Merge pull request #150 from rancher/dev

v2.3.4

charts/rancher-cis-benchmark/v0.0.1/templates/configmap.yaml

@@ -87,7 +87,11 @@ data:
         value: /tmp/results
       - name: CHROOT_DIR
         value: /node
-      {{- if .Values.debug }}
+      {{- if .Values.overrideBenchmarkVersion }}
+      - name: OVERRIDE_BENCHMARK_VERSION
+        value: {{ .Values.overrideBenchmarkVersion }}
+      {{- end }}
+      {{- if .Values.debugWorker }}
       - name: DEBUG
         value: "true"
       - name: DEBUG_TIME_IN_SEC

charts/rancher-cis-benchmark/v0.0.1/templates/pod.yaml

@@ -32,8 +32,10 @@ spec:
     - name: {{ .Chart.Name }}
       restartPolicy: Never
       env:
-        - name: SKIP
-          value: {{ .Values.skip }}
+        {{- if .Values.overrideBenchmarkVersion }}
+        - name: OVERRIDE_BENCHMARK_VERSION
+          value: {{ .Values.overrideBenchmarkVersion }}
+        {{- end }}
         - name: SONOBUOY_NS
           value: {{ .Release.Namespace }}
         - name: SONOBUOY_POD_NAME
@@ -46,6 +48,12 @@ spec:
         - name: OUTPUT_CONFIGMAPNAME
           value: {{ .Release.Name }}
         {{- end }}
+        {{- if .Values.debugMaster }}
+        - name: DEBUG
+          value: "true"
+        - name: DEBUG_TIME_IN_SEC
+          value: {{ .Values.debugTime }}
+        {{- end }}
       image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
       imagePullPolicy: {{ .Values.image.pullPolicy }}
       ports:

charts/rancher-cis-benchmark/v0.0.1/values.yaml

@@ -6,19 +6,21 @@ replicaCount: 1
 
 # if owner is specified, it's used for the name of the configmap for results
 owner: ""
-# skip is used specify which tests to skip
-skip: ""
 # skipConfigMapName is used to specify the name of cm where the skip info is stored
 # skip has higher precedence than what's specified in the configmap
 skipConfigMapName: ""
+# overrideBenchmarkVersion is used to override the default benchmark version used for
+# a particular k8s version
+overrideBenchmarkVersion: ""
 
 # when debug=true, the plugin pods sleep for the time specified
-debug: false
+debugMaster: false
+debugWorker: false
 debugTime: "infinity"
 
 image:
   repository: rancher/security-scan
-  tag: v0.1.2
+  tag: v0.1.6
   pullPolicy: Always
 
 nameOverride: ""

charts/rancher-istio/0.1.0/questions.yml

 labels:
   rancher.istio.v0.1.0: 1.3.1
 rancher_min_version: 2.3.0-rc1
-
+rancher_max_version: 2.3.3

charts/rancher-istio/0.1.1/questions.yml

 labels:
   rancher.istio.v0.1.1: 1.3.3
 rancher_min_version: 2.3.0-rc1
-
+rancher_max_version: 2.3.3

charts/rancher-istio/1.4.3/.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/rancher-istio/1.4.3/Chart.yaml

+apiVersion: v1
+appVersion: 1.4.3
+description: Helm chart for all istio components
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
+keywords:
+- istio
+- security
+- sidecarInjectorWebhook
+- mixer
+- pilot
+- galley
+name: rancher-istio
+sources:
+- http://github.com/istio/istio
+tillerVersion: '>=2.7.2-0'
+version: 1.4.3

charts/rancher-istio/1.4.3/README.md

+# Istio
+
+[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
+
+The documentation here is for developers only, please follow the installation instructions from [istio.io](https://istio.io/docs/setup/kubernetes/install/helm/) for all other uses.
+
+## Introduction
+
+This chart bootstraps all Istio [components](https://istio.io/docs/concepts/what-is-istio/) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Chart Details
+
+This chart can install multiple Istio components as subcharts:
+- ingressgateway
+- egressgateway
+- sidecarInjectorWebhook
+- galley
+- mixer
+- pilot
+- security(citadel)
+- grafana
+- prometheus
+- tracing(jaeger)
+- kiali
+
+To enable or disable each component, change the corresponding `enabled` flag.
+
+## Prerequisites
+
+- Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required
+- Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required
+- If you want to enable automatic sidecar injection, Kubernetes 1.9+ with `admissionregistration` API is required, and `kube-apiserver` process must have the `admission-control` flag set with the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers added and listed in the correct order.
+- The `istio-init` chart must be run to completion prior to install the `istio` chart.
+
+## Resources Required
+
+The chart deploys pods that consume minimum resources as specified in the resources configuration parameter.
+
+## Installing the Chart
+
+1. If a service account has not already been installed for Tiller, install one:
+
+    ```bash
+    $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
+    ```
+
+1. Install Tiller on your cluster with the service account:
+
+    ```bash
+    $ helm init --service-account tiller
+    ```
+
+1. Set and create the namespace where Istio was installed:
+
+    ```bash
+    $ NAMESPACE=istio-system
+    $ kubectl create ns $NAMESPACE
+    ```
+
+1. If you are enabling `kiali`, you need to create the secret that contains the username and passphrase for `kiali` dashboard:
+
+    ```bash
+    $ echo -n 'admin' | base64
+    YWRtaW4=
+    $ echo -n '1f2d1e2e67df' | base64
+    MWYyZDFlMmU2N2Rm
+    $ cat <<EOF | kubectl apply -f -
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: kiali
+      namespace: $NAMESPACE
+      labels:
+        app: kiali
+    type: Opaque
+    data:
+      username: YWRtaW4=
+      passphrase: MWYyZDFlMmU2N2Rm
+    EOF
+    ```
+
+1. If you are using security mode for Grafana, create the secret first as follows:
+
+    - Encode username, you can change the username to the name as you want:
+
+        ```bash
+        $ echo -n 'admin' | base64
+        YWRtaW4=
+        ```
+
+    - Encode passphrase, you can change the passphrase to the passphrase as you want:
+
+        ```bash
+        $ echo -n '1f2d1e2e67df' | base64
+        MWYyZDFlMmU2N2Rm
+        ```
+
+    - Create secret for Grafana:
+
+        ```bash
+        $ cat <<EOF | kubectl apply -f -
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: grafana
+          namespace: $NAMESPACE
+          labels:
+            app: grafana
+        type: Opaque
+        data:
+          username: YWRtaW4=
+          passphrase: MWYyZDFlMmU2N2Rm
+        EOF
+        ```
+
+1. To install the chart with the release name `istio` in namespace $NAMESPACE you defined above:
+
+    - With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0):
+
+        ```bash
+        $ helm install istio --name istio --namespace $NAMESPACE
+        ```
+
+    - Without the sidecar injection webhook:
+
+        ```bash
+        $ helm install istio --name istio --namespace $NAMESPACE --set sidecarInjectorWebhook.enabled=false
+        ```
+
+## Configuration
+
+The Helm chart ships with reasonable defaults.  There may be circumstances in which defaults require overrides.
+To override Helm values, use `--set key=value` argument during the `helm install` command.  Multiple `--set` operations may be used in the same Helm operation.
+
+Helm charts expose configuration options which are currently in alpha.  The currently exposed options can be found [here](https://istio.io/docs/reference/config/installation-options/).
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio` release but continue to track the release:
+
+```bash
+$ helm delete istio
+```
+
+To uninstall/delete the `istio` release completely and make its name free for later use:
+
+```bash
+$ helm delete --purge istio
+```

