Unverified commit 68cf4200, authored by Denise, committed by GitHub

Merge pull request #152 from cbron/istio-mirror-images

Istio 1.4.300
parents f2a33b9b a3cf28cb
{{ if eq .Values.provider "jaeger" }}
# Jaeger "all-in-one" deployment: agent, collector and query UI run in this single pod
# (no `replicas` is set, so the Deployment defaults to one).
#
# NOTE(review): the pod opts out of sidecar injection (sidecar.istio.io/inject: "false"),
# so nothing reaching the collector or query ports below is protected by mesh mTLS, and
# this chart configures no authentication in front of the query UI/API on 16686.
# Restrict who can reach the `tracing` Service / Ingress (network policy, auth at the
# ingress) before exposing it beyond the cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-tracing
  namespace: {{ .Release.Namespace }}
  labels:
    app: jaeger
    chart: {{ template "tracing.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  selector:
    matchLabels:
      app: jaeger
  template:
    metadata:
      labels:
        app: jaeger
        chart: {{ template "tracing.chart" . }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
      annotations:
        # Not meshed; Prometheus scrapes the admin port (14269), the same port the probes use.
        sidecar.istio.io/inject: "false"
        prometheus.io/scrape: "true"
        prometheus.io/port: "14269"
{{- if .Values.jaeger.podAnnotations }}
{{ toYaml .Values.jaeger.podAnnotations | indent 8 }}
{{- end }}
    spec:
{{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
{{- if .Values.global.imagePullSecrets }}
      imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
        - name: {{ . }}
{{- end }}
{{- end }}
      containers:
        - name: jaeger
          # jaeger.repository / jaeger.tag are not defined in this chart's values.yaml; they
          # are expected from the parent chart, prefixed with the system default registry.
          image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}"
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
          # Port roles follow the Service definitions in service-jaeger.yaml / service.yaml.
          ports:
            - containerPort: 9411   # Zipkin-compatible collector (COLLECTOR_ZIPKIN_HTTP_PORT)
            - containerPort: 16686  # query UI / API
            - containerPort: 14250  # collector gRPC
            - containerPort: 14267  # collector tchannel
            - containerPort: 14268  # collector HTTP
            - containerPort: 14269  # admin: health + metrics
            - containerPort: 5775   # agent: zipkin thrift
              protocol: UDP
            - containerPort: 6831   # agent: compact thrift
              protocol: UDP
            - containerPort: 6832   # agent: binary thrift
              protocol: UDP
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
{{- if eq .Values.jaeger.spanStorageType "badger" }}
            # Badger keeps spans under the /badger mount defined below. Unless jaeger.persist
            # is true that mount is an emptyDir, so data only survives container restarts,
            # not pod rescheduling (BADGER_EPHEMERAL=false presumably just keeps files on
            # the mount instead of a temp dir — confirm against the Jaeger docs).
            - name: BADGER_EPHEMERAL
              value: "false"
            - name: SPAN_STORAGE_TYPE
              value: "badger"
            - name: BADGER_DIRECTORY_VALUE
              value: "/badger/data"
            - name: BADGER_DIRECTORY_KEY
              value: "/badger/key"
{{- end }}
            - name: COLLECTOR_ZIPKIN_HTTP_PORT
              value: "9411"
            - name: MEMORY_MAX_TRACES
              value: "{{ .Values.jaeger.memory.max_traces }}"
            # UI base path. Rendered as a plain scalar, so the spaces around the branches are
            # dropped by the YAML parser; the Ingress template uses the same expression.
            - name: QUERY_BASE_PATH
              value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }}
          livenessProbe:
            httpGet:
              path: /
              port: 14269
          readinessProbe:
            httpGet:
              path: /
              port: 14269
{{- if eq .Values.jaeger.spanStorageType "badger" }}
          volumeMounts:
            - name: data
              mountPath: /badger
{{- end }}
          resources:
{{- if .Values.jaeger.resources }}
{{ toYaml .Values.jaeger.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
      affinity:
      {{- include "nodeaffinity" . | indent 6 }}
      {{- include "podAntiAffinity" . | indent 6 }}
      {{- if .Values.tolerations }}
      tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
      {{- else if .Values.global.defaultTolerations }}
      tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
      {{- end }}
{{- if eq .Values.jaeger.spanStorageType "badger" }}
      volumes:
        - name: data
{{- if .Values.jaeger.persist }}
          # Claim is created by pvc.yaml only when jaeger.persist is true.
          persistentVolumeClaim:
            claimName: istio-jaeger-pvc
{{- else }}
          emptyDir: {}
{{- end }}
{{- end }}
{{ end }}
{{ if eq .Values.provider "zipkin" }}
# Zipkin deployment: a single pod keeping spans in memory (STORAGE_METHOD=mem, bounded by
# zipkin.maxSpans), so traces are lost whenever the pod restarts.
#
# NOTE(review): the pod opts out of sidecar injection (sidecar.istio.io/inject: "false"),
# so traffic to queryPort is not protected by mesh mTLS, and this chart configures no
# authentication in front of the Zipkin UI/API. Restrict access at the Service/Ingress layer.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-tracing
  namespace: {{ .Release.Namespace }}
  labels:
    app: zipkin
    chart: {{ template "tracing.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  selector:
    matchLabels:
      app: zipkin
  template:
    metadata:
      labels:
        app: zipkin
        chart: {{ template "tracing.chart" . }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
      annotations:
        sidecar.istio.io/inject: "false"
        # Legacy "critical pod" marker; pod priority (global.priorityClassName below) is the
        # supported mechanism on current clusters.
        scheduler.alpha.kubernetes.io/critical-pod: ""
{{- if .Values.zipkin.podAnnotations }}
{{ toYaml .Values.zipkin.podAnnotations | indent 8 }}
{{- end }}
    spec:
{{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
{{- if .Values.global.imagePullSecrets }}
      imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
        - name: {{ . }}
{{- end }}
{{- end }}
      containers:
        - name: zipkin
          # zipkin.repository / zipkin.tag are not defined in this chart's values.yaml; they
          # are expected from the parent chart, prefixed with the system default registry.
          image: "{{ template "system_default_registry" . }}{{ .Values.zipkin.repository }}:{{ .Values.zipkin.tag }}"
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
          ports:
            - containerPort: {{ .Values.zipkin.queryPort }}
          # Both probes wait zipkin.probeStartupDelay seconds before the first check —
          # presumably to cover JVM start-up time (see JAVA_OPTS below).
          livenessProbe:
            initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }}
            tcpSocket:
              port: {{ .Values.zipkin.queryPort }}
          readinessProbe:
            initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }}
            httpGet:
              path: /health
              port: {{ .Values.zipkin.queryPort }}
          resources:
{{- if .Values.zipkin.resources }}
{{ toYaml .Values.zipkin.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: QUERY_PORT
              value: "{{ .Values.zipkin.queryPort }}"
            # Heap is pinned (-Xms == -Xmx) to zipkin.javaOptsHeap MiB and GC/ForkJoin
            # parallelism to zipkin.node.cpus; keep the heap below the container memory
            # limit so the JVM is not OOM-killed.
            - name: JAVA_OPTS
              value: "-XX:ConcGCThreads={{ .Values.zipkin.node.cpus }} -XX:ParallelGCThreads={{ .Values.zipkin.node.cpus }} -Djava.util.concurrent.ForkJoinPool.common.parallelism={{ .Values.zipkin.node.cpus }} -Xms{{ .Values.zipkin.javaOptsHeap }}M -Xmx{{ .Values.zipkin.javaOptsHeap }}M -XX:+UseG1GC -server"
            - name: STORAGE_METHOD
              value: "mem"
            - name: ZIPKIN_STORAGE_MEM_MAXSPANS
              value: "{{ .Values.zipkin.maxSpans }}"
      affinity:
      {{- include "nodeaffinity" . | indent 6 }}
      {{- include "podAntiAffinity" . | indent 6 }}
      {{- if .Values.tolerations }}
      tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
      {{- else if .Values.global.defaultTolerations }}
      tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
      {{- end }}
{{ end }}
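{{- if .Values.ingress.enabled -}}
# Ingress for the tracing UI: routes <contextPath, else /<provider>> on each listed host
# (or on any host when ingress.hosts is empty) to the `tracing` Service.
#
# NOTE(review): the extensions/v1beta1 Ingress API is deprecated upstream in favour of
# networking.k8s.io; it is kept here for the cluster versions this chart targets.
# NOTE(review): this chart configures no authentication for Jaeger or Zipkin, so an enabled
# Ingress publishes trace data (URLs, headers, peer identities) to anyone who can reach it.
# Pair it with an ingress.tls entry and an auth-enforcing annotation of your ingress
# controller before exposing it.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ template "tracing.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Values.provider }}
    chart: {{ template "tracing.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  annotations:
    {{- range $key, $value := .Values.ingress.annotations }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
spec:
  rules:
  {{- if .Values.ingress.hosts }}
    {{- range $host := .Values.ingress.hosts }}
    - host: {{ $host }}
      http:
        paths:
          # Same base-path expression the Deployment uses for QUERY_BASE_PATH.
          - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} /{{ $.Values.provider }} {{ end }}
            backend:
              serviceName: tracing
              # Follows the port the `tracing` Service actually listens on
              # (service.externalPort) instead of a hard-coded 80.
              servicePort: {{ $.Values.service.externalPort }}
    {{- end -}}
  {{- else }}
    - http:
        paths:
          - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }}
            backend:
              serviceName: tracing
              servicePort: {{ .Values.service.externalPort }}
  {{- end }}
  {{- if .Values.ingress.tls }}
  tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
  {{- end -}}
{{- end -}}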
{{- if eq .Values.provider "jaeger" }}
{{- if .Values.jaeger.persist }}
# Backing volume for Jaeger's Badger span store. Only rendered when jaeger.persist is
# true; the istio-tracing Deployment mounts it via claimName istio-jaeger-pvc.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: istio-jaeger-pvc
  namespace: {{ .Release.Namespace }}
  labels:
    app: jaeger
    chart: {{ template "tracing.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # Deliberately unquoted: the default "" renders as an empty (null) value, which lets the
  # cluster pick its default StorageClass. Quoting it would pin an empty class name, which
  # Kubernetes treats as "no dynamic provisioning" instead.
  storageClassName: {{ .Values.jaeger.storageClassName }}
  accessModes:
    - {{ .Values.jaeger.accessMode }}
  resources:
    requests:
      # Not configurable through values in this chart version.
      storage: 5Gi
{{- end }}
{{- end }}
{{ if eq .Values.provider "jaeger" }}
# Jaeger-specific Services, all selecting the istio-tracing pod (app: jaeger):
#   jaeger-query      16686/TCP                 UI + query API
#   jaeger-collector  14267/14268/14250 TCP     tchannel / HTTP / gRPC span ingestion
#   jaeger-agent      5775/6831/6832 UDP        headless; thrift span ingestion
# NOTE(review): the backing pod runs without a sidecar, so none of these ports is
# mTLS-protected by the mesh; anything in the cluster that can reach them can submit or
# read traces.
apiVersion: v1
kind: List
metadata:
  name: jaeger-services
  namespace: {{ .Release.Namespace }}
  labels:
    app: jaeger
    chart: {{ template "tracing.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
items:
  - apiVersion: v1
    kind: Service
    metadata:
      name: jaeger-query
      namespace: {{ .Release.Namespace }}
      annotations:
        {{- range $key, $val := .Values.service.annotations }}
        {{ $key }}: {{ $val | quote }}
        {{- end }}
      labels:
        app: jaeger
        jaeger-infra: jaeger-service
        chart: {{ template "tracing.chart" . }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
    spec:
      # No `type` given, so this stays ClusterIP.
      ports:
        - name: query-http
          port: 16686
          protocol: TCP
          targetPort: 16686
      selector:
        app: jaeger
  - apiVersion: v1
    kind: Service
    metadata:
      name: jaeger-collector
      namespace: {{ .Release.Namespace }}
      labels:
        app: jaeger
        jaeger-infra: collector-service
        chart: {{ template "tracing.chart" . }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
    spec:
      ports:
        - name: jaeger-collector-tchannel
          port: 14267
          protocol: TCP
          targetPort: 14267
        - name: jaeger-collector-http
          port: 14268
          targetPort: 14268
          protocol: TCP
        - name: jaeger-collector-grpc
          port: 14250
          targetPort: 14250
          protocol: TCP
      selector:
        app: jaeger
      type: ClusterIP
  - apiVersion: v1
    kind: Service
    metadata:
      name: jaeger-agent
      namespace: {{ .Release.Namespace }}
      labels:
        app: jaeger
        jaeger-infra: agent-service
        chart: {{ template "tracing.chart" . }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
    spec:
      ports:
        - name: agent-zipkin-thrift
          port: 5775
          protocol: UDP
          targetPort: 5775
        - name: agent-compact
          port: 6831
          protocol: UDP
          targetPort: 6831
        - name: agent-binary
          port: 6832
          protocol: UDP
          targetPort: 6832
      # Headless: clients resolve the pod IP directly rather than a virtual IP.
      clusterIP: None
      selector:
        app: jaeger
{{ end }}
# Provider-neutral Services:
#   zipkin  – always created, on zipkin.queryPort (9411 by default). It still works with
#             provider=jaeger because the Jaeger pod listens on 9411 as a Zipkin-compatible
#             collector (COLLECTOR_ZIPKIN_HTTP_PORT); presumably this is where the mesh
#             proxies' zipkin tracer reports spans — confirm against the proxy config.
#   tracing – the UI entry point the Ingress and the helm test target; service.type and
#             service.externalPort are user-configurable.
# NOTE(review): setting service.type to NodePort/LoadBalancer publishes the UI, for which
# this chart configures no authentication; prefer ClusterIP plus an authenticated Ingress.
apiVersion: v1
kind: List
metadata:
  name: tracing-services
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Values.provider }}
    chart: {{ template "tracing.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
items:
  - apiVersion: v1
    kind: Service
    metadata:
      name: zipkin
      namespace: {{ .Release.Namespace }}
      labels:
        app: {{ .Values.provider }}
        chart: {{ template "tracing.chart" . }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
    spec:
      ports:
        - port: {{ .Values.zipkin.queryPort }}
          targetPort: {{ .Values.zipkin.queryPort }}
          protocol: TCP
          name: {{ .Values.service.name }}
      selector:
        app: {{ .Values.provider }}
  - apiVersion: v1
    kind: Service
    metadata:
      name: tracing
      namespace: {{ .Release.Namespace }}
      annotations:
        {{- range $key, $val := .Values.service.annotations }}
        {{ $key }}: {{ $val | quote }}
        {{- end }}
      labels:
        app: {{ .Values.provider }}
        chart: {{ template "tracing.chart" . }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
    spec:
      type: {{ .Values.service.type }}
      ports:
        - name: http-query
          port: {{ .Values.service.externalPort }}
          protocol: TCP
{{ if eq .Values.provider "jaeger" }}
          targetPort: 16686
{{ else }}
          targetPort: {{ .Values.zipkin.queryPort }}
{{ end}}
      selector:
        app: {{ .Values.provider }}
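{{- if .Values.global.enableHelmTest }}
# `helm test` pod: curls the tracing UI through the `tracing` Service (the pod is not
# meshed, so this is a plain in-cluster HTTP request) and succeeds only if the server
# answers without an HTTP error.
apiVersion: v1
kind: Pod
metadata:
  name: {{ .Release.Name }}-{{ .Values.provider }}-test
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Values.provider }}-test
    chart: {{ template "tracing.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    sidecar.istio.io/inject: "false"
    helm.sh/hook: test-success
spec:
{{- if .Values.global.priorityClassName }}
  priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
  containers:
    - name: "{{ .Values.provider }}-test"
      image: "{{ template "system_default_registry" . }}{{ .Values.global.curl.repository }}:{{ .Values.global.curl.tag }}"
      imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
      command: ['curl']
      # --fail makes a 4xx/5xx response exit non-zero; without it curl exits 0 on a 404
      # page and the test-success hook passes against a broken deployment. The port follows
      # service.externalPort (the `tracing` Service port) and the Jaeger path uses the same
      # contextPath expression as the Deployment's QUERY_BASE_PATH and the Ingress, rather
      # than a hard-coded :80 and a jaeger.contextPath key that values.yaml never defines.
{{- if eq .Values.provider "jaeger" }}
      args: ['--fail', '--silent', '--show-error', 'http://tracing:{{ .Values.service.externalPort }}{{ if .Values.contextPath }}{{ .Values.contextPath }}{{ else }}/{{ .Values.provider }}{{ end }}']
{{- else }}
      args: ['--fail', '--silent', '--show-error', 'http://tracing:{{ .Values.service.externalPort }}']
{{- end }}
  restartPolicy: Never
  affinity:
  {{- include "nodeaffinity" . | indent 4 }}
  {{- include "podAntiAffinity" . | indent 4 }}
  {{- if .Values.tolerations }}
  tolerations:
{{ toYaml .Values.tolerations | indent 2 }}
  {{- else if .Values.global.defaultTolerations }}
  tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 2 }}
  {{- end }}
{{- end }}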
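#
# addon jaeger tracing configuration
#
# Values for the Istio tracing addon. `provider` selects which backend the templates render
# (jaeger | zipkin); both expose their UI through the `tracing` Service configured under
# `service`. Image repository/tag for each provider (jaeger.repository/tag,
# zipkin.repository/tag) are not set here and are expected from the parent chart.
enabled: false
provider: jaeger
# Base path of the tracing UI (Jaeger QUERY_BASE_PATH, the Ingress path and the helm
# test). Defaults to /<provider> when unset.
# contextPath: /jaeger
nodeSelector: {}
tolerations: []

# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
#    "requiredDuringSchedulingIgnoredDuringExecution"
#    "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
#   operator: In
#   values: S1,S2
#   topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []

jaeger:
  podAnnotations: {}
  memory:
    # Upper bound on traces held in memory (MEMORY_MAX_TRACES).
    max_traces: 50000
  # spanStorageType value can be "memory" and "badger" for all-in-one image
  spanStorageType: badger
  # With badger, persist=true backs /badger with the istio-jaeger-pvc claim (pvc.yaml);
  # otherwise an emptyDir is used and spans are lost when the pod is rescheduled.
  persist: false
  # "" lets the cluster choose its default StorageClass for the claim.
  storageClassName: ""
  # NOTE(review): the Deployment runs a single replica with an embedded store, so
  # ReadWriteOnce would suffice and is more widely supported; changing it is left to the
  # operator.
  accessMode: ReadWriteMany

zipkin:
  podAnnotations: {}
  # Seconds before the first liveness/readiness check (JVM start-up).
  probeStartupDelay: 200
  queryPort: 9411
  resources:
    limits:
      cpu: 300m
      memory: 900Mi
    requests:
      cpu: 150m
      memory: 900Mi
  # JVM heap in MiB (-Xms/-Xmx); must stay below resources.limits.memory.
  javaOptsHeap: 700
  # From: https://github.com/openzipkin/zipkin/blob/master/zipkin-server/src/main/resources/zipkin-server-shared.yml#L51
  # Maximum number of spans to keep in memory.  When exceeded, oldest traces (and their spans) will be purged.
  # A safe estimate is 1K of memory per span (each span with 2 annotations + 1 binary annotation), plus
  # 100 MB for a safety buffer.  You'll need to verify in your own environment.
  maxSpans: 500000
  node:
    cpus: 2

service:
  annotations: {}
  name: http
  type: ClusterIP
  externalPort: 80

ingress:
  enabled: false
  # Used to create an Ingress record.
  # Explicit empty collections (instead of bare keys, which parse as null) so the intended
  # types are unambiguous when users override them with --set or a values file.
  hosts: []
    # - tracing.local
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  # NOTE(review): neither backend is configured with authentication by this chart; pair an
  # enabled Ingress with TLS and an auth-enforcing annotation from your ingress controller.
  tls: []
    # Secrets must be manually created in the namespace.
    # - secretName: tracing-tls
    #   hosts:
    #     - tracing.local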
# Example Values
These files provide various example values for different Istio setups.
To use them, [read the docs](https://istio.io/docs/setup/kubernetes/helm-install/) and add the flag `--values example-file.yaml`.
# Example: request DNS-SAN certificates for the Galley and sidecar-injector webhook
# services. NOTE(review): names are pinned to the istio-system namespace; adjust both the
# secret names and dnsNames if the control plane lives elsewhere. Presumably consumed by
# the chart's certificate provisioning for these components — confirm which component
# issues them before relying on this file.
global:
  certificates:
    - secretName: dns.istio-galley-service-account
      dnsNames: [istio-galley.istio-system.svc, istio-galley.istio-system]
    - secretName: dns.istio-sidecar-injector-service-account
      dnsNames: [istio-sidecar-injector.istio-system.svc, istio-sidecar-injector.istio-system]
# Example: node agent obtaining workload certificates from HashiCorp Vault (SDS + VaultCA).
#
# NOTE(review): DO NOT use these settings as-is in a real mesh. CA_ADDR/VAULT_ADDR point at
# a third-party demo Vault on a hard-coded public IP and VAULT_TLS_ROOT_CERT pins its root
# certificate: whoever operates that server can issue identities for every workload in the
# mesh. Replace all three with your own Vault (and the Kubernetes-auth role / PKI role
# below) and manage VAULT_TLS_ROOT_CERT as a trust anchor of your own.
global:
  # NOTE(review): with controlPlaneSecurityEnabled=false the connections to the control
  # plane are not mTLS-protected; keep it true outside of demos.
  controlPlaneSecurityEnabled: false
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    enabled: true
  sds:
    enabled: true
    udsPath: "unix:/var/run/sds/uds_path"

nodeagent:
  enabled: true
  repository: rancher/istio-node-agent-k8s
  tag: 1.4.3
  env:
    # The IP address and the port number of a publicly accessible example Vault server.
    CA_ADDR: "https://34.83.129.211:8200"
    CA_PROVIDER: "VaultCA"
    # NOTE(review): parses as a YAML boolean, unlike every other value here; quote it if
    # the nodeagent env template expects strings (that template is not shown in this file).
    VALID_TOKEN: true
    # The IP address and the port number of a publicly accessible example Vault server.
    VAULT_ADDR: "https://34.83.129.211:8200"
    # Kubernetes-auth login path and role the node agent authenticates with, and the PKI
    # role path under which Vault signs the workload CSRs.
    VAULT_AUTH_PATH: "auth/kubernetes/login"
    VAULT_ROLE: "istio-cert"
    VAULT_SIGN_CSR_PATH: "istio_ca/sign/istio-pki-role"
    # Single-quoted, so the "\n" sequences stay a literal backslash-n (presumably expanded
    # by the node agent's Vault client — confirm before changing the quoting).
    VAULT_TLS_ROOT_CERT: '-----BEGIN CERTIFICATE-----\nMIIC3jCCAcagAwIBAgIRAO1S7vuRQmo2He+RtBq3fv8wDQYJKoZIhvcNAQELBQAw\nEDEOMAwGA1UEChMFVmF1bHQwIBcNMTkwNDI3MTY1ODE1WhgPMjExOTA0MDMxNjU4\nMTVaMBAxDjAMBgNVBAoTBVZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEA7/CTbnENEIvFZg9hmVtYnOx3OfMy/GNCuP7sqtAeVVTopAKKkcAAWQck\nrhpBooEGpCugNxXGNCuJh/2nu0AfGFRfdafwSJRoI6yHwQouDm0o4r3h9uL3tu5N\nD+x9j+eejbFsoZVn84CxGkEB6oyeXYHjc6eWh3PFGMtKuOQD4pezvDH0yNCx5waK\nhtPuYtl0ebfdbyh+WQuptO+Q9VSaQNqE3ipZ461y8PduwRRll241W0gQB2iasX03\nD36F2ZrMz3KEVRVKM1yCUDCy2RPJqkXPdnVMWmDGbe8Uw69zr25JltzuRZFT9HL3\nY1RnMTecmSc4ikTUHcMhFX3PYbfR5wIDAQABozEwLzAOBgNVHQ8BAf8EBAMCBaAw\nDAYDVR0TAQH/BAIwADAPBgNVHREECDAGhwQiU4HTMA0GCSqGSIb3DQEBCwUAA4IB\nAQCdLh6olDVQB71LD6srbfAE4EsxLEBbIRnv7Nf1S0KQwgW/QxK8DHBwJBxJkr1N\nzgEPx86f2Fo2UsY9m6rvgP3+iquyMsKi0ooUah3y3LSnONuZcdfSTl/HYd38S6Dp\nVkVOZ7781xxpFVUqQ5voQX1Y1Ipn5qw0FyIcNYWLkNX+iMf1b9kpEIWQNhRC/Yiv\nTS0VA/BzQemGyf2UB6QsuZLH+JFEZnzU859qURnNIITa1Wf4YUtka5Sp1kDnEll3\nwj4IlXKU+Wl1CzxJyn4SSQAXy/Lb08ZKrF/YSzcIISnRX5j+wa8ApOSwwA/B7iaT\nTWz1g+RlV9qHap70eIjPsQvb\n-----END CERTIFICATE-----'
# Common settings.
#
# Example values for rendering a standalone custom gateway against an existing control
# plane: everything except `gateways.custom-gateway` is switched off at the end of this file.
global:
  # Omit the istio-sidecar-injector configmap when generating a
  # standalone gateway. Gateways may be created in namespaces other
  # than `istio-system` and we don't want to re-create the injector
  # configmap in those.
  omitSidecarInjectorConfigMap: true

  # Istio control plane namespace: This specifies where the Istio control
  # plane was installed earlier. Modify this if you installed the control
  # plane in a different namespace than istio-system.
  istioNamespace: istio-system

  proxy:
    # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
    # would be <host>:<port>).
    # Disabled by default.
    # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
    envoyStatsd:
      # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
      enabled: false
      host: # example: statsd-svc.istio-system
      port: # example: 9125

#
# Gateways Configuration
# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
# You can add more gateways in addition to the defaults but make sure those are uniquely named
# and that NodePorts are not conflicting.
# Disable specific gateway by setting the `enabled` to false.
#
gateways:
  enabled: true

  custom-gateway:
    enabled: true
    labels:
      app: custom-gateway
    replicaCount: 1
    autoscaleMin: 1
    autoscaleMax: 5
    resources: {}
      # limits:
      #  cpu: 100m
      #  memory: 128Mi
      #requests:
      #  cpu: 1800m
      #  memory: 256Mi
    cpu:
      targetAverageUtilization: 80
    loadBalancerIP: ""
    # NOTE(review): with type LoadBalancer and no source ranges, every port listed below is
    # reachable from wherever the cloud load balancer is. Restrict this to a CIDR list and
    # remove the ports you do not actually route (15011/8060 are only meaningful with
    # meshExpansion, the 1502x/1503x ports only when those addons are published through
    # this gateway) before using this file for anything but a demo. The Service field is a
    # list, so `[]` would be the type-matching empty value.
    loadBalancerSourceRanges: {}
    externalIPs: []
    serviceAnnotations: {}
    podAnnotations: {}
    type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
    #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out
    ports:
      ## You can add custom gateway ports
      - port: 80
        targetPort: 80
        name: http2
        # nodePort: 31380
      - port: 443
        name: https
        # nodePort: 31390
      - port: 31400
        name: tcp
        # nodePort: 31400
      # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
      # to pilot/citadel if global.meshExpansion settings are enabled.
      - port: 15011
        targetPort: 15011
        name: tcp-pilot-grpc-tls
      - port: 8060
        targetPort: 8060
        name: tcp-citadel-grpc-tls
      # Addon ports for kiali are enabled in gateway - but will only redirect if
      # the gateway configuration for the various components are enabled.
      - port: 15029
        targetPort: 15029
        name: http2-kiali
      # Telemetry-related ports are enabled in gateway - but will only redirect if
      # the gateway configuration for the various components are enabled.
      - port: 15030
        targetPort: 15030
        name: http2-prometheus
      - port: 15031
        targetPort: 15031
        name: http2-grafana
      - port: 15032
        targetPort: 15032
        name: http2-tracing
    # Mounted into the gateway pod; the secrets themselves are not created by this file.
    secretVolumes:
      - name: customgateway-certs
        secretName: istio-customgateway-certs
        mountPath: /etc/istio/customgateway-certs
      - name: customgateway-ca-certs
        secretName: istio-customgateway-ca-certs
        mountPath: /etc/istio/customgateway-ca-certs

# all other components are disabled except the gateways
security:
  enabled: false
sidecarInjectorWebhook:
  enabled: false
galley:
  enabled: false
mixer:
  policy:
    enabled: false
  telemetry:
    enabled: false
pilot:
  enabled: false
grafana:
  enabled: false
prometheus:
  enabled: false
tracing:
  enabled: false
kiali:
  enabled: false
certmanager:
  enabled: false
# Example: node agent obtaining workload certificates from Google Mesh CA over SDS, with the
# service-account token exchanged through the GoogleTokenExchange plugin.
global:
  controlPlaneSecurityEnabled: true
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    enabled: true
  sds:
    enabled: true
    udsPath: "unix:/var/run/sds/uds_path"
    # For GoogleCA, the aud field needs to be set to the trustDomain, which is also set at the
    # installation/configuration time, e.g. by running helm template.
    token:
      aud: ""
  # The empty strings here and in sds.token.aud / GKE_CLUSTER_URL are placeholders that must
  # be filled in for this setup, not working defaults.
  trustDomain: ""
  useMCP: true

nodeagent:
  enabled: true
  repository: rancher/istio-node-agent-k8s
  tag: 1.4.3
  env:
    CA_PROVIDER: "GoogleCA"
    CA_ADDR: "meshca.googleapis.com:443"
    PLUGINS: "GoogleTokenExchange"
    GKE_CLUSTER_URL: ""
# Example: multicluster mesh connected through gateways, with mesh expansion enabled.
global:
  # Provides dns resolution for global services
  podDNSSearchNamespaces:
    - global

  multiCluster:
    enabled: true

  controlPlaneSecurityEnabled: true

  meshExpansion:
    enabled: true

# Multicluster with gateways requires a root CA
# Cluster local CAs are bootstrapped with the root CA.
# NOTE(review): selfSigned=false means Citadel does not generate its own root; the shared
# root and this cluster's intermediate must be provisioned before installation (presumably
# through the `cacerts` secret — confirm the name for this chart version).
security:
  selfSigned: false

# Provides dns resolution for service entries of form
# name.namespace.global
istiocoredns:
  enabled: true

gateways:
  istio-egressgateway:
    enabled: true
    env:
      # Needed to route traffic via egress gateway if desired.
      ISTIO_META_REQUESTED_NETWORK_VIEW: "external"
# Example: multicluster mesh connected through gateways.
global:
  # Provides dns resolution for global services
  podDNSSearchNamespaces:
    - global
    # Per-pod entry. The escaped quotes keep this a literal string for Helm; judging by the
    # .DeploymentMeta reference it is evaluated later by the sidecar injector's template —
    # confirm before editing.
    - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"

  multiCluster:
    enabled: true

  controlPlaneSecurityEnabled: true

# Multicluster with gateways requires a root CA
# Cluster local CAs are bootstrapped with the root CA.
# NOTE(review): selfSigned=false means Citadel does not generate its own root; the shared
# root and this cluster's intermediate must be provisioned before installation (presumably
# through the `cacerts` secret — confirm the name for this chart version).
security:
  selfSigned: false

# Provides dns resolution for service entries of form
# name.namespace.global
istiocoredns:
  enabled: true

gateways:
  istio-egressgateway:
    enabled: true
    env:
      # Needed to route traffic via egress gateway if desired.
      ISTIO_META_REQUESTED_NETWORK_VIEW: "external"
rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
initContainers:
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
{{- if not .Values.istio_cni.enabled }}
# istio-init rewrites the pod's iptables so inbound traffic is redirected to the sidecar on
# 15006 and outbound on 15001; the include/exclude flags come from pod annotations with
# values.yaml defaults. It needs NET_ADMIN + NET_RAW and runs as root. When the Istio CNI
# plugin is enabled the redirection happens outside the pod and this container is skipped.
- name: istio-init
{{- if .Values.global.systemDefaultRegistry }}
  image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- else }}
  image: "{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}"
{{- end }}
  command:
  - istio-iptables
  - "-p"
  - "15001"
  - "-z"
  - "15006"
  - "-u"
  # UID the sidecar itself runs as (see the istio-proxy securityContext further down);
  # presumably exempted from redirection so the proxy's own traffic is not looped back.
  - 1337
  - "-m"
  - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
  - "-i"
  - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
  - "-x"
  - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
  - "-b"
  - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
  - "-d"
  - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
  {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") -}}
  - "-o"
  - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
  {{ end -}}
  {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
  - "-k"
  - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
  {{ end -}}
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
{{- if .Values.global.proxy.init.resources }}
  resources:
{{ toYaml .Values.global.proxy.init.resources | indent 4 }}
{{- else }}
  resources: {}
{{- end }}
  # Root plus NET_ADMIN/NET_RAW is what iptables needs. `privileged` and
  # allowPrivilegeEscalation both follow global.proxy.privileged; keep that false unless the
  # platform genuinely requires it, since privileged widens what this container can do on
  # the node well beyond iptables.
  securityContext:
    allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
    capabilities:
      add:
      - NET_ADMIN
      - NET_RAW
      drop:
      - ALL
    privileged: {{ .Values.global.proxy.privileged }}
    readOnlyRootFilesystem: false
    runAsGroup: 0
    runAsNonRoot: false
    runAsUser: 0
  # NOTE(review): restartPolicy is a pod-level field, not a container field; verify the
  # injector neither rejects nor silently drops it here.
  restartPolicy: Always
{{- end }}
{{ end -}}
{{- if eq .Values.global.proxy.enableCoreDump true }}
# Debug-only helper (global.proxy.enableCoreDump). It runs privileged, as root, with
# SYS_ADMIN so that `sysctl -w kernel.core_pattern=...` can change the kernel setting —
# core_pattern is not namespaced, so this affects every process on the node, not just this
# pod. Elsewhere in this template the sidecar's root filesystem is made writable when this
# flag is set so the dumps can land. Proxy core files can contain plaintext request data and
# the workload's key material; do not leave this enabled outside an isolated debugging cluster.
- name: enable-core-dump
  args:
  - -c
  - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
  command:
  - /bin/sh
{{- if .Values.global.systemDefaultRegistry }}
  image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy.enableCoreDumpImage }}"
{{- else }}
  image: "{{ .Values.global.proxy.enableCoreDumpImage }}"
{{- end }}
  imagePullPolicy: IfNotPresent
  resources: {}
  securityContext:
    allowPrivilegeEscalation: true
    capabilities:
      add:
      - SYS_ADMIN
      drop:
      - ALL
    privileged: true
    readOnlyRootFilesystem: false
    runAsGroup: 0
    runAsNonRoot: false
    runAsUser: 0
{{ end }}
{{- end }}
containers:
- name: istio-proxy
{{- if .Values.global.systemDefaultRegistry }}
image: "{{ .Values.global.systemDefaultRegistry }}/{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}"
{{- else }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.repository}}:{{ .Values.global.proxy.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --configPath
- "{{ .ProxyConfig.ConfigPath }}"
- --binaryPath
- "{{ .ProxyConfig.BinaryPath }}"
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --drainDuration
- "{{ formatDuration .ProxyConfig.DrainDuration }}"
- --parentShutdownDuration
- "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}"
- --discoveryAddress
- "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}"
{{- if eq .Values.global.proxy.tracer "lightstep" }}
- --lightstepAddress
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}"
- --lightstepAccessToken
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}"
- --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }}
- --lightstepCacertPath
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}"
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
- --zipkinAddress
- "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}"
{{- else if eq .Values.global.proxy.tracer "datadog" }}
- --datadogAgentAddress
- "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}"
{{- end }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
- --dnsRefreshRate
- {{ .Values.global.proxy.dnsRefreshRate }}
- --connectTimeout
- "{{ formatDuration .ProxyConfig.ConnectTimeout }}"
{{- if .Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- "{{ .ProxyConfig.StatsdUdpAddress }}"
{{- end }}
{{- if .Values.global.proxy.envoyMetricsService.enabled }}
- --envoyMetricsService
- '{{ protoToJSON .ProxyConfig.EnvoyMetricsService }}'
{{- end }}
{{- if .Values.global.proxy.envoyAccessLogService.enabled }}
- --envoyAccessLogService
- '{{ protoToJSON .ProxyConfig.EnvoyAccessLogService }}'
{{- end }}
- --proxyAdminPort
- "{{ .ProxyConfig.ProxyAdminPort }}"
{{ if gt .ProxyConfig.Concurrency 0 -}}
- --concurrency
- "{{ .ProxyConfig.Concurrency }}"
{{ end -}}
- --controlPlaneAuthPolicy
- "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}"
{{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" (valueOrDefault .Values.global.proxy.statusPort 0 )) `0`) }}
- --statusPort
- "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}"
- --applicationPorts
- "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}"
{{- end }}
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
{{- if .Values.global.mtls.auto }}
- name: ISTIO_AUTO_MTLS_ENABLED
value: "true"
{{- end }}
{{- if eq .Values.global.proxy.tracer "datadog" }}
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }}
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
{{- end }}
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_CONFIG_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SDS_ENABLED
value: {{ $.Values.global.sds.enabled }}
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
- name: ISTIO_META_INCLUDE_INBOUND_PORTS
value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{ if .ObjectMeta.Labels }}
- name: ISTIO_METAJSON_LABELS
value: |
{{ toJSON .ObjectMeta.Labels }}
{{ end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: {{ .DeploymentMeta.Name }}
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{- end }}
{{- if .Values.global.sds.customTokenDirectory }}
- name: ISTIO_META_SDS_TOKEN_PATH
value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken"
{{- end }}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if .Values.global.trustDomain }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.trustDomain }}"
{{- end }}
{{- if eq .Values.global.proxy.tracer "stackdriver" }}
- name: STACKDRIVER_TRACING_ENABLED
value: "true"
- name: STACKDRIVER_TRACING_DEBUG
value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetDebug }}"
{{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations }}
- name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS
value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations }}"
{{- end }}
{{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes }}
- name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES
value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes }}"
{{- end }}
{{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents }}
- name: STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS
value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents }}"
{{- end }}
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` (valueOrDefault .Values.global.proxy.statusPort 0 )) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
add:
- NET_ADMIN
{{- end }}
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
runAsGroup: 1337
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
runAsNonRoot: false
runAsUser: 0
{{- else -}}
runAsNonRoot: true
runAsUser: 1337
{{- end }}
resources:
{{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end}}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{ else -}}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 4 }}
{{- end }}
{{ end -}}
volumeMounts:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{- end }}
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- mountPath: /var/run/sds
name: sds-uds-path
readOnly: true
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- if .Values.global.sds.customTokenDirectory }}
- mountPath: "{{ .Values.global.sds.customTokenDirectory -}}"
name: custom-sds-token
readOnly: true
{{- end }}
{{- else }}
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}
name: lightstep-certs
readOnly: true
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{- end }}
volumes:
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: custom-bootstrap-volume
configMap:
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
{{- end }}
- emptyDir:
medium: Memory
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- name: sds-uds-path
hostPath:
path: /var/run/sds
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- if .Values.global.sds.customTokenDirectory }}
- name: custom-sds-token
secret:
secretName: sdstokensecret
{{- end }}
{{- else }}
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 2 }}
{{ end }}
{{ end }}
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- name: lightstep-certs
secret:
optional: true
secretName: lightstep.cacert
{{- end }}
{{- if .Values.global.podDNSSearchNamespaces }}
dnsConfig:
searches:
{{- range .Values.global.podDNSSearchNamespaces }}
- {{ render . }}
{{- end }}
{{- end }}
podRedirectAnnot:
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
{{- end }}
traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
labels:
rancher.istio.v1.4.300: 1.4.3
rancher_min_version: 2.3.4-rc1
dependencies:
- name: sidecarInjectorWebhook
version: 1.4.3
condition: sidecarInjectorWebhook.enabled
- name: security
version: 1.4.3
condition: security.enabled
- name: gateways
version: 1.4.3
condition: gateways.enabled
- name: mixer
version: 1.4.3
condition: or mixer.policy.enabled mixer.telemetry.enabled
- name: nodeagent
version: 1.4.3
condition: nodeagent.enabled
- name: pilot
version: 1.4.3
condition: pilot.enabled
- name: grafana
version: 1.4.3
condition: grafana.enabled
- name: prometheus
version: 1.4.3
condition: prometheus.enabled
- name: tracing
version: 1.4.3
condition: tracing.enabled
- name: galley
version: 1.4.3
condition: galley.enabled
- name: kiali
version: 1.4.3
condition: kiali.enabled
- name: istiocoredns
version: 1.4.3
condition: istiocoredns.enabled
- name: certmanager
version: 1.4.3
condition: certmanager.enabled
Thank you for installing {{ .Chart.Name | title }}.
Your release is named {{ .Release.Name | title }}.
To get started running application with Istio, execute the following steps:
{{- if index .Values "sidecarInjectorWebhook" "enabled" }}
1. Label namespace that application object will be deployed to by the following command (take default namespace as an example)
$ kubectl label namespace default istio-injection=enabled
$ kubectl get namespace -L istio-injection
2. Deploy your applications
$ kubectl apply -f <your-application>.yaml
{{- else }}
1. Download the latest release package to get sidecar injection tool
$ curl -L https://git.io/getLatestIstio | sh -
$ mv istio-* istio-latest
$ export PATH="$PATH:$PWD/istio-latest/bin"
2. Deploy your application by manually injecting envoy sidecar with `istioctl kube-inject`
$ kubectl apply -f <(istioctl kube-inject -f <your-application>.yaml)
{{- end }}
For more information on running Istio, visit:
https://istio.io/
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
{{- define "nodeaffinity" }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityRequiredDuringScheduling" . }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
{{- range $key, $val := .Values.global.arch }}
{{- if gt ($val | int) 0 }}
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
{{- range $key, $val := .Values.global.arch }}
{{- if gt ($val | int) 0 }}
- weight: {{ $val | int }}
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinity" }}
{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}}
podAntiAffinity:
{{- if .Values.podAntiAffinityLabelSelector }}
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
{{- end }}
{{- if or .Values.podAntiAffinityTermLabelSelector}}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityRequiredDuringScheduling" }}
{{- range $index, $item := .Values.podAntiAffinityLabelSelector }}
- labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityPreferredDuringScheduling" }}
{{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }}
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
weight: 100
{{- end }}
{{- end }}
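Review bot: `{{- if or .Values.podAntiAffinityTermLabelSelector}}` in the podAntiAffinity define applies `or` to a single operand, which is just that operand; write it as `{{- if .Values.podAntiAffinityTermLabelSelector }}` to match the sibling check on podAntiAffinityLabelSelector a few lines above it (and restore the space before `}}` that the other actions in this file carry). Both node-affinity helpers key on `beta.kubernetes.io/arch`, a label Kubernetes has superseded by `kubernetes.io/arch`; if every cluster this chart targets already sets the non-beta label that is the one to use, otherwise a comment above the matchExpressions recording the dependence on the beta label will save the next upgrade a search. In the two anti-affinity defines `$vals := split "," $item.values` produces a sprig map keyed `_0`, `_1`, …, so the `range` emits the values in key-sort order rather than input order; that is harmless here because they only feed a set-valued `matchExpressions` entry, but a one-line comment saying so, `# split yields a map; order of the rendered values is not significant`, spares the reader the check.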
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "istio.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "istio.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "istio.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a fully qualified configmap name.
*/}}
{{- define "istio.configmap.fullname" -}}
{{- printf "%s-%s" .Release.Name "istio-mesh-config" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{- define "podDisruptionBudget.spec" }}
minAvailable: 1
{{- end }}
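Review bot: `system_default_registry` renders a double slash when `global.systemDefaultRegistry` is supplied with a trailing slash, because `printf "%s/"` appends one unconditionally and the result is presumably concatenated straight onto an image repository by its callers; normalising the value, `{{- printf "%s/" (trimSuffix "/" .Values.global.systemDefaultRegistry) -}}`, makes both spellings yield the same image reference, and the `else` branch that emits `{{- "" -}}` can then be dropped since the define already produces nothing on that path. A short header comment in the style of the other defines, `{{/* Prefix for all images, "" or "<registry>/" from global.systemDefaultRegistry */}}`, would also document the only helper in this file that has none. Separately, the comment above `istio.chart` says it creates "chart name and version", but the body emits only `.Chart.Name`; change it to `Create the chart name (without version) as used by the chart label.` so the comment matches the code.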
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: istio-reader
rules:
- apiGroups: ['']
resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"]
verbs: ['get', 'watch', 'list']
- apiGroups: ["extensions", "apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
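Review bot: The `rules` block of the istio-reader ClusterRole mixes three quoting styles in four lines — `['']` and `'get'` single-quoted, `"replicationcontrollers"` and `["extensions", "apps"]` double-quoted — while the rest of the file uses plain scalars; pick one style and keep it for both rules. The ClusterRole also carries no `labels` stanza, whereas the ClusterRoleBinding in the next file sets `chart: {{ .Chart.Name }}-{{ .Chart.Version }}`, so the two objects cannot be selected together; adding the same `labels` under `metadata` keeps them consistent. The grants are read-only but cluster-scoped, and `nodes` and `endpoints` in particular expose cluster topology to whatever holds the bound service account; a one-line comment above `rules` naming the consumer, e.g. `# read-only discovery access for the istio-multi service account bound in clusterrolebinding.yaml`, records why each resource is needed and makes future least-privilege trimming tractable.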
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-multi
labels:
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader
subjects:
- kind: ServiceAccount
name: istio-multi
namespace: {{ .Release.Namespace }}
{{- if or .Values.pilot.enabled .Values.global.istioRemote }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "istio.name" . }}
chart: {{ template "istio.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
mesh: |-
# Set the following variable to true to disable policy checks by Mixer.
# Note that metrics will still be reported to Mixer.
{{- if .Values.mixer.policy.enabled }}
disablePolicyChecks: {{ .Values.global.disablePolicyChecks }}
{{- else }}
disablePolicyChecks: true
{{- end }}
disableMixerHttpReports: false
{{- if .Values.mixer.telemetry.reportBatchMaxEntries }}
# reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
reportBatchMaxEntries: {{ .Values.mixer.telemetry.reportBatchMaxEntries }}
{{- end }}
{{- if .Values.mixer.telemetry.reportBatchMaxTime }}
# reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
reportBatchMaxTime: {{ .Values.mixer.telemetry.reportBatchMaxTime }}
{{- end }}
{{- if .Values.mixer.telemetry.sessionAffinityEnabled }}
# sidecarToTelemetrySessionAffinity will create a STRICT_DNS type cluster for istio-telemetry.
sidecarToTelemetrySessionAffinity: {{ .Values.mixer.telemetry.sessionAffinityEnabled }}
{{- end }}
# Set enableTracing to false to disable request tracing.
enableTracing: {{ .Values.global.enableTracing }}
# Set accessLogFile to empty string to disable access log.
accessLogFile: "{{ .Values.global.proxy.accessLogFile }}"
# If accessLogEncoding is TEXT, value will be used directly as the log format
# example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
# If AccessLogEncoding is JSON, value will be parsed as map[string]string
# example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
# Leave empty to use default log format
accessLogFormat: {{ .Values.global.proxy.accessLogFormat | quote }}
# Set accessLogEncoding to JSON or TEXT to configure sidecar access log
accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}'
enableEnvoyAccessLogService: {{ .Values.global.proxy.envoyAccessLogService.enabled }}
{{- if .Values.global.istioRemote }}
{{- if .Values.global.remotePolicyAddress }}
{{- if .Values.global.createRemoteSvcEndpoints }}
mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004
{{- else }}
mixerCheckServer: {{ .Values.global.remotePolicyAddress }}:15004
{{- end }}
{{- end }}
{{- if .Values.global.remoteTelemetryAddress }}
{{- if .Values.global.createRemoteSvcEndpoints }}
mixerReportServer: istio-telemetry.{{ .Release.Namespace }}:15004
{{- else }}
mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004
{{- end }}
{{- end }}
{{- else }}
{{- if .Values.mixer.policy.enabled }}
{{- if .Values.global.controlPlaneSecurityEnabled }}
mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004
{{- else }}
mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091
{{- end }}
{{- end }}
{{- if .Values.mixer.telemetry.enabled }}
{{- if .Values.global.controlPlaneSecurityEnabled }}
mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004
{{- else }}
mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }}
# policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
# Default is false which means the traffic is denied when the client is unable to connect to Mixer.
policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }}
{{- end }}
{{- if .Values.gateways.enabled }}
# Let Pilot give ingresses the public IP of the Istio ingressgateway
ingressService: istio-ingressgateway
{{- end }}
# Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
connectTimeout: 10s
# Automatic protocol detection uses a set of heuristics to
# determine whether the connection is using TLS or not (on the
# server side), as well as the application protocol being used
# (e.g., http vs tcp). These heuristics rely on the client sending
# the first bits of data. For server first protocols like MySQL,
# MongoDB, etc., Envoy will timeout on the protocol detection after
# the specified period, defaulting to non mTLS plain TCP
# traffic. Set this field to tweak the period that Envoy will wait
# for the client to send the first bits of data. (MUST BE >=1ms)
protocolDetectionTimeout: {{ .Values.global.proxy.protocolDetectionTimeout }}
# DNS refresh rate for Envoy clusters of type STRICT_DNS
dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }}
# Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
# key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
sdsUdsPath: {{ .Values.global.sds.udsPath | quote }}
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: {{ .Values.global.trustDomain | quote }}
# The trust domain aliases represent the aliases of trust_domain.
# For example, if we have
# trustDomain: td1
# trustDomainAliases: [“td2”, "td3"]
# Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
# or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
trustDomainAliases:
{{- range .Values.global.trustDomainAliases }}
- {{ . | quote }}
{{- end }}
# If true, automatically configure client side mTLS settings to match the corresponding service's
# server side mTLS authentication policy, when destination rule for that service does not specify
# TLS settings.
enableAutoMtls: {{ .Values.global.mtls.auto }}
# Set the default behavior of the sidecar for handling outbound traffic from the application:
# ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
# services or ServiceEntries for the destination port
# REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
# as those defined through ServiceEntries
outboundTrafficPolicy:
mode: {{ .Values.global.outboundTrafficPolicy.mode }}
{{- if .Values.global.localityLbSetting.enabled }}
localityLbSetting:
{{ toYaml .Values.global.localityLbSetting | trim | indent 6 }}
{{- end }}
# The namespace to treat as the administrative root namespace for istio
# configuration.
{{- if .Values.global.configRootNamespace }}
rootNamespace: {{ .Values.global.configRootNamespace }}
{{- else }}
rootNamespace: {{ .Release.Namespace }}
{{- end }}
# Configures DNS certificates provisioned through Chiron linked into Pilot.
certificates:
{{ toYaml .Values.global.certificates | trim | indent 6 }}
{{- if .Values.global.defaultConfigVisibilitySettings }}
defaultServiceExportTo:
{{- range .Values.global.defaultConfigVisibilitySettings }}
- {{ . | quote }}
{{- end }}
defaultVirtualServiceExportTo:
{{- range .Values.global.defaultConfigVisibilitySettings }}
- {{ . | quote }}
{{- end }}
defaultDestinationRuleExportTo:
{{- range .Values.global.defaultConfigVisibilitySettings }}
- {{ . | quote }}
{{- end }}
{{- end }}
{{- if $.Values.global.useMCP }}
configSources:
- address: istio-galley.{{ $.Release.Namespace }}.svc:9901
{{- if .Values.pilot.configSource.subscribedResources }}
subscribedResources:
- {{ .Values.pilot.configSource.subscribedResources }}
{{- end}}
{{- if $.Values.global.controlPlaneSecurityEnabled}}
tlsSettings:
mode: ISTIO_MUTUAL
{{- end }}
{{- end }}
defaultConfig:
#
# TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters
# defined in Envoy's configuration file
connectTimeout: 10s
#
### ADVANCED SETTINGS #############
# Where should envoy's configuration be stored in the istio-proxy container
configPath: "/etc/istio/proxy"
binaryPath: "/usr/local/bin/envoy"
# The pseudo service name used for Envoy.
serviceCluster: istio-proxy
# These settings that determine how long an old Envoy
# process should be kept alive after an occasional reload.
drainDuration: 45s
parentShutdownDuration: 1m0s
#
# The mode used to redirect inbound connections to Envoy. This setting
# has no effect on outbound traffic: iptables REDIRECT is always used for
# outbound connections.
# If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
# The "REDIRECT" mode loses source addresses during redirection.
# If "TPROXY", use iptables TPROXY to redirect to Envoy.
# The "TPROXY" mode preserves both the source and destination IP
# addresses and ports, so that they can be used for advanced filtering
# and manipulation.
# The "TPROXY" mode also configures the sidecar to run with the
# CAP_NET_ADMIN capability, which is required to use TPROXY.
#interceptionMode: REDIRECT
#
# Port where Envoy listens (on local host) for admin commands
# You can exec into the istio-proxy container in a pod and
# curl the admin port (curl http://localhost:15000/) to obtain
# diagnostic information from Envoy. See
# https://lyft.github.io/envoy/docs/operations/admin.html
# for more details
proxyAdminPort: 15000
#
# Set concurrency to a specific number to control the number of Proxy worker threads.
# If set to 0 (default), then start worker thread for each CPU thread/core.
concurrency: {{ .Values.global.proxy.concurrency }}
#
{{- if eq .Values.global.proxy.tracer "lightstep" }}
tracing:
lightstep:
# Address of the LightStep Satellite pool
address: {{ .Values.global.tracer.lightstep.address }}
# Access Token used to communicate with the Satellite pool
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
# Whether communication with the Satellite pool should be secure
secure: {{ .Values.global.tracer.lightstep.secure }}
# Path to the file containing the cacert to use when verifying TLS
cacertPath: {{ .Values.global.tracer.lightstep.cacertPath }}
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
tracing:
zipkin:
# Address of the Zipkin collector
{{- if .Values.global.tracer.zipkin.address }}
address: {{ .Values.global.tracer.zipkin.address }}
{{- else if .Values.global.remoteZipkinAddress }}
address: {{ .Values.global.remoteZipkinAddress }}:9411
{{- else }}
address: zipkin.{{ .Release.Namespace }}:9411
{{- end }}
{{- else if eq .Values.global.proxy.tracer "datadog" }}
tracing:
datadog:
# Address of the Datadog Agent
address: {{ .Values.global.tracer.datadog.address }}
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
tracing:
stackdriver: {}
{{- end }}
{{- if .Values.global.proxy.envoyStatsd.enabled }}
#
# Statsd metrics collector converts statsd metrics into Prometheus metrics.
statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }}
{{- end }}
{{- if .Values.global.proxy.envoyMetricsService.enabled }}
#
# Envoy's Metrics Service stats sink pushes Envoy metrics to a remote collector via the Metrics Service gRPC API.
envoyMetricsService:
address: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }}
{{- if .Values.global.proxy.envoyMetricsService.tlsSettings }}
tlsSettings:
{{ toYaml .Values.global.proxy.envoyMetricsService.tlsSettings | trim | indent 10 }}
{{- end}}
{{- if .Values.global.proxy.envoyMetricsService.tcpKeepalive }}
tcpKeepalive:
{{ toYaml .Values.global.proxy.envoyMetricsService.tcpKeepalive | trim | indent 10 }}
{{- end}}
{{- end}}
{{- if .Values.global.proxy.envoyAccessLogService.enabled }}
#
# Envoy's AccessLog Service pushes access logs to a remote collector via the Access Log Service gRPC API.
envoyAccessLogService:
address: {{ .Values.global.proxy.envoyAccessLogService.host }}:{{ .Values.global.proxy.envoyAccessLogService.port }}
{{- if .Values.global.proxy.envoyAccessLogService.tlsSettings }}
tlsSettings:
{{ toYaml .Values.global.proxy.envoyAccessLogService.tlsSettings | trim | indent 10 }}
{{- end}}
{{- if .Values.global.proxy.envoyAccessLogService.tcpKeepalive }}
tcpKeepalive:
{{ toYaml .Values.global.proxy.envoyAccessLogService.tcpKeepalive | trim | indent 10 }}
{{- end}}
{{- end}}
{{- $defPilotHostname := printf "istio-pilot.%s" .Release.Namespace }}
{{- $pilotAddress := .Values.global.remotePilotAddress | default $defPilotHostname }}
{{- if .Values.global.controlPlaneSecurityEnabled }}
#
# Mutual TLS authentication between sidecars and istio control plane.
controlPlaneAuthPolicy: MUTUAL_TLS
#
# Address where istio Pilot service is running
{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
discoveryAddress: {{ $defPilotHostname }}:15011
{{- else }}
discoveryAddress: {{ $pilotAddress }}:15011
{{- end }}
{{- else }}
#
# Mutual TLS authentication between sidecars and istio control plane.
controlPlaneAuthPolicy: NONE
#
# Address where istio Pilot service is running
{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
discoveryAddress: {{ $defPilotHostname }}:15010
{{- else }}
discoveryAddress: {{ $pilotAddress }}:15010
{{- end }}
{{- end }}
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
meshNetworks: |-
{{- if .Values.global.meshNetworks }}
networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
{{- else }}
networks: {}
{{- end }}
{{- end }}
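Review bot: The LightStep credential at `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` is rendered in clear text into the `mesh` key of the `istio` ConfigMap, so any principal with `get` on ConfigMaps in the release namespace, and anything that dumps the mesh config, reads the token; a ConfigMap is not a Secret and is not treated as one by RBAC or audit tooling. It is also the one value in the lightstep stanza emitted without `| quote`, so a token that happens to look like a number or a boolean would be retyped by the YAML parser on the consumer side; at minimum change it to `accessToken: {{ .Values.global.tracer.lightstep.accessToken | quote }}` and add `# NOTE: this token is stored in a ConfigMap, not a Secret; scope RBAC on configmaps accordingly` above it. If the consumer of this mesh config can take the token from a Secret-backed source instead of chart values, that is the fix to prefer, but the template as written does not show such an option. The same `| quote` treatment on `address` and `cacertPath` in this stanza, and on the zipkin and datadog `address` lines below it, would match how `sdsUdsPath` and `trustDomain` are already rendered.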
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: mixer
chart: istio
heritage: Tiller
istio: core
package: istio.io.mixer
release: istio
name: attributemanifests.config.istio.io
spec:
group: config.istio.io
names:
categories:
- istio-io
- policy-istio-io
kind: attributemanifest
plural: attributemanifests
singular: attributemanifest
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Describes the rules used to configure Mixer''s policy and
telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html'
properties:
attributes:
additionalProperties:
properties:
description:
description: A human-readable description of the attribute's purpose.
format: string
type: string
valueType:
description: The type of data carried by this attribute.
enum:
- VALUE_TYPE_UNSPECIFIED
- STRING
- INT64
- DOUBLE
- BOOL
- TIMESTAMP
- IP_ADDRESS
- EMAIL_ADDRESS
- URI
- DNS_NAME
- DURATION
- STRING_MAP
type: string
type: object
description: The set of attributes this Istio component will be responsible
for producing at runtime.
type: object
name:
description: Name of the component producing these attributes.
format: string
type: string
revision:
description: The revision of this document.
format: string
type: string
type: object
type: object
versions:
- name: v1alpha2
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-pilot
heritage: Tiller
istio: rbac
release: istio
name: clusterrbacconfigs.rbac.istio.io
spec:
group: rbac.istio.io
names:
categories:
- istio-io
- rbac-istio-io
kind: ClusterRbacConfig
plural: clusterrbacconfigs
singular: clusterrbacconfig
scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration for Role Based Access Control. See more details
at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html'
properties:
enforcementMode:
enum:
- ENFORCED
- PERMISSIVE
type: string
exclusion:
description: A list of services or namespaces that should not be enforced
by Istio RBAC policies.
properties:
namespaces:
description: A list of namespaces.
items:
format: string
type: string
type: array
services:
description: A list of services.
items:
format: string
type: string
type: array
type: object
inclusion:
description: A list of services or namespaces that should be enforced
by Istio RBAC policies.
properties:
namespaces:
description: A list of namespaces.
items:
format: string
type: string
type: array
services:
description: A list of services.
items:
format: string
type: string
type: array
type: object
mode:
description: Istio RBAC mode.
enum:
- "OFF"
- "ON"
- ON_WITH_INCLUSION
- ON_WITH_EXCLUSION
type: string
type: object
type: object
versions:
- name: v1alpha1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: destinationrules.networking.istio.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.host
description: The name of a service from the service registry
name: Host
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: DestinationRule
listKind: DestinationRuleList
plural: destinationrules
shortNames:
- dr
singular: destinationrule
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting load balancing, outlier detection,
etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule.html'
properties:
exportTo:
description: A list of namespaces to which this destination rule is
exported.
items:
format: string
type: string
type: array
host:
description: The name of a service from the service registry.
format: string
type: string
subsets:
items:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
name:
description: Name of the subset.
format: string
type: string
trafficPolicy:
description: Traffic policies that apply to this subset.
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should
be upgraded to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP requests
to a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection
pool connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per connection
to a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream
connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on the socket
to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive
probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer algorithms.
oneOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutiveErrors:
format: int32
type: integer
interval:
description: Time interval between ejection sweep analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
portLevelSettings:
description: Traffic policies specific to individual ports.
items:
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should
be upgraded to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP
requests to a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a
backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection
pool connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per
connection to a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP
upstream connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on
the socket to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive
probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer
algorithms.
oneOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutiveErrors:
format: int32
type: integer
interval:
description: Time interval between ejection sweep
analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
port:
properties:
number:
type: integer
type: object
tls:
description: TLS related settings for connections to
the upstream service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server
during TLS handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: array
tls:
description: TLS related settings for connections to the upstream
service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server during
TLS handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: object
type: array
trafficPolicy:
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should be upgraded
to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP requests to
a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection pool
connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per connection to
a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections to
a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on the socket
to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer algorithms.
oneOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutiveErrors:
format: int32
type: integer
interval:
description: Time interval between ejection sweep analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
portLevelSettings:
description: Traffic policies specific to individual ports.
items:
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should
be upgraded to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP requests
to a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection
pool connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per connection
to a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream
connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on the socket
to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive
probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer algorithms.
oneOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutiveErrors:
format: int32
type: integer
interval:
description: Time interval between ejection sweep analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
port:
properties:
number:
type: integer
type: object
tls:
description: TLS related settings for connections to the upstream
service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server during
TLS handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: array
tls:
description: TLS related settings for connections to the upstream
service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server during TLS
handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: object
type: object
versions:
- name: v1alpha3
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: envoyfilters.networking.istio.io
spec:
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: EnvoyFilter
plural: envoyfilters
singular: envoyfilter
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Customizing Envoy configuration generated by Istio. See more
details at: https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter.html'
properties:
configPatches:
description: One or more patches with match conditions.
items:
properties:
applyTo:
enum:
- INVALID
- LISTENER
- FILTER_CHAIN
- NETWORK_FILTER
- HTTP_FILTER
- ROUTE_CONFIGURATION
- VIRTUAL_HOST
- HTTP_ROUTE
- CLUSTER
type: string
match:
description: Match on listener/route configuration/cluster.
oneOf:
- required:
- listener
- required:
- routeConfiguration
- required:
- cluster
properties:
cluster:
description: Match on envoy cluster attributes.
properties:
name:
description: The exact name of the cluster to match.
format: string
type: string
portNumber:
description: The service port for which this cluster was
generated.
type: integer
service:
description: The fully qualified service name for this
cluster.
format: string
type: string
subset:
description: The subset associated with the service.
format: string
type: string
type: object
context:
description: The specific config generation context to match
on.
enum:
- ANY
- SIDECAR_INBOUND
- SIDECAR_OUTBOUND
- GATEWAY
type: string
listener:
description: Match on envoy listener attributes.
properties:
filterChain:
description: Match a specific filter chain in a listener.
properties:
applicationProtocols:
description: Applies only to sidecars.
format: string
type: string
filter:
description: The name of a specific filter to apply
the patch to.
properties:
name:
description: The filter name to match on.
format: string
type: string
subFilter:
properties:
name:
description: The filter name to match on.
format: string
type: string
type: object
type: object
name:
description: The name assigned to the filter chain.
format: string
type: string
sni:
description: The SNI value used by a filter chain's
match condition.
format: string
type: string
transportProtocol:
description: Applies only to SIDECAR_INBOUND context.
format: string
type: string
type: object
name:
description: Match a specific listener by its name.
format: string
type: string
portName:
format: string
type: string
portNumber:
type: integer
type: object
proxy:
description: Match on properties associated with a proxy.
properties:
metadata:
additionalProperties:
format: string
type: string
type: object
proxyVersion:
format: string
type: string
type: object
routeConfiguration:
description: Match on envoy HTTP route configuration attributes.
properties:
gateway:
format: string
type: string
name:
description: Route configuration name to match on.
format: string
type: string
portName:
description: Applicable only for GATEWAY context.
format: string
type: string
portNumber:
type: integer
vhost:
properties:
name:
format: string
type: string
route:
description: Match a specific route within the virtual
host.
properties:
action:
description: Match a route with specific action
type.
enum:
- ANY
- ROUTE
- REDIRECT
- DIRECT_RESPONSE
type: string
name:
format: string
type: string
type: object
type: object
type: object
type: object
patch:
description: The patch to apply along with the operation.
properties:
operation:
description: Determines how the patch should be applied.
enum:
- INVALID
- MERGE
- ADD
- REMOVE
- INSERT_BEFORE
- INSERT_AFTER
type: string
value:
description: The JSON config of the object being patched.
type: object
type: object
type: object
type: array
filters:
items:
properties:
filterConfig:
type: object
filterName:
description: The name of the filter to instantiate.
format: string
type: string
filterType:
description: The type of filter to instantiate.
enum:
- INVALID
- HTTP
- NETWORK
type: string
insertPosition:
description: Insert position in the filter chain.
properties:
index:
description: Position of this filter in the filter chain.
enum:
- FIRST
- LAST
- BEFORE
- AFTER
type: string
relativeTo:
format: string
type: string
type: object
listenerMatch:
properties:
address:
description: One or more IP addresses to which the listener
is bound.
items:
format: string
type: string
type: array
listenerProtocol:
description: Selects a class of listeners for the same protocol.
enum:
- ALL
- HTTP
- TCP
type: string
listenerType:
description: Inbound vs outbound sidecar listener or gateway
listener.
enum:
- ANY
- SIDECAR_INBOUND
- SIDECAR_OUTBOUND
- GATEWAY
type: string
portNamePrefix:
format: string
type: string
portNumber:
type: integer
type: object
type: object
type: array
workloadLabels:
additionalProperties:
format: string
type: string
description: Deprecated.
type: object
workloadSelector:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
type: object
versions:
- name: v1alpha3
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: gateways.networking.istio.io
spec:
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: Gateway
plural: gateways
shortNames:
- gw
singular: gateway
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting edge load balancer. See more details
at: https://istio.io/docs/reference/config/networking/v1alpha3/gateway.html'
properties:
selector:
additionalProperties:
format: string
type: string
type: object
servers:
description: A list of server specifications.
items:
properties:
bind:
format: string
type: string
defaultEndpoint:
format: string
type: string
hosts:
description: One or more hosts exposed by this gateway.
items:
format: string
type: string
type: array
port:
properties:
name:
description: Label assigned to the port.
format: string
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
format: string
type: string
type: object
tls:
description: Set of TLS related options that govern the server's
behavior.
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
cipherSuites:
description: 'Optional: If specified, only support the specified
cipher list.'
items:
format: string
type: string
type: array
credentialName:
format: string
type: string
httpsRedirect:
type: boolean
maxProtocolVersion:
description: 'Optional: Maximum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
minProtocolVersion:
description: 'Optional: Minimum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
mode:
enum:
- PASSTHROUGH
- SIMPLE
- MUTUAL
- AUTO_PASSTHROUGH
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
format: string
type: string
serverCertificate:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
verifyCertificateHash:
items:
format: string
type: string
type: array
verifyCertificateSpki:
items:
format: string
type: string
type: array
type: object
type: object
type: array
type: object
type: object
versions:
- name: v1alpha3
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
name: httpapispecbindings.config.istio.io
spec:
group: config.istio.io
names:
categories:
- istio-io
- apim-istio-io
kind: HTTPAPISpecBinding
plural: httpapispecbindings
singular: httpapispecbinding
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
api_specs:
items:
properties:
name:
description: The short name of the HTTPAPISpec.
format: string
type: string
namespace:
description: Optional namespace of the HTTPAPISpec.
format: string
type: string
type: object
type: array
apiSpecs:
items:
properties:
name:
description: The short name of the HTTPAPISpec.
format: string
type: string
namespace:
description: Optional namespace of the HTTPAPISpec.
format: string
type: string
type: object
type: array
services:
description: One or more services to map the listed HTTPAPISpec onto.
items:
properties:
domain:
description: Domain suffix used to construct the service FQDN
in implementations that support such specification.
format: string
type: string
labels:
additionalProperties:
format: string
type: string
description: Optional one or more labels that uniquely identify
the service version.
type: object
name:
description: The short name of the service such as "foo".
format: string
type: string
namespace:
description: Optional namespace of the service.
format: string
type: string
service:
description: The service FQDN.
format: string
type: string
type: object
type: array
type: object
type: object
versions:
- name: v1alpha2
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
name: httpapispecs.config.istio.io
spec:
group: config.istio.io
names:
categories:
- istio-io
- apim-istio-io
kind: HTTPAPISpec
plural: httpapispecs
singular: httpapispec
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
api_keys:
items:
oneOf:
- required:
- query
- required:
- header
- required:
- cookie
properties:
cookie:
format: string
type: string
header:
description: API key is sent in a request header.
format: string
type: string
query:
description: API Key is sent as a query parameter.
format: string
type: string
type: object
type: array
apiKeys:
items:
oneOf:
- required:
- query
- required:
- header
- required:
- cookie
properties:
cookie:
format: string
type: string
header:
description: API key is sent in a request header.
format: string
type: string
query:
description: API Key is sent as a query parameter.
format: string
type: string
type: object
type: array
attributes:
properties:
attributes:
additionalProperties:
oneOf:
- required:
- stringValue
- required:
- int64Value
- required:
- doubleValue
- required:
- boolValue
- required:
- bytesValue
- required:
- timestampValue
- required:
- durationValue
- required:
- stringMapValue
properties:
boolValue:
type: boolean
bytesValue:
format: binary
type: string
doubleValue:
format: double
type: number
durationValue:
type: string
int64Value:
format: int64
type: integer
stringMapValue:
properties:
entries:
additionalProperties:
format: string
type: string
description: Holds a set of name/value pairs.
type: object
type: object
stringValue:
format: string
type: string
timestampValue:
format: dateTime
type: string
type: object
description: A map of attribute name to its value.
type: object
type: object
patterns:
description: List of HTTP patterns to match.
items:
oneOf:
- required:
- uriTemplate
- required:
- regex
properties:
attributes:
properties:
attributes:
additionalProperties:
oneOf:
- required:
- stringValue
- required:
- int64Value
- required:
- doubleValue
- required:
- boolValue
- required:
- bytesValue
- required:
- timestampValue
- required:
- durationValue
- required:
- stringMapValue
properties:
boolValue:
type: boolean
bytesValue:
format: binary
type: string
doubleValue:
format: double
type: number
durationValue:
type: string
int64Value:
format: int64
type: integer
stringMapValue:
properties:
entries:
additionalProperties:
format: string
type: string
description: Holds a set of name/value pairs.
type: object
type: object
stringValue:
format: string
type: string
timestampValue:
format: dateTime
type: string
type: object
description: A map of attribute name to its value.
type: object
type: object
httpMethod:
format: string
type: string
regex:
format: string
type: string
uriTemplate:
format: string
type: string
type: object
type: array
type: object
type: object
versions:
- name: v1alpha2
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-citadel
chart: istio
heritage: Tiller
release: istio
name: meshpolicies.authentication.istio.io
spec:
group: authentication.istio.io
names:
categories:
- istio-io
- authentication-istio-io
kind: MeshPolicy
listKind: MeshPolicyList
plural: meshpolicies
singular: meshpolicy
scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Authentication policy for Istio services. See more details
at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html'
properties:
originIsOptional:
type: boolean
origins:
description: List of authentication methods that can be used for origin
authentication.
items:
properties:
jwt:
description: Jwt params for the method.
properties:
audiences:
items:
format: string
type: string
type: array
issuer:
description: Identifies the issuer that issued the JWT.
format: string
type: string
jwks:
description: JSON Web Key Set of public keys to validate signature
of the JWT.
format: string
type: string
jwks_uri:
format: string
type: string
jwksUri:
format: string
type: string
jwt_headers:
description: JWT is sent in a request header.
items:
format: string
type: string
type: array
jwtHeaders:
description: JWT is sent in a request header.
items:
format: string
type: string
type: array
jwtParams:
description: JWT is sent in a query parameter.
items:
format: string
type: string
type: array
trigger_rules:
items:
properties:
excluded_paths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
excludedPaths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
included_paths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
includedPaths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
type: object
type: array
triggerRules:
items:
properties:
excluded_paths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
excludedPaths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
included_paths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
includedPaths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
type: object
type: array
type: object
type: object
type: array
peerIsOptional:
type: boolean
peers:
description: List of authentication methods that can be used for peer
authentication.
items:
oneOf:
- required:
- mtls
- required:
- jwt
properties:
jwt:
properties:
audiences:
items:
format: string
type: string
type: array
issuer:
description: Identifies the issuer that issued the JWT.
format: string
type: string
jwks:
description: JSON Web Key Set of public keys to validate signature
of the JWT.
format: string
type: string
jwks_uri:
format: string
type: string
jwksUri:
format: string
type: string
jwt_headers:
description: JWT is sent in a request header.
items:
format: string
type: string
type: array
jwtHeaders:
description: JWT is sent in a request header.
items:
format: string
type: string
type: array
jwtParams:
description: JWT is sent in a query parameter.
items:
format: string
type: string
type: array
trigger_rules:
items:
properties:
excluded_paths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
excludedPaths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
included_paths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
includedPaths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
type: object
type: array
triggerRules:
items:
properties:
excluded_paths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
excludedPaths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
included_paths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
includedPaths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
type: object
type: array
type: object
mtls:
description: Set if mTLS is used.
properties:
allowTls:
description: WILL BE DEPRECATED, if set, will translates to
`TLS_PERMISSIVE` mode.
type: boolean
mode:
description: Defines the mode of mTLS authentication.
enum:
- STRICT
- PERMISSIVE
type: string
type: object
type: object
type: array
principalBinding:
description: Define whether peer or origin identity should be use for
principal.
enum:
- USE_PEER
- USE_ORIGIN
type: string
targets:
description: List rules to select workloads that the policy should be
applied on.
items:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
name:
description: The name must be a short name from the service registry.
format: string
type: string
ports:
description: Specifies the ports.
items:
oneOf:
- required:
- number
- required:
- name
properties:
name:
format: string
type: string
number:
type: integer
type: object
type: array
type: object
type: array
type: object
type: object
versions:
- name: v1alpha1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-citadel
chart: istio
heritage: Tiller
release: istio
name: policies.authentication.istio.io
spec:
group: authentication.istio.io
names:
categories:
- istio-io
- authentication-istio-io
kind: Policy
plural: policies
singular: policy
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Authentication policy for Istio services. See more details
at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html'
properties:
originIsOptional:
type: boolean
origins:
description: List of authentication methods that can be used for origin
authentication.
items:
properties:
jwt:
description: Jwt params for the method.
properties:
audiences:
items:
format: string
type: string
type: array
issuer:
description: Identifies the issuer that issued the JWT.
format: string
type: string
jwks:
description: JSON Web Key Set of public keys to validate signature
of the JWT.
format: string
type: string
jwks_uri:
format: string
type: string
jwksUri:
format: string
type: string
jwt_headers:
description: JWT is sent in a request header.
items:
format: string
type: string
type: array
jwtHeaders:
description: JWT is sent in a request header.
items:
format: string
type: string
type: array
jwtParams:
description: JWT is sent in a query parameter.
items:
format: string
type: string
type: array
trigger_rules:
items:
properties:
excluded_paths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
excludedPaths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
included_paths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
includedPaths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
type: object
type: array
triggerRules:
items:
properties:
excluded_paths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
excludedPaths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
included_paths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
includedPaths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
type: object
type: array
type: object
type: object
type: array
peerIsOptional:
type: boolean
peers:
description: List of authentication methods that can be used for peer
authentication.
items:
oneOf:
- required:
- mtls
- required:
- jwt
properties:
jwt:
properties:
audiences:
items:
format: string
type: string
type: array
issuer:
description: Identifies the issuer that issued the JWT.
format: string
type: string
jwks:
description: JSON Web Key Set of public keys to validate signature
of the JWT.
format: string
type: string
jwks_uri:
format: string
type: string
jwksUri:
format: string
type: string
jwt_headers:
description: JWT is sent in a request header.
items:
format: string
type: string
type: array
jwtHeaders:
description: JWT is sent in a request header.
items:
format: string
type: string
type: array
jwtParams:
description: JWT is sent in a query parameter.
items:
format: string
type: string
type: array
trigger_rules:
items:
properties:
excluded_paths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
excludedPaths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
included_paths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
includedPaths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
type: object
type: array
triggerRules:
items:
properties:
excluded_paths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
excludedPaths:
description: List of paths to be excluded from the request.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
included_paths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
includedPaths:
description: List of paths that the request must include.
items:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- suffix
- required:
- regex
properties:
exact:
description: exact string match.
format: string
type: string
prefix:
description: prefix-based match.
format: string
type: string
regex:
description: ECMAscript style regex-based match
as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
format: string
type: string
suffix:
description: suffix-based match.
format: string
type: string
type: object
type: array
type: object
type: array
type: object
mtls:
description: Set if mTLS is used.
properties:
allowTls:
description: WILL BE DEPRECATED, if set, will translates to
`TLS_PERMISSIVE` mode.
type: boolean
mode:
description: Defines the mode of mTLS authentication.
enum:
- STRICT
- PERMISSIVE
type: string
type: object
type: object
type: array
principalBinding:
description: Define whether peer or origin identity should be use for
principal.
enum:
- USE_PEER
- USE_ORIGIN
type: string
targets:
description: List rules to select workloads that the policy should be
applied on.
items:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
name:
description: The name must be a short name from the service registry.
format: string
type: string
ports:
description: Specifies the ports.
items:
oneOf:
- required:
- number
- required:
- name
properties:
name:
format: string
type: string
number:
type: integer
type: object
type: array
type: object
type: array
type: object
type: object
versions:
- name: v1alpha1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
name: quotaspecbindings.config.istio.io
spec:
group: config.istio.io
names:
categories:
- istio-io
- apim-istio-io
kind: QuotaSpecBinding
plural: quotaspecbindings
singular: quotaspecbinding
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
quotaSpecs:
items:
properties:
name:
description: The short name of the QuotaSpec.
format: string
type: string
namespace:
description: Optional namespace of the QuotaSpec.
format: string
type: string
type: object
type: array
services:
description: One or more services to map the listed QuotaSpec onto.
items:
properties:
domain:
description: Domain suffix used to construct the service FQDN
in implementations that support such specification.
format: string
type: string
labels:
additionalProperties:
format: string
type: string
description: Optional one or more labels that uniquely identify
the service version.
type: object
name:
description: The short name of the service such as "foo".
format: string
type: string
namespace:
description: Optional namespace of the service.
format: string
type: string
service:
description: The service FQDN.
format: string
type: string
type: object
type: array
type: object
type: object
versions:
- name: v1alpha2
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
name: quotaspecs.config.istio.io
spec:
group: config.istio.io
names:
categories:
- istio-io
- apim-istio-io
kind: QuotaSpec
plural: quotaspecs
singular: quotaspec
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: Determines the quotas used for individual requests.
properties:
rules:
description: A list of Quota rules.
items:
properties:
match:
description: If empty, match all request.
items:
properties:
clause:
additionalProperties:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
format: string
type: string
type: object
description: Map of attribute names to StringMatch type.
type: object
type: object
type: array
quotas:
description: The list of quotas to charge.
items:
properties:
charge:
format: int32
type: integer
quota:
format: string
type: string
type: object
type: array
type: object
type: array
type: object
type: object
versions:
- name: v1alpha2
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: mixer
chart: istio
heritage: Tiller
istio: rbac
package: istio.io.mixer
release: istio
name: rbacconfigs.rbac.istio.io
spec:
group: rbac.istio.io
names:
categories:
- istio-io
- rbac-istio-io
kind: RbacConfig
plural: rbacconfigs
singular: rbacconfig
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration for Role Based Access Control. See more details
at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html'
properties:
enforcementMode:
enum:
- ENFORCED
- PERMISSIVE
type: string
exclusion:
description: A list of services or namespaces that should not be enforced
by Istio RBAC policies.
properties:
namespaces:
description: A list of namespaces.
items:
format: string
type: string
type: array
services:
description: A list of services.
items:
format: string
type: string
type: array
type: object
inclusion:
description: A list of services or namespaces that should be enforced
by Istio RBAC policies.
properties:
namespaces:
description: A list of namespaces.
items:
format: string
type: string
type: array
services:
description: A list of services.
items:
format: string
type: string
type: array
type: object
mode:
description: Istio RBAC mode.
enum:
- "OFF"
- "ON"
- ON_WITH_INCLUSION
- ON_WITH_EXCLUSION
type: string
type: object
type: object
versions:
- name: v1alpha1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: mixer
chart: istio
heritage: Tiller
istio: core
package: istio.io.mixer
release: istio
name: rules.config.istio.io
spec:
group: config.istio.io
names:
categories:
- istio-io
- policy-istio-io
kind: rule
plural: rules
singular: rule
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Describes the rules used to configure Mixer''s policy and
telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html'
properties:
actions:
description: The actions that will be executed when match evaluates
to `true`.
items:
properties:
handler:
description: Fully qualified name of the handler to invoke.
format: string
type: string
instances:
items:
format: string
type: string
type: array
name:
description: A handle to refer to the results of the action.
format: string
type: string
type: object
type: array
match:
description: Match is an attribute based predicate.
format: string
type: string
requestHeaderOperations:
items:
properties:
name:
description: Header name literal value.
format: string
type: string
operation:
description: Header operation type.
enum:
- REPLACE
- REMOVE
- APPEND
type: string
values:
description: Header value expressions.
items:
format: string
type: string
type: array
type: object
type: array
responseHeaderOperations:
items:
properties:
name:
description: Header name literal value.
format: string
type: string
operation:
description: Header operation type.
enum:
- REPLACE
- REMOVE
- APPEND
type: string
values:
description: Header value expressions.
items:
format: string
type: string
type: array
type: object
type: array
sampling:
properties:
random:
description: Provides filtering of actions based on random selection
per request.
properties:
attributeExpression:
description: Specifies an attribute expression to use to override
the numerator in the `percent_sampled` field.
format: string
type: string
percentSampled:
description: The default sampling rate, expressed as a percentage.
properties:
denominator:
description: Specifies the denominator.
enum:
- HUNDRED
- TEN_THOUSAND
type: string
numerator:
description: Specifies the numerator.
type: integer
type: object
useIndependentRandomness:
description: By default sampling will be based on the value
of the request header `x-request-id`.
type: boolean
type: object
rateLimit:
properties:
maxUnsampledEntries:
description: Number of entries to allow during the `sampling_duration`
before sampling is enforced.
format: int64
type: integer
samplingDuration:
description: Window in which to enforce the sampling rate.
type: string
samplingRate:
description: The rate at which to sample entries once the unsampled
limit has been reached.
format: int64
type: integer
type: object
type: object
type: object
type: object
versions:
- name: v1alpha2
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: serviceentries.networking.istio.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.hosts
description: The hosts associated with the ServiceEntry
name: Hosts
type: string
- JSONPath: .spec.location
description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL
or MESH_INTERNAL)
name: Location
type: string
- JSONPath: .spec.resolution
description: Service discovery mode for the hosts (NONE, STATIC, or DNS)
name: Resolution
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: ServiceEntry
listKind: ServiceEntryList
plural: serviceentries
shortNames:
- se
singular: serviceentry
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting service registry. See more details
at: https://istio.io/docs/reference/config/networking/v1alpha3/service-entry.html'
properties:
addresses:
description: The virtual IP addresses associated with the service.
items:
format: string
type: string
type: array
endpoints:
description: One or more endpoints associated with the service.
items:
properties:
address:
format: string
type: string
labels:
additionalProperties:
format: string
type: string
description: One or more labels associated with the endpoint.
type: object
locality:
description: The locality associated with the endpoint.
format: string
type: string
network:
format: string
type: string
ports:
additionalProperties:
type: integer
description: Set of ports associated with the endpoint.
type: object
weight:
description: The load balancing weight associated with the endpoint.
type: integer
type: object
type: array
exportTo:
description: A list of namespaces to which this service is exported.
items:
format: string
type: string
type: array
hosts:
description: The hosts associated with the ServiceEntry.
items:
format: string
type: string
type: array
location:
enum:
- MESH_EXTERNAL
- MESH_INTERNAL
type: string
ports:
description: The ports associated with the external service.
items:
properties:
name:
description: Label assigned to the port.
format: string
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
format: string
type: string
type: object
type: array
resolution:
description: Service discovery mode for the hosts.
enum:
- NONE
- STATIC
- DNS
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
versions:
- name: v1alpha3
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: mixer
chart: istio
heritage: Tiller
istio: rbac
package: istio.io.mixer
release: istio
name: servicerolebindings.rbac.istio.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.roleRef.name
description: The name of the ServiceRole object being referenced
name: Reference
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: rbac.istio.io
names:
categories:
- istio-io
- rbac-istio-io
kind: ServiceRoleBinding
plural: servicerolebindings
singular: servicerolebinding
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration for Role Based Access Control. See more details
at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html'
properties:
actions:
items:
properties:
constraints:
description: Optional.
items:
properties:
key:
description: Key of the constraint.
format: string
type: string
values:
description: List of valid values for the constraint.
items:
format: string
type: string
type: array
type: object
type: array
hosts:
items:
format: string
type: string
type: array
methods:
description: Optional.
items:
format: string
type: string
type: array
notHosts:
items:
format: string
type: string
type: array
notMethods:
items:
format: string
type: string
type: array
notPaths:
items:
format: string
type: string
type: array
notPorts:
items:
format: int32
type: integer
type: array
paths:
description: Optional.
items:
format: string
type: string
type: array
ports:
items:
format: int32
type: integer
type: array
services:
description: A list of service names.
items:
format: string
type: string
type: array
type: object
type: array
mode:
enum:
- ENFORCED
- PERMISSIVE
type: string
role:
format: string
type: string
roleRef:
description: Reference to the ServiceRole object.
properties:
kind:
description: The type of the role being referenced.
format: string
type: string
name:
description: The name of the ServiceRole object being referenced.
format: string
type: string
type: object
subjects:
description: List of subjects that are assigned the ServiceRole object.
items:
properties:
group:
format: string
type: string
groups:
items:
format: string
type: string
type: array
ips:
items:
format: string
type: string
type: array
names:
items:
format: string
type: string
type: array
namespaces:
items:
format: string
type: string
type: array
notGroups:
items:
format: string
type: string
type: array
notIps:
items:
format: string
type: string
type: array
notNames:
items:
format: string
type: string
type: array
notNamespaces:
items:
format: string
type: string
type: array
properties:
additionalProperties:
format: string
type: string
description: Optional.
type: object
user:
description: Optional.
format: string
type: string
type: object
type: array
type: object
type: object
versions:
- name: v1alpha1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: mixer
chart: istio
heritage: Tiller
istio: rbac
package: istio.io.mixer
release: istio
name: serviceroles.rbac.istio.io
spec:
group: rbac.istio.io
names:
categories:
- istio-io
- rbac-istio-io
kind: ServiceRole
plural: serviceroles
singular: servicerole
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration for Role Based Access Control. See more details
at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html'
properties:
rules:
description: The set of access rules (permissions) that the role has.
items:
properties:
constraints:
description: Optional.
items:
properties:
key:
description: Key of the constraint.
format: string
type: string
values:
description: List of valid values for the constraint.
items:
format: string
type: string
type: array
type: object
type: array
hosts:
items:
format: string
type: string
type: array
methods:
description: Optional.
items:
format: string
type: string
type: array
notHosts:
items:
format: string
type: string
type: array
notMethods:
items:
format: string
type: string
type: array
notPaths:
items:
format: string
type: string
type: array
notPorts:
items:
format: int32
type: integer
type: array
paths:
description: Optional.
items:
format: string
type: string
type: array
ports:
items:
format: int32
type: integer
type: array
services:
description: A list of service names.
items:
format: string
type: string
type: array
type: object
type: array
type: object
type: object
versions:
- name: v1alpha1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: virtualservices.networking.istio.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.gateways
description: The names of gateways and sidecars that should apply these routes
name: Gateways
type: string
- JSONPath: .spec.hosts
description: The destination hosts to which traffic is being sent
name: Hosts
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: VirtualService
listKind: VirtualServiceList
plural: virtualservices
shortNames:
- vs
singular: virtualservice
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting label/content routing, sni routing,
etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service.html'
properties:
exportTo:
description: A list of namespaces to which this virtual service is exported.
items:
format: string
type: string
type: array
gateways:
description: The names of gateways and sidecars that should apply these
routes.
items:
format: string
type: string
type: array
hosts:
description: The destination hosts to which traffic is being sent.
items:
format: string
type: string
type: array
http:
description: An ordered list of route rules for HTTP traffic.
items:
properties:
appendHeaders:
additionalProperties:
format: string
type: string
type: object
appendRequestHeaders:
additionalProperties:
format: string
type: string
type: object
appendResponseHeaders:
additionalProperties:
format: string
type: string
type: object
corsPolicy:
description: Cross-Origin Resource Sharing policy (CORS).
properties:
allowCredentials:
nullable: true
type: boolean
allowHeaders:
items:
format: string
type: string
type: array
allowMethods:
description: List of HTTP methods allowed to access the resource.
items:
format: string
type: string
type: array
allowOrigin:
description: The list of origins that are allowed to perform
CORS requests.
items:
format: string
type: string
type: array
exposeHeaders:
items:
format: string
type: string
type: array
maxAge:
type: string
type: object
fault:
description: Fault injection policy to apply on HTTP traffic at
the client side.
properties:
abort:
oneOf:
- properties:
percent: {}
required:
- httpStatus
- properties:
percent: {}
required:
- grpcStatus
- properties:
percent: {}
required:
- http2Error
properties:
grpcStatus:
format: string
type: string
http2Error:
format: string
type: string
httpStatus:
description: HTTP status code to use to abort the Http
request.
format: int32
type: integer
percent:
description: Percentage of requests to be aborted with
the error code provided (0-100).
format: int32
type: integer
percentage:
description: Percentage of requests to be aborted with
the error code provided.
properties:
value:
format: double
type: number
type: object
type: object
delay:
oneOf:
- properties:
percent: {}
required:
- fixedDelay
- properties:
percent: {}
required:
- exponentialDelay
properties:
exponentialDelay:
type: string
fixedDelay:
description: Add a fixed delay before forwarding the request.
type: string
percent:
description: Percentage of requests on which the delay
will be injected (0-100).
format: int32
type: integer
percentage:
description: Percentage of requests on which the delay
will be injected.
properties:
value:
format: double
type: number
type: object
type: object
type: object
headers:
properties:
request:
properties:
add:
additionalProperties:
format: string
type: string
type: object
remove:
items:
format: string
type: string
type: array
set:
additionalProperties:
format: string
type: string
type: object
type: object
response:
properties:
add:
additionalProperties:
format: string
type: string
type: object
remove:
items:
format: string
type: string
type: array
set:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
match:
items:
properties:
authority:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
format: string
type: string
type: object
gateways:
items:
format: string
type: string
type: array
headers:
additionalProperties:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
format: string
type: string
type: object
type: object
ignoreUriCase:
description: Flag to specify whether the URI matching should
be case-insensitive.
type: boolean
method:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
format: string
type: string
type: object
name:
description: The name assigned to a match.
format: string
type: string
port:
description: Specifies the ports on the host that is being
addressed.
type: integer
queryParams:
additionalProperties:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
format: string
type: string
type: object
description: Query parameters for matching.
type: object
scheme:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
format: string
type: string
type: object
sourceLabels:
additionalProperties:
format: string
type: string
type: object
uri:
oneOf:
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
format: string
type: string
type: object
type: object
type: array
mirror:
properties:
host:
description: The name of a service from the service registry.
format: string
type: string
port:
description: Specifies the port on the host that is being
addressed.
properties:
number:
type: integer
type: object
subset:
description: The name of a subset within the service.
format: string
type: string
type: object
mirror_percent:
description: Percentage of the traffic to be mirrored by the `mirror`
field.
nullable: true
type: integer
mirrorPercent:
description: Percentage of the traffic to be mirrored by the `mirror`
field.
nullable: true
type: integer
name:
description: The name assigned to the route for debugging purposes.
format: string
type: string
redirect:
description: A http rule can either redirect or forward (default)
traffic.
properties:
authority:
format: string
type: string
redirectCode:
type: integer
uri:
format: string
type: string
type: object
removeRequestHeaders:
items:
format: string
type: string
type: array
removeResponseHeaders:
items:
format: string
type: string
type: array
retries:
description: Retry policy for HTTP requests.
properties:
attempts:
description: Number of retries for a given request.
format: int32
type: integer
perTryTimeout:
description: Timeout per retry attempt for a given request.
type: string
retryOn:
description: Specifies the conditions under which retry takes
place.
format: string
type: string
type: object
rewrite:
description: Rewrite HTTP URIs and Authority headers.
properties:
authority:
description: rewrite the Authority/Host header with this value.
format: string
type: string
uri:
format: string
type: string
type: object
route:
description: A http rule can either redirect or forward (default)
traffic.
items:
properties:
appendRequestHeaders:
additionalProperties:
format: string
type: string
description: Use of `append_request_headers` is deprecated.
type: object
appendResponseHeaders:
additionalProperties:
format: string
type: string
description: Use of `append_response_headers` is deprecated.
type: object
destination:
properties:
host:
description: The name of a service from the service
registry.
format: string
type: string
port:
description: Specifies the port on the host that is
being addressed.
properties:
number:
type: integer
type: object
subset:
description: The name of a subset within the service.
format: string
type: string
type: object
headers:
properties:
request:
properties:
add:
additionalProperties:
format: string
type: string
type: object
remove:
items:
format: string
type: string
type: array
set:
additionalProperties:
format: string
type: string
type: object
type: object
response:
properties:
add:
additionalProperties:
format: string
type: string
type: object
remove:
items:
format: string
type: string
type: array
set:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
removeRequestHeaders:
description: Use of `remove_request_headers` is deprecated.
items:
format: string
type: string
type: array
removeResponseHeaders:
description: Use of `remove_response_header` is deprecated.
items:
format: string
type: string
type: array
weight:
format: int32
type: integer
type: object
type: array
timeout:
description: Timeout for HTTP requests.
type: string
websocketUpgrade:
description: Deprecated.
type: boolean
type: object
type: array
tcp:
description: An ordered list of route rules for opaque TCP traffic.
items:
properties:
match:
items:
properties:
destinationSubnets:
description: IPv4 or IPv6 ip addresses of destination with
optional subnet.
items:
format: string
type: string
type: array
gateways:
description: Names of gateways where the rule should be
applied to.
items:
format: string
type: string
type: array
port:
description: Specifies the port on the host that is being
addressed.
type: integer
sourceLabels:
additionalProperties:
format: string
type: string
type: object
sourceSubnet:
description: IPv4 or IPv6 ip address of source with optional
subnet.
format: string
type: string
type: object
type: array
route:
description: The destination to which the connection should be
forwarded to.
items:
properties:
destination:
properties:
host:
description: The name of a service from the service
registry.
format: string
type: string
port:
description: Specifies the port on the host that is
being addressed.
properties:
number:
type: integer
type: object
subset:
description: The name of a subset within the service.
format: string
type: string
type: object
weight:
format: int32
type: integer
type: object
type: array
type: object
type: array
tls:
items:
properties:
match:
items:
properties:
destinationSubnets:
description: IPv4 or IPv6 ip addresses of destination with
optional subnet.
items:
format: string
type: string
type: array
gateways:
description: Names of gateways where the rule should be
applied to.
items:
format: string
type: string
type: array
port:
description: Specifies the port on the host that is being
addressed.
type: integer
sniHosts:
description: SNI (server name indicator) to match on.
items:
format: string
type: string
type: array
sourceLabels:
additionalProperties:
format: string
type: string
type: object
sourceSubnet:
description: IPv4 or IPv6 ip address of source with optional
subnet.
format: string
type: string
type: object
type: array
route:
description: The destination to which the connection should be
forwarded to.
items:
properties:
destination:
properties:
host:
description: The name of a service from the service
registry.
format: string
type: string
port:
description: Specifies the port on the host that is
being addressed.
properties:
number:
type: integer
type: object
subset:
description: The name of a subset within the service.
format: string
type: string
type: object
weight:
format: int32
type: integer
type: object
type: array
type: object
type: array
type: object
type: object
versions:
- name: v1alpha3
served: true
storage: true
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: adapters.config.istio.io
labels:
app: mixer
package: adapter
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
group: config.istio.io
names:
kind: adapter
plural: adapters
singular: adapter
categories:
- istio-io
- policy-istio-io
scope: Namespaced
subresources:
status: {}
versions:
- name: v1alpha2
served: true
storage: true
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: instances.config.istio.io
labels:
app: mixer
package: instance
istio: mixer-instance
chart: istio
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
group: config.istio.io
names:
kind: instance
plural: instances
singular: instance
categories:
- istio-io
- policy-istio-io
scope: Namespaced
subresources:
status: {}
versions:
- name: v1alpha2
served: true
storage: true
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: templates.config.istio.io
labels:
app: mixer
package: template
istio: mixer-template
chart: istio
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
group: config.istio.io
names:
kind: template
plural: templates
singular: template
categories:
- istio-io
- policy-istio-io
scope: Namespaced
subresources:
status: {}
versions:
- name: v1alpha2
served: true
storage: true
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: handlers.config.istio.io
labels:
app: mixer
package: handler
istio: mixer-handler
chart: istio
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
group: config.istio.io
names:
kind: handler
plural: handlers
singular: handler
categories:
- istio-io
- policy-istio-io
scope: Namespaced
subresources:
status: {}
versions:
- name: v1alpha2
served: true
storage: true
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: sidecars.networking.istio.io
spec:
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: Sidecar
plural: sidecars
singular: sidecar
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting network reachability of a sidecar.
See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/sidecar.html'
properties:
egress:
items:
properties:
bind:
format: string
type: string
captureMode:
enum:
- DEFAULT
- IPTABLES
- NONE
type: string
hosts:
items:
format: string
type: string
type: array
port:
description: The port associated with the listener.
properties:
name:
description: Label assigned to the port.
format: string
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
format: string
type: string
type: object
type: object
type: array
ingress:
items:
properties:
bind:
description: The ip to which the listener should be bound.
format: string
type: string
captureMode:
enum:
- DEFAULT
- IPTABLES
- NONE
type: string
defaultEndpoint:
format: string
type: string
port:
description: The port associated with the listener.
properties:
name:
description: Label assigned to the port.
format: string
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
format: string
type: string
type: object
type: object
type: array
outboundTrafficPolicy:
description: This allows to configure the outbound traffic policy.
properties:
mode:
enum:
- REGISTRY_ONLY
- ALLOW_ANY
type: string
type: object
workloadSelector:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
type: object
versions:
- name: v1alpha3
served: true
storage: true
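Review bot: The Sidecar CRD document begins at L6532 with `apiVersion:` directly after the handlers CRD's `storage: true` at L6531, with no `---` separator, and the AuthorizationPolicy document at L6653 repeats the pattern. The rendering shows no file headers, so these may simply be file boundaries; if either pair of documents shares a template file, however, the parser folds them into one mapping and the duplicate top-level keys (`apiVersion`, `kind`, `metadata`, `spec`) silently resolve to the last value, dropping the preceding CRD. A `---` line before L6532 (and before L6653) is harmless in the file-boundary case and removes the ambiguity in the other.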
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: istio-pilot
heritage: Tiller
istio: security
release: istio
name: authorizationpolicies.security.istio.io
annotations:
helm.sh/hook: crd-install
spec:
group: security.istio.io
names:
categories:
- istio-io
- security-istio-io
kind: AuthorizationPolicy
plural: authorizationpolicies
singular: authorizationpolicy
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration for access control on workloads. See more details
at: https://istio.io/docs/reference/config/security/v1beta1/authorization-policy.html'
properties:
rules:
description: Optional.
items:
properties:
from:
description: Optional.
items:
properties:
source:
description: Source specifies the source of a request.
properties:
ipBlocks:
description: Optional.
items:
format: string
type: string
type: array
namespaces:
description: Optional.
items:
format: string
type: string
type: array
principals:
description: Optional.
items:
format: string
type: string
type: array
requestPrincipals:
description: Optional.
items:
format: string
type: string
type: array
type: object
type: object
type: array
to:
description: Optional.
items:
properties:
operation:
description: Operation specifies the operation of a request.
properties:
hosts:
description: Optional.
items:
format: string
type: string
type: array
methods:
description: Optional.
items:
format: string
type: string
type: array
paths:
description: Optional.
items:
format: string
type: string
type: array
ports:
description: Optional.
items:
format: string
type: string
type: array
type: object
type: object
type: array
when:
description: Optional.
items:
properties:
key:
description: The name of an Istio attribute.
format: string
type: string
values:
description: The allowed values for the attribute.
items:
format: string
type: string
type: array
type: object
type: array
type: object
type: array
selector:
description: Optional.
properties:
matchLabels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
type: object
versions:
- name: v1beta1
served: true
storage: true
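Review bot: The `authorizationpolicies.security.istio.io` CRD carries only `helm.sh/hook: crd-install` in its annotations (L6662-L6663), whereas every other CRD in this change also sets `helm.sh/resource-policy: keep` (for example L6536 and L6704). Whether a hook-installed CRD is removed when the release is deleted depends on the Helm version (Helm 2 leaves hook resources unmanaged; Helm 3 ignores `crd-install` and treats the template as an ordinary resource), but where it is removed, every AuthorizationPolicy object in the cluster is deleted with it, which is a worse outcome for this CRD than for any of the others. Adding `helm.sh/resource-policy: keep` under `annotations:` at L6662 makes the access-control CRD at least as durable as the rest.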
{{- if .Values.certmanager.enabled }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterissuers.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
group: certmanager.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: ClusterIssuer
plural: clusterissuers
scope: Cluster
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: issuers.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
group: certmanager.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: Issuer
plural: issuers
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: certificates.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- JSONPath: .spec.secretName
name: Secret
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
type: string
priority: 1
- JSONPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
priority: 1
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: certmanager.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
scope: Namespaced
names:
kind: Certificate
plural: certificates
shortNames:
- cert
- certs
{{- end }}
{{- if .Values.certmanager.enabled }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: orders.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
additionalPrinterColumns:
- JSONPath: .status.state
name: State
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
type: string
priority: 1
- JSONPath: .status.reason
name: Reason
type: string
priority: 1
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: certmanager.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: Order
plural: orders
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: challenges.certmanager.k8s.io
labels:
app: certmanager
chart: certmanager
heritage: Tiller
release: istio
annotations:
helm.sh/resource-policy: keep
helm.sh/hook: crd-install
spec:
additionalPrinterColumns:
- JSONPath: .status.state
name: State
type: string
- JSONPath: .spec.dnsName
name: Domain
type: string
- JSONPath: .status.reason
name: Reason
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: certmanager.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: Challenge
plural: challenges
scope: Namespaced
{{- end }}
{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
apiVersion: v1
kind: Endpoints
metadata:
name: istio-pilot
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePilotAddress }}
ports:
- port: 15003
name: http-old-discovery # mTLS or non-mTLS depending on auth setting
- port: 15005
name: https-discovery # always mTLS
- port: 15007
name: http-discovery # always plain-text
- port: 15010
name: grpc-xds # direct
- port: 15011
name: https-xds # mTLS or non-mTLS depending on auth setting
- port: 8080
name: http-legacy-discovery # direct
- port: 15014
name: http-monitoring
{{- end }}
{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }}
---
apiVersion: v1
kind: Endpoints
metadata:
name: istio-policy
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePolicyAddress }}
ports:
- name: grpc-mixer
port: 9091
- name: grpc-mixer-mtls
port: 15004
- name: http-monitoring
port: 15014
{{- end }}
{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }}
---
apiVersion: v1
kind: Endpoints
metadata:
name: istio-telemetry
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remoteTelemetryAddress }}
ports:
- name: grpc-mixer
port: 9091
- name: grpc-mixer-mtls
port: 15004
- name: http-monitoring
port: 15014
- name: prometheus
port: 42422
{{- end }}
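Review bot: The `istio-pilot` Endpoints block is guarded at L6963 only by the two create flags, while the policy and telemetry blocks at L6988 and L7006 additionally require their address value to be set. With `createRemoteSvcEndpoints` true and `remotePilotAddress` unset, L6971 renders as `- ip:` (a null) and the API server rejects the Endpoints object at apply time. Aligning the guard, `{{- if and .Values.global.remotePilotAddress (or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints) }}`, skips the object cleanly instead. Since this object points the in-cluster `istio-pilot` name at an operator-supplied address, the port list also deserves a comment calling out the entries the existing comments already mark as plain-text (L6974, L6978, L6984), so operators can decide whether those need to be published for a remote control plane.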
{{ define "install-custom-resources.sh.tpl" }}
#!/bin/sh
set -x
if [ "$#" -ne "1" ]; then
echo "first argument should be path to custom resource yaml"
exit 1
fi
pathToResourceYAML=${1}
kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
if [ "$?" -eq 0 ]; then
echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
while true; do
kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null
if [ "$?" -eq 0 ]; then
break
fi
sleep 1
done
kubectl -n {{ .Release.Namespace }} rollout status deployment istio-galley
if [ "$?" -ne 0 ]; then
echo "istio-galley deployment rollout status check failed"
exit 1
fi
echo "istio-galley deployment ready for configuration validation"
fi
sleep 5
kubectl apply -f ${pathToResourceYAML}
{{ end }}
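Review bot: The wait loop at L7037-L7043 has no upper bound, so if the `istio-galley` deployment never appears the hook script spins forever, and `kubectl apply -f ${pathToResourceYAML}` at L7052 passes the path unquoted, so a path containing whitespace is split into several arguments. Both are small changes: give the loop a bounded number of attempts that exits non-zero on expiry, and quote the expansion. The bound below is illustrative (300 one-second attempts); pick whatever the chart's hook timeout allows.
```shell
# … unchanged: argument check and validatingwebhookconfiguration probe …
  echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
  attempts=0
  while ! kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null; do
    attempts=$((attempts + 1))
    if [ "$attempts" -ge 300 ]; then
      echo "timed out waiting for istio-galley deployment to appear"
      exit 1
    fi
    sleep 1
  done
# … unchanged: rollout status check …
sleep 5
kubectl apply -f "${pathToResourceYAML}"
```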
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ .Release.Namespace }}
name: istio-service-reader
rules:
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["http:kiali:20001", "http:tracing:80", "http:grafana:80", "http:prometheus-http:80"]
verbs: ["get", "watch", "list"]
---
{{- if .Values.global.members }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-istio-service
namespace: {{ .Release.Namespace }}
subjects:
{{- range $member := .Values.global.members }}
- kind: {{ $member.kind }}
name: {{ $member.name }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
roleRef:
kind: Role
name: istio-service-reader
apiGroup: rbac.authorization.k8s.io
{{- end }}
\ No newline at end of file
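Review bot: The `services/proxy` rule at L7060-L7063 lets every subject listed in the RoleBinding (L7072-L7076) reach the Kiali, tracing, Grafana and Prometheus ports through the API server's proxy endpoint, and those backends then see the API server, not the user, as the client; if any of those UIs relies on network-level restrictions rather than its own authentication, that restriction does not apply on this path, which is worth stating in a comment above `rules:`, e.g. `# services/proxy grants API-server-proxied access to these UI ports; the backends see the API server as the client`. As far as I know the proxy subresource maps HTTP methods to verbs (GET to `get`, POST to `create`), so `watch` and `list` at L7063 grant nothing and can be dropped to make the intent explicit. The subjects loop emits `apiGroup: rbac.authorization.k8s.io` for every member, which is wrong for `ServiceAccount` subjects (those take an empty apiGroup and a `namespace`), so either document that `members` is limited to User/Group kinds or branch on `$member.kind`. The file also ends without a trailing newline (L7082).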
{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
apiVersion: v1
kind: Service
metadata:
name: istio-pilot
namespace: {{ .Release.Namespace }}
spec:
ports:
- port: 15003
name: http-old-discovery # mTLS or non-mTLS depending on auth setting
- port: 15005
name: https-discovery # always mTLS
- port: 15007
name: http-discovery # always plain-text
- port: 15010
name: grpc-xds # direct
- port: 15011
name: https-xds # mTLS or non-mTLS depending on auth setting
- port: 8080
name: http-legacy-discovery # direct
- port: 15014
name: http-monitoring
clusterIP: None
{{- end }}
{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }}
---
apiVersion: v1
kind: Service
metadata:
name: istio-policy
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: grpc-mixer
port: 9091
- name: grpc-mixer-mtls
port: 15004
- name: http-monitoring
port: 15014
clusterIP: None
{{- end }}
{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }}
---
apiVersion: v1
kind: Service
metadata:
name: istio-telemetry
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: grpc-mixer
port: 9091
- name: grpc-mixer-mtls
port: 15004
- name: http-monitoring
port: 15014
- name: prometheus
port: 42422
clusterIP: None
{{- end }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-multi
namespace: {{ .Release.Namespace }}
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "istio.name" . }}
chart: {{ template "istio.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
istio: sidecar-injector
data:
values: |-
{{ .Values | toJson }}
config: |-
policy: {{ .Values.global.proxy.autoInject }}
alwaysInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
neverInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
template: |-
{{ .Files.Get "files/injection-template.yaml" | trim | indent 6 }}
injectedAnnotations:
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
"{{ $key }}": "{{ $val }}"
{{- end }}
{{- end }}
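Review bot: The `values: |-` entry copies the entire chart values into this ConfigMap through `{{ .Values | toJson }}`, so anything a user puts under values (the values files on this page document `imagePullSecrets` names and registry settings, for instance) becomes readable to every principal that can read ConfigMaps in the release namespace; a comment above that line such as `# Full chart values are serialized here — keep secrets out of values and reference Kubernetes Secrets instead.` would make that boundary explicit to operators. Separately, `policy: {{ .Values.global.proxy.autoInject }}` is rendered unquoted; the shipped values set it to `enabled`, but an override such as `on` or `yes` may be read as a boolean by a YAML 1.1-style loader, so `policy: "{{ .Values.global.proxy.autoInject }}"` is the safer form. The rendered `injectedAnnotations` entries already quote both key and value, which is the pattern to follow.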
# Test Values
These files are intended to be used to install Istio for E2E tests.
The rendered files can be generated with `make generate_e2e_yaml`.
These files will all have `values-e2e.yaml` applied to them *first*, so if there are settings there that should not be included in the test the must be overridden.
# This file overrides values for e2e testing.
global:
proxy:
concurrency: 0
resources:
requests:
cpu: 10m
memory: 40Mi
accessLogFile: "/dev/stdout"
enableCoreDump: true
disablePolicyChecks: false
outboundTrafficPolicy:
mode: REGISTRY_ONLY
prometheus:
scrapeInterval: 5s
gateways:
istio-ingressgateway:
autoscaleMax: 1
resources:
requests:
cpu: 10m
memory: 40Mi
limits:
cpu: 100m
memory: 128Mi
# Disable the specific nodePort mappings for testing
# These occasionally cause port conflict flakes (#14190)
# Lacking a good way to override just part of a list, this is copied from
# the prod values.yaml with nodePort omitted
ports:
- port: 15020
targetPort: 15020
name: status-port
- port: 80
targetPort: 80
name: http2
- port: 443
name: https
- port: 31400
name: tcp
- port: 15029
targetPort: 15029
name: https-kiali
- port: 15030
targetPort: 15030
name: https-prometheus
- port: 15031
targetPort: 15031
name: https-grafana
- port: 15032
targetPort: 15032
name: https-tracing
- port: 15443
targetPort: 15443
name: tls
istio-egressgateway:
enabled: true
autoscaleMax: 1
resources:
requests:
cpu: 10m
memory: 40Mi
limits:
cpu: 100m
memory: 128Mi
mixer:
policy:
enabled: true
replicaCount: 2
autoscaleEnabled: false
resources:
requests:
cpu: 10m
memory: 100Mi
limits:
cpu: 100m
memory: 100Mi
telemetry:
enabled: true
loadshedding:
mode: disabled
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 100m
memory: 100Mi
adapters:
stdio:
enabled: true
kiali:
enabled: true
sidecarInjectorWebhook:
rewriteAppHTTPProbe: true
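Review bot: `enableCoreDump: true` at the top of this file makes injected sidecars use the image configured by `global.proxy.enableCoreDumpImage`, and in this commit's top-level values.yaml that value is still `ubuntu:xenial` (L7866) — it is neither under the `rancher/` mirror that this PR introduces for the other images nor pinned to a version or digest. Any cluster running these e2e values therefore still pulls an unmirrored, floating tag from Docker Hub, which seems to run against the intent of the change; mirroring and pinning it alongside the other images, or documenting the exception with a comment above `enableCoreDump`, would close that gap. I cannot see the injection template that consumes this value, so whether the image runs as an init container or otherwise is inferred from the comment on L7865 only.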
# This is used to generate istio-auth.yaml with MCP enabled
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
useMCP: true
# This is used to generate istio-auth-multicluster.yaml, used for CI/CD.
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
proxy:
accessLogFile: "/dev/stdout"
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# In a multiple cluster environment, citadel uses the same root certificate in all the clusters
security:
selfSigned: false
global:
mtls:
enabled: true
controlPlaneSecurityEnabled: true
useMCP: false
global:
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
sds:
enabled: true
udsPath: "unix:/var/run/sds/uds_path"
token:
aud: "istio-ca"
proxy:
enableCoreDump: true
nodeagent:
enabled: true
repository: rancher/istio-node-agent-k8s
tag: 1.4.3
env:
CA_PROVIDER: "Citadel"
CA_ADDR: "istio-citadel:8060"
VALID_TOKEN: true
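Review bot: `VALID_TOKEN: true` under `nodeagent.env` is a YAML boolean rather than a string; Kubernetes `env[].value` fields must be strings, so the rendered manifest only validates if the nodeagent template quotes the value itself, and writing `VALID_TOKEN: "true"` here removes that dependency — the same applies to the two other nodeagent blocks ending at L7601 and L7620. Also, these test values set `repository: rancher/istio-node-agent-k8s` and `tag: 1.4.3` for the node agent, yet the top-level values.yaml `nodeagent:` block (L7684–L7685) carries only `enabled: false` while every other component there receives a mirrored `repository`/`tag`; unless the subchart default already points at the mirror, a user enabling nodeagent from values.yaml would pull from the upstream registry, which I would confirm before merging given this PR's purpose.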
# This is used to generate istio-auth.yaml for automated CI/CD test, using v1/alpha1
# or v2/alpha3 with 'gradual migration' (using env variable at inject time).
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
global:
certificates:
- dnsNames: [istio-pilot.istio-system.svc, istio-pilot.istio-system]
- secretName: dns.istio-galley-service-account
dnsNames: [istio-galley.istio-system.svc, istio-galley.istio-system]
- secretName: dns.istio-sidecar-injector-service-account
dnsNames: [istio-sidecar-injector.istio-system.svc, istio-sidecar-injector.istio-system]
# This is used to generate istio.yaml with MCP enabled
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
useMCP: true
# This is used to generate istio-multicluster-split-horizon.yaml, used for CI/CD.
global:
controlPlaneSecurityEnabled: true
mtls:
enabled: true
proxy:
accessLogFile: "/dev/stdout"
outboundTrafficPolicy:
mode: ALLOW_ANY
meshExpansion:
enabled: true
meshNetworks:
network2:
endpoints:
- fromRegistry: N2_REGISTRY_TOKEN
gateways:
- address: 0.0.0.0
port: 443
security:
selfSigned: false
gateways:
istio-egressgateway:
enabled: false
# This is used to generate istio-multicluster.yaml, used for CI/CD.
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
proxy:
accessLogFile: "/dev/stdout"
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# In a multiple cluster environment, citadel uses the same root certificate in all the clusters
security:
selfSigned: false
# This is used to generate istio.yaml used for deprecated CI/CD testing.
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Restrict the applications in one namespace the controller manages
oneNamespace: true
# This is used to generate istio.yaml used for deprecated CI/CD testing.
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
# Default is 10s second
refreshInterval: 1s
# The trust domain corresponds to the trust root of a system
trustDomain: test.local
# Restrict the applications in one namespace the controller manages
oneNamespace: true
# This is used to generate istio.yaml used for deprecated CI/CD testing.
global:
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Restrict the applications in one namespace the controller manages
oneNamespace: true
# This is used to generate istio.yaml for automated CI/CD test, using v1/alpha1
# or v2/alpha3 with 'gradual migration' (using env variable at inject time).
# global:
## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# This is used to generate istio.yaml for minimal, demo mode.
# It is shipped with the release, used for bookinfo or quick installation of istio.
# Includes components used in the demo, defaults to alpha3 rules.
global:
controlPlaneSecurityEnabled: false
proxy:
accessLogFile: "/dev/stdout"
resources:
requests:
cpu: 10m
memory: 40Mi
disablePolicyChecks: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
sidecarInjectorWebhook:
enabled: true
# If true, webhook or istioctl injector will rewrite PodSpec for liveness
# health check to redirect request to sidecar. This makes liveness check work
# even when mTLS is enabled.
rewriteAppHTTPProbe: false
pilot:
autoscaleEnabled: false
traceSampling: 100.0
resources:
requests:
cpu: 10m
memory: 100Mi
mixer:
policy:
enabled: true
autoscaleEnabled: false
resources:
requests:
cpu: 10m
memory: 100Mi
telemetry:
enabled: true
autoscaleEnabled: false
resources:
requests:
cpu: 50m
memory: 100Mi
adapters:
stdio:
enabled: true
grafana:
enabled: true
tracing:
enabled: true
kiali:
enabled: true
createDemoSecret: true
gateways:
istio-ingressgateway:
autoscaleEnabled: false
resources:
requests:
cpu: 10m
memory: 40Mi
istio-egressgateway:
enabled: true
autoscaleEnabled: false
resources:
requests:
cpu: 10m
memory: 40Mi
#
# Minimal Istio Configuration: https://istio.io/docs/setup/kubernetes/additional-setup/config-profiles/
#
pilot:
enabled: true
sidecar: false
gateways:
enabled: false
security:
enabled: false
sidecarInjectorWebhook:
enabled: false
galley:
enabled: false
mixer:
policy:
enabled: false
telemetry:
enabled: false
prometheus:
enabled: false
# Common settings.
global:
proxy:
# Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
# would be <host>:<port>).
# Disabled by default.
# The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
envoyStatsd:
# If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
enabled: false
host: # example: statsd-svc.istio-system
port: # example: 9125
useMCP: false
gateways:
enabled: false
galley:
enabled: false
mixer:
policy:
enabled: false
telemetry:
enabled: false
pilot:
enabled: false
configSource:
subscribedResources:
security:
enabled: true
createMeshPolicy: false
prometheus:
enabled: false
global:
istioRemote: true
enableTracing: false
# Sets an identifier for the remote network to be used for Split Horizon EDS. The network will be sent
# to the Pilot when connected by the sidecar and will affect the results returned in EDS requests.
# Based on the network identifier Pilot will return all local endpoints + endpoints of gateways to
# other networks.
#
# Must match the names in the meshNetworks section in the Istio local.
network: ""
global:
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
sds:
enabled: true
udsPath: "unix:/var/run/sds/uds_path"
token:
aud: "istio-ca"
nodeagent:
enabled: true
repository: rancher/istio-node-agent-k8s
tag: 1.4.3
env:
CA_PROVIDER: "Citadel"
CA_ADDR: "istio-citadel:8060"
VALID_TOKEN: true
global:
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
sds:
enabled: true
udsPath: "unix:/var/run/sds/uds_path"
token:
aud: "istio-ca"
nodeagent:
enabled: true
repository: rancher/istio-node-agent-k8s
tag: 1.4.3
env:
CA_PROVIDER: "Citadel"
CA_ADDR: "istio-citadel:8060"
VALID_TOKEN: true
# Top level istio values file has the following sections.
#
# global: This file is the authoritative and exhaustive source for the global section.
#
# chart sections: Every subdirectory inside the charts/ directory has a top level
# configuration key in this file. This file overrides the values specified
# by the charts/${chartname}/values.yaml.
# Check the chart level values file for exhaustive list of configuration options.
#
# Gateways Configuration, refer to the charts/gateways/values.yaml
# for detailed configuration
#
gateways:
enabled: true
istio-ingressgateway:
labels:
release: cluster-istio
#
# sidecar-injector webhook configuration, refer to the
# charts/sidecarInjectorWebhook/values.yaml for detailed configuration
#
sidecarInjectorWebhook:
repository: rancher/istio-sidecar_injector
tag: 1.4.3
enabled: true
#
# galley configuration, refer to charts/galley/values.yaml
# for detailed configuration
#
galley:
repository: rancher/istio-galley
tag: 1.4.3
enabled: true
#
# mixer configuration
#
# @see charts/mixer/values.yaml for all values
mixer:
repository: rancher/istio-mixer
tag: 1.4.3
policy:
# if policy is enabled the global.disablePolicyChecks has affect.
enabled: true
telemetry:
enabled: true
#
# pilot configuration
#
# @see charts/pilot/values.yaml
pilot:
repository: rancher/istio-pilot
tag: 1.4.3
enabled: true
#
# security configuration
#
security:
repository: rancher/istio-citadel
tag: 1.4.3
enabled: true
#
# nodeagent configuration
#
nodeagent:
enabled: false
#
# addon grafana configuration
#
grafana:
repository: rancher/grafana-grafana
tag: 6.3.6
enabled: false
#
# addon prometheus configuration
#
prometheus:
repository: rancher/prom-prometheus
tag: v2.12.0
enabled: false
#
# addon jaeger tracing configuration
#
tracing:
jaeger:
repository: rancher/jaegertracing-all-in-one
tag: 1.14
zipkin:
repository: rancher/openzipkin-zipkin
tag: 2.14.2
enabled: false
#
# addon kiali tracing configuration
#
kiali:
repository: rancher/kiali-kiali
tag: v1.9
contextPath: /
dashboard:
jaegerURL: http://tracing.istio-system:80
grafanaURL: http://access-grafana.cattle-prometheus:80
auth:
strategy: anonymous
enabled: false
prometheusAddr: http://access-prometheus.cattle-prometheus:80
#
# addon certmanager configuration
#
certmanager:
enabled: false
image:
repository: rancher/jetstack-cert-manager-controller
tag: v0.8.1
#
# Istio CNI plugin enabled
# This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately.
# If true, the privileged initContainer istio-init is not needed to perform the traffic redirect
# settings for the istio-proxy.
#
istio_cni:
enabled: false
# addon Istio CoreDNS configuration
#
istiocoredns:
image:
repository: rancher/coredns-coredns
tag: 1.6.2
pluginImage:
repository: rancher/istio-coredns-plugin
tag: 0.2-istio-1.1
enabled: false
# Common settings used among istio subcharts.
global:
# Specify rancher clusterId of external tracing config
# https://github.com/istio/istio.io/issues/4146#issuecomment-493543032
rancher:
clusterId:
systemDefaultRegistry: ""
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: docker.io/rancher
# Default tag for Istio images.
tag: 1.4.3
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
kubectl:
repository: rancher/istio-kubectl
tag: 1.4.3
# monitoring port used by mixer, pilot, galley and sidecar injector
monitoringPort: 15014
k8sIngress:
enabled: false
# Gateway used for k8s Ingress resources. By default it is
# using 'istio:ingressgateway' that will be installed by setting
# 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled'
# flags to true.
gatewayName: ingressgateway
# enableHttps will add port 443 on the ingress.
# It REQUIRES that the certificates are installed in the
# expected secrets - enabling this option without certificates
# will result in LDS rejection and the ingress will not work.
enableHttps: false
curl:
repository: rancher/pstauffer-curl
tag: v1.0.3
proxy:
# Configuration for the proxy init container
init:
resources:
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 10m
memory: 10Mi
# use fully qualified image names for alternate path to proxy.
repository: rancher/istio-proxyv2
tag: 1.4.3
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Resources for the sidecar.
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
# Controls number of Proxy worker threads.
# If set to 0, then start worker thread for each CPU thread/core.
concurrency: 2
# Configures the access log for each sidecar.
# Options:
# "" - disables access log
# "/dev/stdout" - enables access log
accessLogFile: ""
# Configure how and what fields are displayed in sidecar access log. Setting to
# empty string will result in default log format
accessLogFormat: ""
# Configure the access log for sidecar to JSON or TEXT.
accessLogEncoding: TEXT
# Configure envoy gRPC access log service.
envoyAccessLogService:
enabled: false
host: # example: accesslog-service.istio-system
port: # example: 15000
tlsSettings:
mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
clientCertificate: # example: /etc/istio/als/cert-chain.pem
privateKey: # example: /etc/istio/als/key.pem
caCertificates: # example: /etc/istio/als/root-cert.pem
sni: # example: als.somedomain
subjectAltNames: []
# - als.somedomain
tcpKeepalive:
probes: 3
time: 10s
interval: 10s
# Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: ""
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.
componentLogLevel: ""
# Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS
# This must be given it terms of seconds. For example, 300s is valid but 5m is invalid.
dnsRefreshRate: 300s
# Automatic protocol detection uses a set of heuristics to
# determine whether the connection is using TLS or not (on the
# server side), as well as the application protocol being used
# (e.g., http vs tcp). These heuristics rely on the client sending
# the first bits of data. For server first protocols like MySQL,
# MongoDB, etc., Envoy will timeout on the protocol detection after
# the specified period, defaulting to non mTLS plain TCP
# traffic. Set this field to tweak the period that Envoy will wait
# for the client to send the first bits of data. (MUST BE >=1ms)
protocolDetectionTimeout: 100ms
#If set to true, istio-proxy container will have privileged securityContext
privileged: false
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# Image used to enable core dumps. This is only used, when "enableCoreDump" is set to true.
enableCoreDumpImage: ubuntu:xenial
# Default port for Pilot agent health checks. A value of 0 will disable health checking.
statusPort: 15020
# The initial delay for readiness probes in seconds.
readinessInitialDelaySeconds: 1
# The period between readiness probes.
readinessPeriodSeconds: 2
# The number of successive failed probes before indicating readiness failure.
readinessFailureThreshold: 30
# istio egress capture whitelist
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
# be allowed by the sidecar
includeIPRanges: "*"
excludeIPRanges: ""
excludeOutboundPorts: ""
# pod internal interfaces
kubevirtInterfaces: ""
# istio ingress capture whitelist
# examples:
# Redirect no inbound traffic to Envoy: --includeInboundPorts=""
# Redirect all inbound traffic to Envoy: --includeInboundPorts="*"
# Redirect only selected ports: --includeInboundPorts="80,8080"
includeInboundPorts: "*"
excludeInboundPorts: ""
# This controls the 'policy' in the sidecar injector.
autoInject: enabled
# Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
# would be <host>:<port>).
# Disabled by default.
# The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
envoyStatsd:
# If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
enabled: false
host: # example: statsd-svc.istio-system
port: # example: 9125
# Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector
# via the Metrics Service gRPC API. This contains detailed stats information emitted directly
# by Envoy and should not be confused with the the Istio telemetry. The Envoy stats are also
# available to scrape via the Envoy admin port at either /stats or /stats/prometheus.
#
# See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto
# for details about Envoy's Metrics Service API.
#
# Disabled by default.
envoyMetricsService:
enabled: false
host: # example: metrics-service.istio-system
port: # example: 15000
tlsSettings:
mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
clientCertificate: # example: /etc/istio/ms/cert-chain.pem
privateKey: # example: /etc/istio/ms/key.pem
caCertificates: # example: /etc/istio/ms/root-cert.pem
sni: # example: ms.somedomain
subjectAltNames: []
# - ms.somedomain
tcpKeepalive:
probes: 3
time: 10s
interval: 10s
# Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
# If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
tracer: "zipkin"
proxy_init:
# Base name for the istio-init container, used to configure iptables.
repository: rancher/istio-proxyv2
tag: 1.4.3
# imagePullPolicy is applied to istio control plane components.
# local tests require IfNotPresent, to avoid uploading to dockerhub.
# TODO: Switch to Always as default, and override in the local tests.
imagePullPolicy: IfNotPresent
# controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
# disablePolicyChecks disables mixer policy checks.
# if mixer.policy.enabled==true then disablePolicyChecks has affect.
# Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
disablePolicyChecks: true
# policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
# Default is false which means the traffic is denied when the client is unable to connect to Mixer.
policyCheckFailOpen: false
# EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
enableTracing: true
# Configuration for each of the supported tracers
tracer:
# Configuration for envoy to send trace data to LightStep.
# Disabled by default.
# address: the <host>:<port> of the satellite pool
# accessToken: required for sending data to the pool
# secure: specifies whether data should be sent with TLS
# cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is
# required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination
# namespace with the key matching the base of the provided cacertPath and the value being the cacert itself.
#
lightstep:
address: "" # example: lightstep-satellite:443
accessToken: "" # example: abcdefg1234567
secure: true # example: true|false
cacertPath: "" # example: /etc/lightstep/cacert.pem
zipkin:
# Host:Port for reporting trace data in zipkin format. If not specified, will default to
# zipkin service (port 9411) in the same namespace as the other istio components.
address: ""
datadog:
# Host:Port for submitting traces to the Datadog agent.
address: "$(HOST_IP):8126"
stackdriver:
# enables trace output to stdout.
debug: false
# The global default max number of attributes per span.
maxNumberOfAttributes: 200
# The global default max number of annotation events per span.
maxNumberOfAnnotations: 200
# The global default max number of message events per span.
maxNumberOfMessageEvents: 200
# Default mtls policy. If true, mtls between services will be enabled by default.
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
# If set to true, and a given service does not have a corresponding DestinationRule configured,
# or its DestinationRule does not have TLSSettings specified, Istio configures client side
# TLS configuration automatically, based on the server side mTLS authentication policy and the
# availibity of sidecars.
auto: false
# Lists the secrets you need to use to pull Istio images from a private registry.
imagePullSecrets: []
# - private-registry-key
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Whether to restrict the applications namespace the controller manages;
# If not set, controller watches all namespaces
oneNamespace: false
# Default node selector to be applied to all deployments so that all pods can be
# constrained to run a particular nodes. Each component can overwrite these default
# values by adding its node selector block in the relevant section below and setting
# the desired values.
defaultNodeSelector: {}
# Default node tolerations to be applied to all deployments so that all pods can be
# scheduled to a particular nodes with matching taints. Each component can overwrite
# these default values by adding its tolerations block in the relevant section below
# and setting the desired values.
# Configure this field in case that all pods of Istio control plane are expected to
# be scheduled to particular nodes with specified taints.
defaultTolerations: []
# Whether to perform server-side validation of configuration.
configValidation: true
# Custom DNS config for the pod to resolve names of services in other
# clusters. Use this to add additional search domains, and other settings.
# see
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
# This does not apply to gateway pods as they typically need a different
# set of DNS settings than the normal application pods (e.g., in
# multicluster scenarios).
# NOTE: If using templates, follow the pattern in the commented example below.
# podDNSSearchNamespaces:
# - global
# - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
# If set to true, the pilot and citadel mtls will be exposed on the
# ingress gateway
meshExpansion:
enabled: false
# If set to true, the pilot and citadel mtls and the plaintext pilot ports
# will be exposed on an internal gateway
useILB: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# enable pod distruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: false
# The values aren't mutable due to a current PodDisruptionBudget limitation
# minAvailable: 1
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
# Use the Mesh Control Protocol (MCP) for configuring Mixer and
# Pilot. Requires galley (`--set galley.enabled=true`).
useMCP: true
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
# Indicate the domain used in SPIFFE identity URL
# The default depends on the environment.
# kubernetes: cluster.local
# else: default dns domain
trustDomain: ""
# The trust domain aliases represent the aliases of trust_domain.
# For example, if we have
# trustDomain: td1
# trustDomainAliases: [“td2”, "td3"]
# Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
# or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
trustDomainAliases: []
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Set the default behavior of the sidecar for handling outbound traffic from the application:
# ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
# services or ServiceEntries for the destination port
# REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
# as those defined through ServiceEntries
# ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests
# to services outside of the mesh without any ServiceEntry.
# REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY.
outboundTrafficPolicy:
mode: ALLOW_ANY
# The namespace where globally shared configurations should be present.
# DestinationRules that apply to the entire mesh (e.g., enabling mTLS),
# default Sidecar configs, etc. should be added to this namespace.
# configRootNamespace: istio-config
# set the default set of namespaces to which services, service entries, virtual services, destination
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
# defaultConfigVisibilitySettings:
#- '*'
nodeagent:
repository: rancher/istio-node-agent-k8s
tag: 1.4.3
sds:
# SDS enabled. IF set to true, mTLS certificates for the sidecars will be
# distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
enabled: false
udsPath: ""
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
# Configure the mesh networks to be used by the Split Horizon EDS.
#
# The following example defines two networks with different endpoints association methods.
# For `network1` all endpoints that their IP belongs to the provided CIDR range will be
# mapped to network1. The gateway for this network example is specified by its public IP
# address and port.
# The second network, `network2`, in this example is defined differently with all endpoints
# retrieved through the specified Multi-Cluster registry being mapped to network2. The
# gateway is also defined differently with the name of the gateway service on the remote
# cluster. The public IP for the gateway will be determined from that remote service (only
# LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
# it still need to be configured manually).
#
# meshNetworks:
# network1:
# endpoints:
# - fromCidr: "192.168.0.1/24"
# gateways:
# - address: 1.1.1.1
# port: 80
# network2:
# endpoints:
# - fromRegistry: reg1
# gateways:
# - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
# port: 443
#
meshNetworks: {}
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Specifies the global locality load balancing settings.
# Locality-weighted load balancing allows administrators to control the distribution of traffic to
# endpoints based on the localities of where the traffic originates and where it will terminate.
# Either failover or distribute configuration can be set, but not both. If neither are provided
# failover mode will be used.
#
# localityLbSetting:
# enabled: true
# distribute:
# - from: "us-central1/*"
# to:
# "us-central1/*": 80
# "us-central2/*": 20
#
# localityLbSetting:
# enabled: true
# failover:
# - from: us-east
# to: eu-west
# - from: us-west
# to: us-east
localityLbSetting:
enabled: true
# Specifies whether helm test is enabled or not.
# This field is set to false by default, so 'helm template ...'
# will ignore the helm test yaml files when generating the template
enableHelmTest: false
# Configures DNS certificates provisioned through Chiron linked into Pilot.
# The DNS names in this file are all hard-coded; please ensure the namespaces
# in dnsNames are consistent with those of your services.
# Example:
# certificates:
# - secretName: dns.istio-galley-service-account
# dnsNames: [istio-galley.istio-system.svc, istio-galley.istio-system]
# - secretName: dns.istio-sidecar-injector-service-account
# dnsNames: [istio-sidecar-injector.istio-system.svc, istio-sidecar-injector.istio-system]
certificates: []
# Configure whether Operator manages webhook configurations. The current behavior
# of Galley and Sidecar Injector is that they manage their own webhook configurations.
# When this option is set as true, Istio Operator, instead of webhooks, manages the
# webhook configurations. When this option is set as false, webhooks manage their
# own webhook configurations.
operatorManageWebhooks: false