=false
{{- else }}
- --reconcileWebhookConfig=true
{{- end }}
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
readOnly: true
- name: certs
mountPath: /etc/istio/certs
readOnly: true
- name: inject-config
mountPath: /etc/istio/inject
readOnly: true
livenessProbe:
exec:
command:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/health
- --interval=4s
initialDelaySeconds: 4
periodSeconds: 4
readinessProbe:
exec:
command:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/health
- --interval=4s
initialDelaySeconds: 4
periodSeconds: 4
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
volumes:
- name: config-volume
configMap:
name: istio
- name: certs
secret:
{{- if .Values.global.certificates }}
secretName: dns.istio-sidecar-injector-service-account
{{- else }}
secretName: istio.istio-sidecar-injector-service-account
{{- end }}
- name: inject-config
configMap:
name: istio-sidecar-injector
items:
- key: config
path: config
- key: values
path: values
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
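Review bot: The `sidecar-injector-webhook` container declares no `securityContext`, although it holds the webhook's TLS private key (`/etc/istio/certs/key.pem` from the `certs` secret) and, through its ServiceAccount's ClusterRole, can patch MutatingWebhookConfigurations. A minimal hardening block of `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `runAsNonRoot: true` bounds what a compromised injector process could do; `runAsNonRoot` depends on the user configured in `{{ .Values.repository }}:{{ .Values.tag }}`, so verify the image runs unprivileged before enabling it. `readOnlyRootFilesystem: true` is not a drop-in here because the container writes `--healthCheckFile=/health` at the root, so it would first need an `emptyDir` mounted at a path the health file is moved under. Indentation below is written for a normally indented manifest; this page shows the template flattened.
```yaml
      containers:
      - name: sidecar-injector-webhook
        # … unchanged: image, imagePullPolicy, args, volumeMounts, probes, resources …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          runAsNonRoot: true  # only if the image's configured user is non-root — verify
```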
{{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: istio-sidecar-injector
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ template "sidecar-injector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
webhooks:
- name: sidecar-injector.istio.io
clientConfig:
service:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
path: "/inject"
caBundle: ""
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
namespaceSelector:
{{- if .Values.enableNamespacesByDefault }}
matchExpressions:
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
- key: istio-injection
operator: NotIn
values:
- disabled
{{- else }}
matchLabels:
istio-injection: enabled
{{- end }}
{{- end }}
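Review bot: When `enableNamespacesByDefault` is set, the exclusion of the control-plane namespace relies on a `name` label on the Namespace object (`key: name`, `operator: NotIn`), and Kubernetes does not add such a label by itself; if the release namespace lacks it, the only thing preventing injection into `{{ .Release.Namespace }}` is the per-pod `sidecar.istio.io/inject: "false"` annotation, which every control-plane workload would have to carry. A comment above `namespaceSelector` stating the precondition, e.g. `# requires the Namespace to carry a 'name' label equal to its name; Kubernetes does not set this automatically`, would make that visible to operators. Separately, `caBundle: ""` together with `failurePolicy: Fail` means pod creation in selected namespaces is rejected until the injector's `--reconcileWebhookConfig=true` pass has patched the bundle in; that is the intended fail-closed behaviour, but it ties admission in those namespaces to injector availability and deserves a short comment as well.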
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "sidecar-injector.name" . }}
release: {{ .Release.Name }}
istio: sidecar-injector
spec:
{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
selector:
matchLabels:
app: {{ template "sidecar-injector.name" . }}
release: {{ .Release.Name }}
istio: sidecar-injector
{{- end }}
apiVersion: v1
kind: Service
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ template "sidecar-injector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: sidecar-injector
spec:
ports:
- port: 443
name: https-inject
- port: {{ .Values.global.monitoringPort }}
name: http-monitoring
selector:
istio: sidecar-injector
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-sidecar-injector-service-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ template "sidecar-injector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: sidecar-injector
#
# sidecar-injector webhook configuration
#
enabled: true
replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
enableNamespacesByDefault: false
nodeSelector: {}
tolerations: []
podAnnotations: {}
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# If true, webhook or istioctl injector will rewrite PodSpec for liveness
# health check to redirect request to sidecar. This makes liveness check work
# even when mTLS is enabled.
rewriteAppHTTPProbe: false
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
neverInjectSelector: []
alwaysInjectSelector: []
# injectedAnnotations are additional annotations that will be added to the pod spec after injection
# This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
#
# annotations:
# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
#
# The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
# the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
# injectedAnnotations:
# container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
# container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
injectedAnnotations: {}
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
apiVersion: v1
appVersion: 1.5.1
description: A Helm chart for Kubernetes
name: tracing
tillerVersion: '>=2.7.2'
version: 1.4.3
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "tracing.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "tracing.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "tracing.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}