charts/rancher-istio/1.4.3/charts/certmanager/Chart.yaml

+apiVersion: v1
+appVersion: 0.6.2
+description: A Helm chart for Kubernetes
+name: certmanager
+tillerVersion: '>=2.7.2'
+version: 1.4.3

charts/rancher-istio/1.4.3/charts/certmanager/templates/NOTES.txt

+certmanager has been deployed successfully!
+
+More information on the different types of issuers and how to configure them
+can be found in our documentation:
+
+https://cert-manager.readthedocs.io/en/latest/reference/issuers.html
\ No newline at end of file

charts/rancher-istio/1.4.3/charts/certmanager/templates/_helpers.tpl

+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "certmanager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "certmanager.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "certmanager.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

charts/rancher-istio/1.4.3/charts/certmanager/templates/deployment.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: certmanager
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: certmanager
+    chart: {{ template "certmanager.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: certmanager
+  template:
+    metadata:
+      labels:
+        app: certmanager
+        chart: {{ template "certmanager.chart" . }}
+        heritage: {{ .Release.Service }}
+        release: {{ .Release.Name }}
+        {{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+        {{- end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+      serviceAccountName: certmanager
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+      containers:
+      - name: certmanager
+        image: "{{ .Values.hub }}/{{ .Values.image }}:{{ .Values.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        args:
+        - --cluster-resource-namespace=$(POD_NAMESPACE)
+        - --leader-election-namespace=$(POD_NAMESPACE)
+      {{- if .Values.extraArgs }}
+{{ toYaml .Values.extraArgs | indent 8 }}
+      {{- end }}
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        resources:
+{{ toYaml .Values.resources | indent 10 }}
+      {{- if .Values.podDnsPolicy }}
+      dnsPolicy: {{ .Values.podDnsPolicy }}
+      {{- end }}
+      {{- if .Values.podDnsConfig }}
+      dnsConfig:
+{{ toYaml .Values.podDnsConfig | indent 8 }}
+      {{- end }}
+      affinity:
+      {{- include "nodeaffinity" . | indent 6 }}
+      {{- include "podAntiAffinity" . | indent 6 }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+      {{- else if .Values.global.defaultTolerations }}
+      tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+      {{- end }}

charts/rancher-istio/1.4.3/charts/certmanager/templates/issuer.yaml

+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: certmanager
+    chart: {{ template "certmanager.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: {{ .Values.email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: certmanager
+    chart: {{ template "certmanager.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: {{ .Values.email }}
+    privateKeySecretRef:
+      name: letsencrypt
+    http01: {}

charts/rancher-istio/1.4.3/charts/certmanager/templates/poddisruptionbudget.yaml

+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: certmanager
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: certmanager
+    chart: {{ template "certmanager.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    version: {{ .Chart.Version }}
+    {{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 4 }}
+    {{- end }}
+spec:
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+  selector:
+    matchLabels:
+      app: certmanager
+      release: {{ .Release.Name }}
+{{- end }}

charts/rancher-istio/1.4.3/charts/certmanager/templates/rbac.yaml

+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: certmanager
+  labels:
+    app: certmanager
+    chart: {{ template "certmanager.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+rules:
+  - apiGroups: ["certmanager.k8s.io"]
+    resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["configmaps", "secrets", "events", "services", "pods"]
+    verbs: ["*"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: certmanager
+  labels:
+    app: certmanager
+    chart: {{ template "certmanager.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: certmanager
+subjects:
+  - name: certmanager
+    namespace: {{ .Release.Namespace }}
+    kind: ServiceAccount

charts/rancher-istio/1.4.3/charts/certmanager/templates/serviceaccount.yaml

+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: certmanager
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: certmanager
+    chart: {{ template "certmanager.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}

charts/rancher-istio/1.4.3/charts/certmanager/values.yaml

+# Certmanager uses ACME to sign certificates. Since Istio gateways are
+# mounting the TLS secrets the Certificate CRDs must be created in the
+# istio-system namespace. Once the certificate has been created, the
+# gateway must be updated by adding 'secretVolumes'. After the gateway
+# restart, DestinationRules can be created using the ACME-signed certificates.
+enabled: false
+replicaCount: 1
+hub: quay.io/jetstack
+image: cert-manager-controller
+tag: v0.8.1
+resources: {}
+nodeSelector: {}
+tolerations: []
+podAnnotations: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+#    "requiredDuringSchedulingIgnoredDuringExecution"
+#    "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote "hard" vs. "soft" requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+#   operator: In
+#   values: S1,S2
+#   topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# "security" and value "S1".
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []

charts/rancher-istio/1.4.3/charts/galley/Chart.yaml

+apiVersion: v1
+appVersion: 1.4.3
+description: Helm chart for galley deployment
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
+keywords:
+- istio
+- galley
+name: galley
+sources:
+- http://github.com/istio/istio
+tillerVersion: '>=2.7.2'
+version: 1.4.3

charts/rancher-istio/1.4.3/charts/galley/templates/_helpers.tpl

+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "galley.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "galley.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "galley.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

charts/rancher-istio/1.4.3/charts/galley/templates/clusterrole.yaml

+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-galley-{{ .Release.Namespace }}
+  labels:
+    app: {{ template "galley.name" . }}
+    chart: {{ template "galley.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+rules:
+  # For reading Istio resources
+- apiGroups: [
+  "authentication.istio.io",
+  "config.istio.io",
+  "networking.istio.io",
+  "rbac.istio.io",
+  "security.istio.io"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+  # For updating Istio resource statuses
+- apiGroups: [
+  "authentication.istio.io",
+  "config.istio.io",
+  "networking.istio.io",
+  "rbac.istio.io",
+  "security.istio.io"]
+  resources: ["*/status"]
+  verbs: ["update"]
+{{- if not .Values.global.operatorManageWebhooks }}
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingwebhookconfigurations"]
+  verbs: ["*"]
+{{- end }}
+- apiGroups: ["extensions","apps"]
+  resources: ["deployments"]
+  resourceNames: ["istio-galley"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["pods", "nodes", "services", "endpoints", "namespaces"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+  resources: ["ingresses"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+  resources: ["deployments/finalizers"]
+  resourceNames: ["istio-galley"]
+  verbs: ["update"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "list", "watch"]

charts/rancher-istio/1.4.3/charts/galley/templates/clusterrolebinding.yaml

+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-galley-admin-role-binding-{{ .Release.Namespace }}
+  labels:
+    app: {{ template "galley.name" . }}
+    chart: {{ template "galley.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-galley-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-galley-service-account
+    namespace: {{ .Release.Namespace }}

charts/rancher-istio/1.4.3/charts/galley/templates/configmap.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-galley-configuration
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "galley.name" . }}
+    chart: {{ template "galley.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    istio: galley
+data:
+{{- if .Values.global.configValidation }}
+  validatingwebhookconfiguration.yaml: |-
+    {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}}
+{{- end}}

charts/rancher-istio/1.4.3/charts/galley/templates/deployment.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-galley
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "galley.name" . }}
+    chart: {{ template "galley.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    istio: galley
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      istio: galley
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "galley.name" . }}
+        chart: {{ template "galley.chart" . }}
+        heritage: {{ .Release.Service }}
+        release: {{ .Release.Name }}
+        istio: galley
+      annotations:
+        sidecar.istio.io/inject: "false"
+         {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+      serviceAccountName: istio-galley-service-account
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+      containers:
+        - name: galley
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+{{- end }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+          ports:
+          - containerPort: 443
+          - containerPort: {{ .Values.global.monitoringPort }}
+          - containerPort: 9901
+          command:
+          - /usr/local/bin/galley
+          - server
+          - --meshConfigFile=/etc/mesh-config/mesh
+          - --livenessProbeInterval=1s
+          - --livenessProbePath=/healthliveness
+          - --readinessProbePath=/healthready
+          - --readinessProbeInterval=1s
+          - --deployment-namespace={{ .Release.Namespace }}
+{{- if $.Values.global.controlPlaneSecurityEnabled}}
+          - --insecure=false
+{{- else }}
+          - --insecure=true
+{{- end }}
+{{- if .Values.enableServiceDiscovery }}
+          - --enableServiceDiscovery=true
+{{- end }}
+{{- if not $.Values.global.useMCP }}
+          - --enable-server=false
+{{- end }}
+{{- if not $.Values.global.configValidation }}
+          - --enable-validation=false
+{{- end }}
+{{- if .Values.global.operatorManageWebhooks }}
+          - --enable-reconcileWebhookConfiguration=false
+{{- else }}
+          - --enable-reconcileWebhookConfiguration=true
+{{- end }}
+          - --validation-webhook-config-file
+          - /etc/config/validatingwebhookconfiguration.yaml
+          - --monitoringPort={{ .Values.global.monitoringPort }}
+{{- if $.Values.global.logging.level }}
+          - --log_output_level={{ $.Values.global.logging.level }}
+{{- end}}
+{{- if .Values.enableAnalysis }}
+          - --enableAnalysis=true
+{{- end }}
+{{- if .Values.global.certificates }}
+          - --validation.tls.clientCertificate=/etc/dnscerts/cert-chain.pem
+          - --validation.tls.privateKey=/etc/dnscerts/key.pem
+          - --validation.tls.caCertificates=/etc/dnscerts/root-cert.pem
+{{- end }}
+          volumeMounts:
+          - name: certs
+            mountPath: /etc/certs
+            readOnly: true
+{{- if .Values.global.certificates }}
+          - name: dnscerts
+            mountPath: /etc/dnscerts
+            readOnly: true
+{{- end }}
+          - name: config
+            mountPath: /etc/config
+            readOnly: true
+          - name: mesh-config
+            mountPath: /etc/mesh-config
+            readOnly: true
+          livenessProbe:
+            exec:
+              command:
+                - /usr/local/bin/galley
+                - probe
+                - --probe-path=/healthliveness
+                - --interval=10s
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          readinessProbe:
+            exec:
+              command:
+                - /usr/local/bin/galley
+                - probe
+                - --probe-path=/healthready
+                - --interval=10s
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+      volumes:
+      - name: certs
+        secret:
+          secretName: istio.istio-galley-service-account
+{{- if .Values.global.certificates }}
+      - name: dnscerts
+        secret:
+          secretName: dns.istio-galley-service-account
+{{- end }}
+      - name: config
+        configMap:
+          name: istio-galley-configuration
+      - name: mesh-config
+        configMap:
+          name: istio
+      affinity:
+      {{- include "nodeaffinity" . | indent 6 }}
+      {{- include "podAntiAffinity" . | indent 6 }}
+      {{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+      {{- else if .Values.global.defaultTolerations }}
+      tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+      {{- end }}
\ No newline at end of file

charts/rancher-istio/1.4.3/charts/galley/templates/poddisruptionbudget.yaml

+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: istio-galley
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "galley.name" . }}
+    chart: {{ template "galley.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    istio: galley
+spec:
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "galley.name" . }}
+      release: {{ .Release.Name }}
+      istio: galley
+{{- end }}

charts/rancher-istio/1.4.3/charts/galley/templates/service.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-galley
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "galley.name" . }}
+    chart: {{ template "galley.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    istio: galley
+spec:
+  ports:
+  - port: 443
+    name: https-validation
+  - port: {{ .Values.global.monitoringPort }}
+    name: http-monitoring
+  - port: 9901
+    name: grpc-mcp
+  selector:
+    istio: galley

charts/rancher-istio/1.4.3/charts/galley/templates/serviceaccount.yaml

+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: istio-galley-service-account
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "galley.name" . }}
+    chart: {{ template "galley.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}

charts/rancher-istio/1.4.3/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl

+{{ define "validatingwebhookconfiguration.yaml.tpl" }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-galley
+  labels:
+    app: {{ template "galley.name" . }}
+    chart: {{ template "galley.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    istio: galley
+webhooks:
+  - name: pilot.validation.istio.io
+    clientConfig:
+      service:
+        name: istio-galley
+        namespace: {{ .Release.Namespace }}
+        path: "/admitpilot"
+      caBundle: ""
+    rules:
+      - operations:
+        - CREATE
+        - UPDATE
+        apiGroups:
+        - config.istio.io
+        apiVersions:
+        - v1alpha2
+        resources:
+        - httpapispecs
+        - httpapispecbindings
+        - quotaspecs
+        - quotaspecbindings
+      - operations:
+        - CREATE
+        - UPDATE
+        apiGroups:
+        - rbac.istio.io
+        apiVersions:
+        - "*"
+        resources:
+        - "*"
+      - operations:
+        - CREATE
+        - UPDATE
+        apiGroups:
+        - security.istio.io
+        apiVersions:
+        - "*"
+        resources:
+        - "*"
+      - operations:
+        - CREATE
+        - UPDATE
+        apiGroups:
+        - authentication.istio.io
+        apiVersions:
+        - "*"
+        resources:
+        - "*"
+      - operations:
+        - CREATE
+        - UPDATE
+        apiGroups:
+        - networking.istio.io
+        apiVersions:
+        - "*"
+        resources:
+        - destinationrules
+        - envoyfilters
+        - gateways
+        - serviceentries
+        - sidecars
+        - virtualservices
+    failurePolicy: Fail
+    sideEffects: None
+  - name: mixer.validation.istio.io
+    clientConfig:
+      service:
+        name: istio-galley
+        namespace: {{ .Release.Namespace }}
+        path: "/admitmixer"
+      caBundle: ""
+    rules:
+      - operations:
+        - CREATE
+        - UPDATE
+        apiGroups:
+        - config.istio.io
+        apiVersions:
+        - v1alpha2
+        resources:
+        - rules
+        - attributemanifests
+        - circonuses
+        - deniers
+        - fluentds
+        - kubernetesenvs
+        - listcheckers
+        - memquotas
+        - noops
+        - opas
+        - prometheuses
+        - rbacs
+        - solarwindses
+        - stackdrivers
+        - cloudwatches
+        - dogstatsds
+        - statsds
+        - stdios
+        - apikeys
+        - authorizations
+        - checknothings
+        # - kuberneteses
+        - listentries
+        - logentries
+        - metrics
+        - quotas
+        - reportnothings
+        - tracespans
+        - adapters
+        - handlers
+        - instances
+        - templates
+        - zipkins
+    failurePolicy: Fail
+    sideEffects: None
+{{- end }}

charts/rancher-istio/1.4.3/charts/galley/values.yaml

+#
+# galley configuration
+#
+enabled: true
+replicaCount: 1
+rollingMaxSurge: 100%
+rollingMaxUnavailable: 25%
+image: galley
+nodeSelector: {}
+tolerations: []
+podAnnotations: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+#    "requiredDuringSchedulingIgnoredDuringExecution"
+#    "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote "hard" vs. "soft" requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+#   operator: In
+#   values: S1,S2
+#   topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# "security" and value "S1".
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+# Enable service discovery processing in Galley
+enableServiceDiscovery: false
+
+# Enable analysis and status update in Galley
+enableAnalysis: false

charts/rancher-istio/1.4.3/charts/gateways/Chart.yaml

+apiVersion: v1
+appVersion: 1.4.3
+description: Helm chart for deploying Istio gateways
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
+keywords:
+- istio
+- ingressgateway
+- egressgateway
+- gateways
+name: gateways
+sources:
+- http://github.com/istio/istio
+tillerVersion: '>=2.7.2'
+version: 1.4.3

charts/rancher-istio/1.4.3/charts/gateways/templates/_affinity.tpl

+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{- define "gatewaynodeaffinity" }}
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    {{- include "gatewayNodeAffinityRequiredDuringScheduling" . }}
+    preferredDuringSchedulingIgnoredDuringExecution:
+    {{- include "gatewayNodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "gatewayNodeAffinityRequiredDuringScheduling" }}
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: beta.kubernetes.io/arch
+          operator: In
+          values:
+        {{- range $key, $val := .root.Values.global.arch }}
+          {{- if gt ($val | int) 0 }}
+          - {{ $key | quote }}
+          {{- end }}
+        {{- end }}
+        {{- $nodeSelector := default .root.Values.global.defaultNodeSelector .nodeSelector -}}
+        {{- range $key, $val := $nodeSelector }}
+        - key: {{ $key }}
+          operator: In
+          values:
+          - {{ $val | quote }}
+        {{- end }}
+{{- end }}
+
+{{- define "gatewayNodeAffinityPreferredDuringScheduling" }}
+  {{- range $key, $val := .root.Values.global.arch }}
+    {{- if gt ($val | int) 0 }}
+    - weight: {{ $val | int }}
+      preference:
+        matchExpressions:
+        - key: beta.kubernetes.io/arch
+          operator: In
+          values:
+          - {{ $key | quote }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinity" }}
+{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
+  podAntiAffinity:
+    {{- if .podAntiAffinityLabelSelector }}
+    requiredDuringSchedulingIgnoredDuringExecution:
+    {{- include "gatewaypodAntiAffinityRequiredDuringScheduling" . }}
+    {{- end }}
+    {{- if .podAntiAffinityTermLabelSelector }}
+    preferredDuringSchedulingIgnoredDuringExecution:
+    {{- include "gatewaypodAntiAffinityPreferredDuringScheduling" . }}
+    {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinityRequiredDuringScheduling" }}
+    {{- range $index, $item := .podAntiAffinityLabelSelector }}
+    - labelSelector:
+        matchExpressions:
+        - key: {{ $item.key }}
+          operator: {{ $item.operator }}
+          {{- if $item.values }}
+          values:
+          {{- $vals := split "," $item.values }}
+          {{- range $i, $v := $vals }}
+          - {{ $v | quote }}
+          {{- end }}
+          {{- end }}
+      topologyKey: {{ $item.topologyKey }}
+    {{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinityPreferredDuringScheduling" }}
+    {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
+    - podAffinityTerm:
+        labelSelector:
+          matchExpressions:
+          - key: {{ $item.key }}
+            operator: {{ $item.operator }}
+            {{- if $item.values }}
+            values:
+            {{- $vals := split "," $item.values }}
+            {{- range $i, $v := $vals }}
+            - {{ $v | quote }}
+            {{- end }}
+            {{- end }}
+        topologyKey: {{ $item.topologyKey }}
+      weight: 100
+    {{- end }}
+{{- end }}

charts/rancher-istio/1.4.3/charts/gateways/templates/_helpers.tpl

+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gateway.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gateway.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

charts/rancher-istio/1.4.3/charts/gateways/templates/autoscale.yaml

+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ $key }}
+  namespace: {{ $spec.namespace | default $.Release.Namespace }}
+  labels:
+    chart: {{ template "gateway.chart" $ }}
+    heritage: {{ $.Release.Service }}
+    release: {{ $.Release.Name }}
+    {{- range $key, $val := $spec.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+spec:
+  maxReplicas: {{ $spec.autoscaleMax }}
+  minReplicas: {{ $spec.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ $key }}
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
+---
+{{- end }}
+{{- end }}
+{{- end }}

charts/rancher-istio/1.4.3/charts/gateways/templates/poddisruptionbudget.yaml

+{{- range $key, $spec := .Values }}
+{{- if and (ne $key "enabled") }}
+{{- if $spec.enabled }}
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ $key }}
+  namespace: {{ $spec.namespace | default $.Release.Namespace }}
+  labels:
+    chart: {{ template "gateway.chart" $ }}
+    heritage: {{ $.Release.Service }}
+    release: {{ $.Release.Name }}
+    {{- range $key, $val := $spec.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+spec:
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+  selector:
+    matchLabels:
+      release: {{ $.Release.Name }}
+      {{- range $key, $val := $spec.labels }}
+      {{ $key }}: {{ $val }}
+      {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/rancher-istio/1.4.3/charts/gateways/templates/preconfigured.yaml

+{{- if .Values.global.k8sIngress.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: istio-autogenerated-k8s-ingress
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "gateway.name" . }}
+    chart: {{ template "gateway.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  selector:
+    istio: {{ .Values.global.k8sIngress.gatewayName }}
+  servers:
+  - port:
+      number: 80
+      protocol: HTTP2
+      name: http
+    hosts:
+    - "*"
+{{ if .Values.global.k8sIngress.enableHttps }}
+  - port:
+      number: 443
+      protocol: HTTPS
+      name: https-default
+    tls:
+      mode: SIMPLE
+      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+      privateKey: /etc/istio/ingressgateway-certs/tls.key
+    hosts:
+    - "*"
+{{ end }}    
+---    
+{{ end }}
+
+{{- if .Values.global.meshExpansion.enabled }}
+{{- if .Values.global.meshExpansion.useILB }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: meshexpansion-ilb-gateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "gateway.name" . }}
+    chart: {{ template "gateway.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  selector:
+    istio: ilbgateway
+  servers:
+  - port:
+      number: 15011
+      protocol: TCP
+      name: tcp-pilot
+    hosts:
+    - "*"
+  - port:
+      number: 8060
+      protocol: TCP
+      name: tcp-citadel
+    hosts:
+    - "*"
+  - port:
+      number: 15004
+      name: tls-mixer
+      protocol: TLS
+    tls:
+      mode: AUTO_PASSTHROUGH
+    hosts:
+    - "*"
+---
+{{- else }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: meshexpansion-gateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "gateway.name" . }}
+    chart: {{ template "gateway.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  selector:
+  {{- range $key, $spec := .Values }}
+  {{- if eq $key "istio-ingressgateway" }}
+  {{- if $spec.enabled }}
+    {{- range $key, $val := $spec.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  servers:
+  - port:
+      number: 15011
+      protocol: TCP
+      name: tcp-pilot
+    hosts:
+    - "*"
+  - port:
+      number: 8060
+      protocol: TCP
+      name: tcp-citadel
+    hosts:
+    - "*"
+  - port:
+      number: 15004
+      name: tls-mixer
+      protocol: TLS
+    tls:
+      mode: AUTO_PASSTHROUGH
+    hosts:
+    - "*"
+---
+{{- end }}
+{{- end }}
+
+{{- if .Values.global.multiCluster.enabled }}
+{{- if (index .Values "istio-egressgateway" "enabled") }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: istio-multicluster-egressgateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "gateway.name" . }}
+    chart: {{ template "gateway.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  selector:
+  {{- range $key, $spec := .Values }}
+  {{- if eq $key "istio-egressgateway" }}
+  {{- if $spec.enabled }}
+    {{- range $key, $val := $spec.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  servers:
+  - hosts:
+    - "*.global"
+    port:
+      name: tls
+      number: 15443
+      protocol: TLS
+    tls:
+      mode: AUTO_PASSTHROUGH
+{{- end }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: istio-multicluster-ingressgateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "gateway.name" . }}
+    chart: {{ template "gateway.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  selector:
+  {{- range $key, $spec := .Values }}
+  {{- if eq $key "istio-ingressgateway" }}
+  {{- if $spec.enabled }}
+    {{- range $key, $val := $spec.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  servers:
+  - hosts:
+    - "*.global"
+    port:
+      name: tls
+      number: 15443
+      protocol: TLS
+    tls:
+      mode: AUTO_PASSTHROUGH
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: istio-multicluster-ingressgateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "gateway.name" . }}
+    chart: {{ template "gateway.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  workloadLabels:
+  {{- range $key, $spec := .Values }}
+  {{- if eq $key "istio-ingressgateway" }}
+  {{- if $spec.enabled }}
+    {{- range $key, $val := $spec.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  filters:
+  - listenerMatch:
+      portNumber: 15443
+      listenerType: GATEWAY
+    insertPosition:
+      index: AFTER
+      relativeTo: envoy.filters.network.sni_cluster
+    filterName: envoy.filters.network.tcp_cluster_rewrite
+    filterType: NETWORK
+    filterConfig:
+      cluster_pattern: "\\.global$"
+      cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
+---
+## To ensure all traffic to *.global is using mTLS
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: istio-multicluster-destinationrule
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "gateway.name" . }}
+    chart: {{ template "gateway.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  host: "*.global"
+  {{- if .Values.global.defaultConfigVisibilitySettings }}
+  exportTo:
+  - '*'
+  {{- end }}
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+---
+{{- end }}

charts/rancher-istio/1.4.3/charts/gateways/templates/role.yaml

+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $key }}-sds
+  namespace: {{ $spec.namespace | default $.Release.Namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/rancher-istio/1.4.3/charts/gateways/templates/rolebindings.yaml

+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $key }}-sds
+  namespace: {{ $spec.namespace | default $.Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $key }}-sds
+subjects:
+- kind: ServiceAccount
+  name: {{ $key }}-service-account
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/rancher-istio/1.4.3/charts/gateways/templates/service.yaml

+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $key }}
+  namespace: {{ $spec.namespace | default $.Release.Namespace }}
+  annotations:
+    {{- range $key, $val := $spec.serviceAnnotations }}
+    {{ $key }}: {{ $val | quote }}
+    {{- end }}
+  labels:
+    chart: {{ template "gateway.chart" $ }}
+    heritage: {{ $.Release.Service }}
+    release: {{ $.Release.Name }}
+    {{- range $key, $val := $spec.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+spec:
+{{- if $spec.loadBalancerIP }}
+  loadBalancerIP: "{{ $spec.loadBalancerIP }}"
+{{- end }}
+{{- if $spec.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml $spec.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- if $spec.externalTrafficPolicy }}
+  externalTrafficPolicy: {{$spec.externalTrafficPolicy }}
+{{- end }}
+{{- if $spec.externalIPs }}
+  externalIPs:
+{{ toYaml $spec.externalIPs | indent 4 }}
+{{- end }}
+  type: {{ .type }}
+  selector:
+    release: {{ $.Release.Name }}
+    {{- range $key, $val := $spec.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+  ports:
+    {{- range $key, $val := $spec.ports }}
+    -
+      {{- range $pkey, $pval := $val }}
+      {{ $pkey}}: {{ $pval }}
+      {{- end }}
+    {{- end }}
+    {{- if $.Values.global.meshExpansion.enabled }}
+    {{- range $key, $val := $spec.meshExpansionPorts }}
+    -
+      {{- range $pkey, $pval := $val }}
+      {{ $pkey}}: {{ $pval }}
+      {{- end }}
+    {{- end }}
+    {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}

charts/rancher-istio/1.4.3/charts/gateways/templates/serviceaccount.yaml

+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if $.Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range $.Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ $key }}-service-account
+  namespace: {{ $spec.namespace | default $.Release.Namespace }}
+  labels:
+    app: {{ $spec.labels.app }}
+    chart: {{ template "gateway.chart" $ }}
+    heritage: {{ $.Release.Service }}
+    release: {{ $.Release.Name }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+

charts/rancher-istio/1.4.3/charts/gateways/values.yaml

+#
+# Gateways Configuration
+# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
+# You can add more gateways in addition to the defaults but make sure those are uniquely named
+# and that NodePorts are not conflicting.
+# Disable specifc gateway by setting the `enabled` to false.
+#
+enabled: true
+
+istio-ingressgateway:
+  enabled: true
+  #
+  # Secret Discovery Service (SDS) configuration for ingress gateway.
+  #
+  sds:
+    # If true, ingress gateway fetches credentials from SDS server to handle TLS connections.
+    enabled: false
+    # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.
+    # This server runs in the same pod as ingress gateway.
+    image: node-agent-k8s
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 2000m
+        memory: 1024Mi
+
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  # specify replicaCount when autoscaleEnabled: false
+  # replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+  cpu:
+    targetAverageUtilization: 80
+  loadBalancerIP: ""
+  loadBalancerSourceRanges: []
+  externalIPs: []
+  serviceAnnotations: {}
+  podAnnotations: {}
+  type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
+  #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out
+  ports:
+    ## You can add custom gateway ports
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+  - port: 15020
+    targetPort: 15020
+    name: status-port
+  - port: 80
+    targetPort: 80
+    name: http2
+    nodePort: 31380
+  - port: 443
+    name: https
+    nodePort: 31390
+  # Example of a port to add. Remove if not needed
+  - port: 31400
+    name: tcp
+    nodePort: 31400
+  ### PORTS FOR UI/metrics #####
+  ## Disable if not needed
+  - port: 15029
+    targetPort: 15029
+    name: https-kiali
+  - port: 15030
+    targetPort: 15030
+    name: https-prometheus
+  - port: 15031
+    targetPort: 15031
+    name: https-grafana
+  - port: 15032
+    targetPort: 15032
+    name: https-tracing
+    # This is the port where sni routing happens
+  - port: 15443
+    targetPort: 15443
+    name: tls
+  #### MESH EXPANSION PORTS  ########
+  # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
+  # to pilot/citadel if global.meshExpansion settings are enabled.
+  # Delete these ports if mesh expansion is not enabled, to avoid
+  # exposing unnecessary ports on the web.
+  # You can remove these ports if you are not using mesh expansion
+  meshExpansionPorts:
+  - port: 15011
+    targetPort: 15011
+    name: tcp-pilot-grpc-tls
+  - port: 15004
+    targetPort: 15004
+    name: tcp-mixer-grpc-tls
+  - port: 8060
+    targetPort: 8060
+    name: tcp-citadel-grpc-tls
+  - port: 853
+    targetPort: 853
+    name: tcp-dns-tls
+  ####### end MESH EXPANSION PORTS ######
+  ##############
+  secretVolumes:
+  - name: ingressgateway-certs
+    secretName: istio-ingressgateway-certs
+    mountPath: /etc/istio/ingressgateway-certs
+  - name: ingressgateway-ca-certs
+    secretName: istio-ingressgateway-ca-certs
+    mountPath: /etc/istio/ingressgateway-ca-certs
+  ### Advanced options ############
+
+  # Ports to explicitly check for readiness. If configured, the readiness check will expect a
+  # listener on these ports. A comma separated list is expected, such as "80,443".
+  #
+  # Warning: If you do not have a gateway configured for the ports provided, this check will always
+  # fail. This is intended for use cases where you always expect to have a listener on the port,
+  # such as 80 or 443 in typical setups.
+  applicationPorts: ""
+
+  env:
+    # A gateway with this mode ensures that pilot generates an additional
+    # set of clusters for internal services but without Istio mTLS, to
+    # enable cross cluster routing.
+    ISTIO_META_ROUTER_MODE: "sni-dnat"
+  nodeSelector: {}
+  tolerations: []
+
+  # Specify the pod anti-affinity that allows you to constrain which nodes
+  # your pod is eligible to be scheduled based on labels on pods that are
+  # already running on the node rather than based on labels on nodes.
+  # There are currently two types of anti-affinity:
+  #    "requiredDuringSchedulingIgnoredDuringExecution"
+  #    "preferredDuringSchedulingIgnoredDuringExecution"
+  # which denote "hard" vs. "soft" requirements, you can define your values
+  # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+  # correspondingly.
+  # For example:
+  # podAntiAffinityLabelSelector:
+  # - key: security
+  #   operator: In
+  #   values: S1,S2
+  #   topologyKey: "kubernetes.io/hostname"
+  # This pod anti-affinity rule says that the pod requires not to be scheduled
+  # onto a node if that node is already running a pod with label having key
+  # "security" and value "S1".
+  podAntiAffinityLabelSelector: []
+  podAntiAffinityTermLabelSelector: []
+
+istio-egressgateway:
+  enabled: false
+  labels:
+    app: istio-egressgateway
+    istio: egressgateway
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  # specify replicaCount when autoscaleEnabled: false
+  # replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+  cpu:
+    targetAverageUtilization: 80
+  serviceAnnotations: {}
+  podAnnotations: {}
+  type: ClusterIP #change to NodePort or LoadBalancer if need be
+  ports:
+  - port: 80
+    name: http2
+  - port: 443
+    name: https
+    # This is the port where sni routing happens
+  - port: 15443
+    targetPort: 15443
+    name: tls
+  secretVolumes:
+  - name: egressgateway-certs
+    secretName: istio-egressgateway-certs
+    mountPath: /etc/istio/egressgateway-certs
+  - name: egressgateway-ca-certs
+    secretName: istio-egressgateway-ca-certs
+    mountPath: /etc/istio/egressgateway-ca-certs
+  #### Advanced options ########
+  env:
+    # Set this to "external" if and only if you want the egress gateway to
+    # act as a transparent SNI gateway that routes mTLS/TLS traffic to
+    # external services defined using service entries, where the service
+    # entry has resolution set to DNS, has one or more endpoints with
+    # network field set to "external". By default its set to "" so that
+    # the egress gateway sees the same set of endpoints as the sidecars
+    # preserving backward compatibility
+    # ISTIO_META_REQUESTED_NETWORK_VIEW: ""
+    # A gateway with this mode ensures that pilot generates an additional
+    # set of clusters for internal services but without Istio mTLS, to
+    # enable cross cluster routing.
+    ISTIO_META_ROUTER_MODE: "sni-dnat"
+  nodeSelector: {}
+  tolerations: []
+  
+  # Specify the pod anti-affinity that allows you to constrain which nodes
+  # your pod is eligible to be scheduled based on labels on pods that are
+  # already running on the node rather than based on labels on nodes.
+  # There are currently two types of anti-affinity:
+  #    "requiredDuringSchedulingIgnoredDuringExecution"
+  #    "preferredDuringSchedulingIgnoredDuringExecution"
+  # which denote "hard" vs. "soft" requirements, you can define your values
+  # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+  # correspondingly.
+  # For example:
+  # podAntiAffinityLabelSelector:
+  # - key: security
+  #   operator: In
+  #   values: S1,S2
+  #   topologyKey: "kubernetes.io/hostname"
+  # This pod anti-affinity rule says that the pod requires not to be scheduled
+  # onto a node if that node is already running a pod with label having key
+  # "security" and value "S1".
+  podAntiAffinityLabelSelector: []
+  podAntiAffinityTermLabelSelector: []
+
+# Mesh ILB gateway creates a gateway of type InternalLoadBalancer,
+# for mesh expansion. It exposes the mtls ports for Pilot,CA as well
+# as non-mtls ports to support upgrades and gradual transition.
+istio-ilbgateway:
+  enabled: false
+  labels:
+    app: istio-ilbgateway
+    istio: ilbgateway
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  # specify replicaCount when autoscaleEnabled: false
+  # replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+  cpu:
+    targetAverageUtilization: 80
+  resources:
+    requests:
+      cpu: 800m
+      memory: 512Mi
+    #limits:
+    #  cpu: 1800m
+    #  memory: 256Mi
+  loadBalancerIP: ""
+  serviceAnnotations:
+    cloud.google.com/load-balancer-type: "internal"
+  podAnnotations: {}
+  type: LoadBalancer
+  ports:
+  ## You can add custom gateway ports - google ILB default quota is 5 ports,
+  - port: 15011
+    name: grpc-pilot-mtls
+  # Insecure port - only for migration from 0.8. Will be removed in 1.1
+  - port: 15010
+    name: grpc-pilot
+  - port: 8060
+    targetPort: 8060
+    name: tcp-citadel-grpc-tls
+  # Port 5353 is forwarded to kube-dns
+  - port: 5353
+    name: tcp-dns
+  secretVolumes:
+  - name: ilbgateway-certs
+    secretName: istio-ilbgateway-certs
+    mountPath: /etc/istio/ilbgateway-certs
+  - name: ilbgateway-ca-certs
+    secretName: istio-ilbgateway-ca-certs
+    mountPath: /etc/istio/ilbgateway-ca-certs
+  nodeSelector: {}
+  tolerations: []

charts/rancher-istio/1.4.3/charts/grafana/Chart.yaml

+apiVersion: v1
+appVersion: 1.4.3
+description: A Helm chart for Kubernetes
+name: grafana
+tillerVersion: '>=2.7.2'
+version: 1.4.3

charts/rancher-istio/1.4.3/charts/grafana/fix_datasources.sh

+#!/bin/bash
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+UX=$(uname)
+
+for db in "${THIS_DIR}"/dashboards/*.json; do
+    if [[ ${UX} == "Darwin" ]]; then
+        # shellcheck disable=SC2016
+        sed -i '' 's/${DS_PROMETHEUS}/Prometheus/g' "$db"
+    else
+        # shellcheck disable=SC2016
+        sed -i 's/${DS_PROMETHEUS}/Prometheus/g' "$db"
+    fi
+done

charts/rancher-istio/1.4.3/charts/grafana/templates/_helpers.tpl

+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "grafana.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "grafana.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "grafana.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

charts/rancher-istio/1.4.3/charts/grafana/templates/configmap-custom-resources.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-grafana-custom-resources
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "grafana.name" . }}
+    chart: {{ template "grafana.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    istio: grafana
+data:
+  custom-resources.yaml: |-
+    {{- include "grafana-default.yaml.tpl" . | indent 4}}
+  run.sh: |-
+    {{- include "install-custom-resources.sh.tpl" . | indent 4}}

charts/rancher-istio/1.4.3/charts/grafana/templates/configmap-dashboards.yaml

+{{- $files := .Files }}
+{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }}
+{{- $filename := trimSuffix (ext $path) (base $path) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-grafana-configuration-dashboards-{{ $filename }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    app: {{ template "grafana.name" $ }}
+    chart: {{ template "grafana.chart" $ }}
+    heritage: {{ $.Release.Service }}
+    release: {{ $.Release.Name }}
+    istio: grafana
+data:
+  {{ base $path }}: '{{ $files.Get $path }}'
+---
+{{- end }}

charts/rancher-istio/1.4.3/charts/grafana/templates/configmap.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-grafana
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "grafana.name" . }}
+    chart: {{ template "grafana.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    istio: grafana
+data:
+{{- if .Values.datasources }}
+  {{- range $key, $value := .Values.datasources }}
+  {{ $key }}: |
+{{ toYaml $value | indent 4 }}
+  {{- end -}}
+{{- end -}}
+
+{{- if .Values.dashboardProviders }}
+  {{- range $key, $value := .Values.dashboardProviders }}
+  {{ $key }}: |
+{{ toYaml $value | indent 4 }}
+  {{- end -}}
+{{- end -}}

charts/rancher-istio/1.4.3/charts/grafana/templates/grafana-ports-mtls.yaml

+{{ define "grafana-default.yaml.tpl" }}
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+  name: grafana-ports-mtls-disabled
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "grafana.name" . }}
+    chart: {{ template "grafana.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  targets:
+  - name: grafana
+    ports:
+    - number: {{ .Values.service.externalPort }}
+{{- end }}

charts/rancher-istio/1.4.3/charts/grafana/templates/ingress.yaml

+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: grafana
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "grafana.name" . }}
+    chart: {{ template "grafana.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    {{- range $key, $value := .Values.ingress.annotations }}
+      {{ $key }}: {{ $value | quote }}
+    {{- end }}
+spec:
+  rules:
+{{- if .Values.ingress.hosts }}
+    {{- range $host := .Values.ingress.hosts }}
+    - host: {{ $host }}
+      http:
+        paths:
+          - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
+            backend:
+              serviceName: grafana
+              servicePort: 3000
+    {{- end -}}
+{{- else }}
+    - http:
+        paths:
+          - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
+            backend:
+              serviceName: grafana
+              servicePort: 3000
+{{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+  {{- end -}}
+{{- end -}}

charts/rancher-istio/1.4.3/charts/grafana/templates/pvc.yaml

+{{- if .Values.persist }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: istio-grafana-pvc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "grafana.name" . }}
+    chart: {{ template "grafana.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  storageClassName: {{ .Values.storageClassName }}
+  accessModes:
+    - {{ .Values.accessMode }}
+  resources:
+    requests:
+      storage: 5Gi
+{{- end }}