diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 379f0c9548a2..2e9fb481520f 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -124,7 +124,7 @@ kubectl create clusterrolebinding cluster-admin-binding \
 ### Deploy Istio
 ```shell
-kubectl apply -f ./third_party/istio-0.8.0/istio.yaml
+kubectl apply -f ./third_party/istio-1.0-prerelease/istio.yaml
 ```
 Optionally label namespaces with `istio-injection=enabled`:
@@ -133,7 +133,7 @@ Optionally label namespaces with `istio-injection=enabled`:
 kubectl label namespace default istio-injection=enabled
 ```
-Follow the [instructions](./docs/setting-up-ingress-static-ip.md) if you need
+Follow the [instructions](./docs/setting-up-ingress-static-ip.md) if you need
 to set up static IP for Ingresses in the cluster.
 ### Deploy Build
@@ -146,7 +146,7 @@ kubectl apply -f ./third_party/config/build/release.yaml
 This step includes building Knative Serving, creating and pushing developer images and deploying them to your Kubernetes cluster.
-First, edit [config-network.yaml](config/config-network.yaml) as instructed within the file.
+First, edit [config-network.yaml](config/config-network.yaml) as instructed within the file.
 If this file is edited and deployed after Knative Serving installation, the changes in it will be effective only for newly created revisions.
@@ -216,7 +216,7 @@ ko delete --ignore-not-found=true \
 -f config/monitoring/100-common \
 -f config/ \
 -f ./third_party/config/build/release.yaml \
- -f ./third_party/istio-0.8.0/istio.yaml
+ -f ./third_party/istio-1.0-prerelease/istio.yaml
 ```
 ## Telemetry
diff --git a/config/202-gateway.yaml b/config/202-gateway.yaml
index 41936efdb228..8e4c75a69363 100644
--- a/config/202-gateway.yaml
+++ b/config/202-gateway.yaml
@@ -34,6 +34,8 @@ spec:
 protocol: HTTPS
 hosts:
 - "*"
+ tls:
+ mode: PASSTHROUGH
 ---
 # This is the Service definition for the ingress pods serving
 # Knative's shared Gateway.
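Review bot: The new `tls: mode: PASSTHROUGH` on the HTTPS server with `hosts: "*"` needs an in-file comment, because it changes who terminates TLS for the shared Gateway: in passthrough mode the gateway does not terminate TLS itself and forwards the connection based on the SNI host, so HTTPS traffic only reaches a backend when some VirtualService defines a `tls` route matching that host, and otherwise the port accepts connections it cannot route. Suggest adding above the new lines `# PASSTHROUGH: the gateway does not terminate TLS; the workload reached via a matching VirtualService tls route must present the certificate.` No VirtualService `tls` route is visible in this diff (the Go side only builds HTTP routes), so confirm that HTTPS to the shared Gateway is actually routable after this change rather than silently dropped.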
diff --git a/docs/creating-a-kubernetes-cluster.md b/docs/creating-a-kubernetes-cluster.md
index 51a891b8902a..4e683db32497 100644
--- a/docs/creating-a-kubernetes-cluster.md
+++ b/docs/creating-a-kubernetes-cluster.md
@@ -143,13 +143,13 @@ To use a k8s cluster running in GKE:
 so deploy istio with `LoadBalancer` replaced by `NodePort`:
 ```bash
- sed 's/LoadBalancer/NodePort/' third_party/istio-0.8.0/istio.yaml | kubectl apply -f -
+ sed 's/LoadBalancer/NodePort/' third_party/istio-1.0-prerelease/istio.yaml | kubectl apply -f -
 ```
 (Then optionally [enable istio injection](../DEVELOPMENT.md#deploy-istio).)
 1. [Deploy build](../DEVELOPMENT.md#deploy-build):
-
+
 ```shell
 kubectl apply -f ./third_party/config/build/release.yaml
 ```
diff --git a/hack/release.sh b/hack/release.sh
index 8b5b965a64c8..f88396a1ea03 100755
--- a/hack/release.sh
+++ b/hack/release.sh
@@ -28,7 +28,7 @@ readonly SERVING_RELEASE_GCR
 # istio.yaml file to upload
 # We publish our own istio.yaml, so users don't need to use helm"
-readonly ISTIO_YAML=./third_party/istio-0.8.0/istio.yaml
+readonly ISTIO_YAML=./third_party/istio-1.0-prerelease/istio.yaml
 # Local generated yaml file.
 readonly OUTPUT_YAML=release.yaml
 # Local generated lite yaml file.
diff --git a/pkg/controller/names.go b/pkg/controller/names.go
index 86e1fdd5b4d0..646e8afd2996 100644
--- a/pkg/controller/names.go
+++ b/pkg/controller/names.go
@@ -29,9 +29,9 @@ func GetServingK8SServiceNameForObj(name string) string {
 }
 func GetRevisionHeaderName() string {
- return "Knative-Serving-Revision"
+ return "knative-serving-revision"
 }
 func GetRevisionHeaderNamespace() string {
- return "Knative-Serving-Namespace"
+ return "knative-serving-namespace"
 }
diff --git a/pkg/controller/route/resources/virtual_service.go b/pkg/controller/route/resources/virtual_service.go
index 7a19962f341d..937027b216dc 100644
--- a/pkg/controller/route/resources/virtual_service.go
+++ b/pkg/controller/route/resources/virtual_service.go
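Review bot: `GetRevisionHeaderName` and `GetRevisionHeaderNamespace` in names.go are exported but carry no doc comment, and nothing in the code says why the header names are now lowercase; the reason is presumably a requirement of the new Istio release for `AppendHeaders` keys, but that is inferred, not visible in the hunk. Suggest `// GetRevisionHeaderName returns the name of the header that carries the target Revision; it is lowercase because the value is used verbatim as an AppendHeaders key.` and the matching sentence on `GetRevisionHeaderNamespace`. The expected maps in virtual_service_test.go (hunks at -337 and -380) repeat the same literals `"knative-serving-revision"`/`"knative-serving-namespace"` instead of calling these functions, so a future rename has to be done by hand in three places; using the functions there would keep the test tied to the real value. Since the change silently breaks any consumer that compares these headers against the old mixed-case literal, it is worth confirming that every reader of these headers goes through a case-insensitive lookup such as `http.Header.Get`.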
@@ -140,11 +140,11 @@ func makeVirtualServiceRoute(domains []string, ns string, targets []traffic.Revi
 })
 }
 route := v1alpha3.HTTPRoute{
- Match: matches,
- Route: weights,
+ Match: matches,
+ Route: weights,
 Timeout: DefaultRouteTimeout,
 AppendHeaders: map[string]string{
- IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
+ IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
 },
 }
 // Add traffic rules for activator.
diff --git a/pkg/controller/route/resources/virtual_service_test.go b/pkg/controller/route/resources/virtual_service_test.go
index 48253ea82c17..5cc0f5651233 100644
--- a/pkg/controller/route/resources/virtual_service_test.go
+++ b/pkg/controller/route/resources/virtual_service_test.go
@@ -124,7 +124,7 @@ func TestMakeVirtualServiceSpec_CorrectRoutes(t *testing.T) {
 }},
 Timeout: DefaultRouteTimeout,
 AppendHeaders: map[string]string{
- IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
+ IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
 },
 }, {
 Match: []v1alpha3.HTTPMatchRequest{{
@@ -139,7 +139,7 @@ func TestMakeVirtualServiceSpec_CorrectRoutes(t *testing.T) {
 }},
 Timeout: DefaultRouteTimeout,
 AppendHeaders: map[string]string{
- IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
+ IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
 },
 }}
 routes := MakeVirtualService(r, &traffic.TrafficConfig{Targets: targets}).Spec.Http
@@ -215,7 +215,7 @@ func TestMakeVirtualServiceRoute_Vanilla(t *testing.T) {
 }},
 Timeout: DefaultRouteTimeout,
 AppendHeaders: map[string]string{
- IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
+ IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
 },
 }
 if diff := cmp.Diff(&expected, route); diff != "" {
@@ -255,7 +255,7 @@ func TestMakeVirtualServiceRoute_ZeroPercentTarget(t *testing.T) {
 }},
 Timeout: DefaultRouteTimeout,
 AppendHeaders: map[string]string{
- IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
+ IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
 },
 }
 if diff := cmp.Diff(&expected, route); diff != "" {
@@ -302,7 +302,7 @@ func TestMakeVirtualServiceRoute_TwoTargets(t *testing.T) {
 }},
 Timeout: DefaultRouteTimeout,
 AppendHeaders: map[string]string{
- IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
+ IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
 },
 }
 if diff := cmp.Diff(&expected, route); diff != "" {
@@ -337,8 +337,8 @@ func TestMakeVirtualServiceRoute_VanillaScaledToZero(t *testing.T) {
 Weight: 100,
 }},
 AppendHeaders: map[string]string{
- "Knative-Serving-Revision": "revision",
- "Knative-Serving-Namespace": "test-ns",
+ "knative-serving-revision": "revision",
+ "knative-serving-namespace": "test-ns",
 IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
 },
 Timeout: DefaultRouteTimeout,
@@ -380,8 +380,8 @@ func TestMakeVirtualServiceRoute_TwoInactiveTargets(t *testing.T) {
 Weight: 100,
 }},
 AppendHeaders: map[string]string{
- "Knative-Serving-Revision": "revision",
- "Knative-Serving-Namespace": "test-ns",
+ "knative-serving-revision": "revision",
+ "knative-serving-namespace": "test-ns",
 IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
 },
 Timeout: DefaultRouteTimeout,
@@ -424,7 +424,7 @@ func TestMakeVirtualServiceRoute_ZeroPercentNamedTargetScaledToZero(t *testing.T
 }},
 Timeout: DefaultRouteTimeout,
 AppendHeaders: map[string]string{
- IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
+ IstioTimeoutHackHeaderKey: IstioTimeoutHackHeaderValue,
 },
 }
 if diff := cmp.Diff(&expected, route); diff != "" {
diff --git a/test/e2e-tests.sh b/test/e2e-tests.sh
index 34992efa62ac..ea50b7e5fafe 100755
--- a/test/e2e-tests.sh
+++ b/test/e2e-tests.sh
@@ -32,7 +32,7 @@
 [ -v KNATIVE_TEST_INFRA ] || exit 1
 # Location of istio for the test cluster
-readonly ISTIO_YAML=./third_party/istio-0.8.0/istio.yaml
+readonly ISTIO_YAML=./third_party/istio-1.0-prerelease/istio.yaml
 # Helper functions.
diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go
index 276cb5d798ef..cd50bc03c07a 100644
--- a/test/e2e/e2e.go
+++ b/test/e2e/e2e.go
@@ -2,7 +2,6 @@ package e2e
 import (
 "testing"
- "time"
 "go.uber.org/zap"
@@ -41,19 +40,6 @@ func TearDown(clients *test.Clients, names test.ResourceNames, logger *zap.Sugar
 if clients != nil {
 clients.Delete([]string{names.Route}, []string{names.Config})
 }
-
- // There seems to be an Istio bug where if we delete / create
- // VirtualServices too quickly we will hit pro-longed "No health
- // upstream" causing timeouts. Adding this small sleep to
- // sidestep the issue.
- //
- // Only perform this sleep if the test created a Route.
- //
- // TODO(#1376): Fix this when upstream fix is released.
- if names.Route != "" {
- logger.Info("Sleeping for 20 seconds after Route deletion to avoid hitting issue in #1376")
- time.Sleep(20 * time.Second)
- }
 }
 // CreateRouteAndConfig will create Route and Config objects using clients.
diff --git a/test/e2e/helloworld_shell_test.go b/test/e2e/helloworld_shell_test.go
index 1cc1d54f8caa..277a336878eb 100644
--- a/test/e2e/helloworld_shell_test.go
+++ b/test/e2e/helloworld_shell_test.go
@@ -50,14 +50,6 @@ func noStderrShell(name string, arg ...string) string {
 func cleanup(yamlFilename string, logger *zap.SugaredLogger) {
 exec.Command("kubectl", "delete", "-f", yamlFilename).Run()
 os.Remove(yamlFilename)
- // There seems to be an Istio bug where if we delete / create
- // VirtualServices too quickly we will hit pro-longed "No health
- // upstream" causing timeouts. Adding this small sleep to
- // sidestep the issue.
- //
- // TODO(#1376): Fix this when upstream fix is released.
- logger.Info("Sleeping for 20 seconds after Route deletion to avoid hitting issue in #1376")
- time.Sleep(20 * time.Second)
 }
 func TestHelloWorldFromShell(t *testing.T) {
diff --git a/third_party/istio-0.8.0/BUILD.bazel b/third_party/istio-0.8.0/BUILD.bazel
deleted file mode 100644
index 8b8c8ed9a4ab..000000000000
--- a/third_party/istio-0.8.0/BUILD.bazel
+++ /dev/null
@@ -1,11 +0,0 @@
-load("@k8s_object//:defaults.bzl", "k8s_object")
-load("@io_bazel_rules_k8s//k8s:objects.bzl", "k8s_objects")
-
-package(default_visibility = ["//visibility:public"])
-
-licenses(["notice"]) # Apache 2
-
-k8s_object(
- name = "istio",
- template = "istio.yaml",
-)
diff --git a/third_party/istio-0.8.0/README.md b/third_party/istio-0.8.0/README.md
deleted file mode 100644
index 8364894adae1..000000000000
--- a/third_party/istio-0.8.0/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-This istio.yaml file is is generated by running
-```
-./download-istio.sh
-```
-
-Followed by:
-(1) adding the `istio-system` namespace (see PATCH #1 in the file), and
-(2) adding a Prestop sleep in the sidecar proxy, so that the proxy stays up a
- little bit longer after Pod is being removed (see PATCH #2 in the file).
diff --git a/third_party/istio-0.8.0/download-istio.sh b/third_party/istio-0.8.0/download-istio.sh
deleted file mode 100644
index 7fcfd965be7e..000000000000
--- a/third_party/istio-0.8.0/download-istio.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-# Download and unpack Istio
-wget https://github.com/istio/istio/releases/download/0.8.0/istio-0.8.0-linux.tar.gz
-tar xzf istio-0.8.0-linux.tar.gz
-cd istio-0.8.0
-
-# Create template
-helm template --namespace=istio-system \
- --set sidecarInjectorWebhook.enabled=true \
- --set global.proxy.image=proxyv2 \
- --set prometheus.enabled=false \
- install/kubernetes/helm/istio > ../istio.yaml
-
-# Clean up.
-cd ..
-rm -rf istio-0.8.0
-rm istio-0.8.0-linux.tar.gz
diff --git a/third_party/istio-1.0-prerelease/README.md b/third_party/istio-1.0-prerelease/README.md
new file mode 100644
index 000000000000..c07d82f820a9
--- /dev/null
+++ b/third_party/istio-1.0-prerelease/README.md
@@ -0,0 +1,7 @@
+This istio.yaml file is is generated by running
+```
+./download-istio.sh
+```
+
+and modify `istio.yaml` to add a prestop hook to keep `istio-proxy` alive longer
+after container receiving prestop request.
diff --git a/third_party/istio-1.0-prerelease/download-istio.sh b/third_party/istio-1.0-prerelease/download-istio.sh
new file mode 100755
index 000000000000..5dd48ea5707c
--- /dev/null
+++ b/third_party/istio-1.0-prerelease/download-istio.sh
@@ -0,0 +1,24 @@
+# Download and unpack Istio
+ISTIO_VERSION=release-1.0-20180723-09-15
+DOWNLOAD_URL=https://storage.googleapis.com/istio-prerelease/daily-build/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux.tar.gz
+wget $DOWNLOAD_URL
+tar xzf istio-${ISTIO_VERSION}-linux.tar.gz
+cd istio-${ISTIO_VERSION}
+
+# Create template
+helm template --namespace=istio-system \
+ --set sidecarInjectorWebhook.enabled=true \
+ --set sidecarInjectorWebhook.enableNamespacesByDefault=true \
+ --set global.proxy.image=proxyv2 \
+ --set global.autoInject=disabled \
+ --set prometheus.enabled=false \
+ install/kubernetes/helm/istio > ../istio.yaml
+
+# Clean up.
+cd ..
+rm -rf istio-${ISTIO_VERSION}
+rm istio-${ISTIO_VERSION}-linux.tar.gz
+
+# Add in the `istio-system` namespace, so we only need to
+# run one kubectl command to install istio.
+patch istio.yaml namespace.yaml.patch
diff --git a/third_party/istio-0.8.0/istio.yaml b/third_party/istio-1.0-prerelease/istio.yaml
similarity index 64%
rename from third_party/istio-0.8.0/istio.yaml
rename to third_party/istio-1.0-prerelease/istio.yaml
index 781ce72501b2..8d9b6dc04c70 100644
--- a/third_party/istio-0.8.0/istio.yaml
+++ b/third_party/istio-1.0-prerelease/istio.yaml
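Review bot: The new download-istio.sh has no shebang and no `set -euo pipefail`, so when `wget` or `cd istio-${ISTIO_VERSION}` fails the script keeps going: `cd ..` then leaves the directory the script was started in, `rm -rf istio-${ISTIO_VERSION}` runs from the wrong place, and `patch istio.yaml namespace.yaml.patch` is applied to whatever `istio.yaml` happens to be there. Add `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines (the file is already mode 100755) and quote the expansion as `wget "$DOWNLOAD_URL"`. The archive is fetched from a daily prerelease bucket with no checksum or signature verification and the generated `istio.yaml` is committed to the repository, so the integrity of the committed manifest rests entirely on that one unverified download; recording the archive's sha256 next to `ISTIO_VERSION` and checking it before `tar xzf` would make the regeneration reproducible and reviewable. `namespace.yaml.patch` is referenced but not added anywhere visible in this diff, so confirm it exists alongside the script.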
@@ -5,6 +5,132 @@ kind: Namespace metadata: name: istio-system # PATCH #1 ends. +--- +# Source: istio/charts/galley/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration + namespace: istio-system + labels: + app: istio-galley + chart: galley-1.0.0 + release: RELEASE-NAME + heritage: Tiller + istio: mixer +data: + validatingwebhookconfiguration.yaml: |- + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: istio-galley + namespace: istio-system + labels: + app: istio-galley + chart: galley-1.0.0 + release: RELEASE-NAME + heritage: Tiller + webhooks: + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + # disabled per @costinm's request + # - serviceentries + - virtualservices + failurePolicy: Fail + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - servicecontrols + - solarwindses + - stackdrivers + - 
statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - servicecontrolreports + - tracespans + failurePolicy: Fail + + --- # Source: istio/charts/mixer/templates/configmap.yaml apiVersion: v1 @@ -14,7 +140,7 @@ metadata: namespace: istio-system labels: app: istio-statsd-prom-bridge - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME heritage: Tiller istio: mixer @@ -28,7 +154,7 @@ metadata: namespace: istio-system labels: app: istio-mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME heritage: Tiller istio: mixer @@ -85,10 +211,18 @@ data: valueType: TIMESTAMP source.uid: valueType: STRING - source.user: + source.user: # DEPRECATED + valueType: STRING + source.principal: valueType: STRING destination.uid: valueType: STRING + destination.principal: + valueType: STRING + destination.port: + valueType: INT64 + connection.event: + valueType: STRING connection.id: valueType: STRING connection.received.bytes: @@ -109,6 +243,13 @@ data: valueType: TIMESTAMP context.time: valueType: TIMESTAMP + # Deprecated, kept for compatibility + context.reporter.local: + valueType: BOOL + context.reporter.kind: + valueType: STRING + context.reporter.uid: + valueType: STRING api.service: valueType: STRING api.version: 
@@ -142,26 +283,58 @@ data: valueType: IP_ADDRESS source.labels: valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP source.name: valueType: STRING source.namespace: valueType: STRING - source.service: + source.owner: + valueType: STRING + source.service: # DEPRECATED valueType: STRING source.serviceAccount: valueType: STRING + source.services: + valueType: STRING + source.workload.uid: + valueType: STRING + source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: STRING destination.ip: valueType: IP_ADDRESS destination.labels: valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + destination.owner: + valueType: STRING destination.name: valueType: STRING + destination.container.name: + valueType: STRING destination.namespace: valueType: STRING - destination.service: + destination.service: # DEPRECATED + valueType: STRING + destination.service.uid: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.host: valueType: STRING destination.serviceAccount: valueType: STRING + destination.workload.uid: + valueType: STRING + destination.workload.name: + valueType: STRING + destination.workload.namespace: + valueType: STRING --- apiVersion: "config.istio.io/v1alpha2" kind: stdio 
@@ -180,47 +353,103 @@ data: severity: '"Info"' timestamp: request.time variables: - originIp: origin.ip | ip("0.0.0.0") sourceIp: source.ip | ip("0.0.0.0") - sourceService: source.service | "" - sourceUser: source.user | source.uid | "" + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" destinationIp: destination.ip | ip("0.0.0.0") - destinationService: destination.service | "" + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" destinationNamespace: destination.namespace | "" - apiName: api.service | "" - apiVersion: api.version | "" - apiClaims: request.headers["sec-istio-auth-userinfo"]| "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" apiKey: request.api_key | request.headers["x-api-key"] | "" - requestOperation: api.operation | "" - protocol: request.scheme | "http" + protocol: request.scheme | context.protocol | "http" method: request.method | "" url: request.path | "" responseCode: response.code | 0 responseSize: response.size | 0 requestSize: request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" latency: response.duration | "0ms" - connectionMtls: connection.mtls | false + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) userAgent: request.useragent | "" responseTimestamp: response.time - receivedBytes: request.total_size | connection.received.bytes | 0 - sentBytes: response.total_size | connection.sent.bytes | 0 + receivedBytes: request.total_size | 0 + sentBytes: 
response.total_size | 0 referer: request.referer | "" - monitored_resource_type: '"UNSPECIFIED"' + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' + --- + apiVersion: "config.istio.io/v1alpha2" + kind: logentry + metadata: + name: tcpaccesslog + namespace: istio-system + spec: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: - name: stdio + name: stdiohttp namespace: istio-system 
spec: - match: "true" # If omitted match is true. + match: context.protocol == "http" || context.protocol == "grpc" actions: - handler: handler.stdio instances: - accesslog.logentry --- apiVersion: "config.istio.io/v1alpha2" + kind: rule + metadata: + name: stdiotcp + namespace: istio-system + spec: + match: context.protocol == "tcp" + actions: + - handler: handler.stdio + instances: + - tcpaccesslog.logentry + --- + apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestcount @@ -228,12 +457,23 @@ data: spec: value: "1" dimensions: - source_service: source.service | "unknown" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 - connection_mtls: connection.mtls | false + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" 
@@ -244,12 +484,23 @@ data: spec: value: response.duration | "0ms" dimensions: - source_service: source.service | "unknown" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 - connection_mtls: connection.mtls | false + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" 
@@ -260,12 +511,23 @@ data: spec: value: request.size | 0 dimensions: - source_service: source.service | "unknown" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 - connection_mtls: connection.mtls | false + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" 
@@ -276,12 +538,23 @@ data: spec: value: response.size | 0 dimensions: - source_service: source.service | "unknown" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 - connection_mtls: connection.mtls | false + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" 
@@ -289,16 +562,24 @@ data: metadata: name: tcpbytesent namespace: istio-system - labels: - istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp spec: value: connection.sent.bytes | 0 dimensions: - source_service: source.service | "unknown" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - connection_mtls: connection.mtls | false + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" 
@@ -306,16 +587,24 @@ data: metadata: name: tcpbytereceived namespace: istio-system - labels: - istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp spec: value: connection.received.bytes | 0 dimensions: - source_service: source.service | "unknown" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" - destination_service: destination.service | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - connection_mtls: connection.mtls | false + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" 
@@ -325,86 +614,149 @@ data: namespace: istio-system spec: metrics: - - name: request_count + - name: requests_total instance_name: requestcount.metric.istio-system kind: COUNTER label_names: - - source_service + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace - source_version - - destination_service + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol - response_code - - connection_mtls - - name: request_duration + - connection_security_policy + - name: request_duration_seconds instance_name: requestduration.metric.istio-system kind: DISTRIBUTION label_names: - - source_service + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace - source_version - - destination_service + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol - response_code - - connection_mtls + - connection_security_policy buckets: explicit_buckets: bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - - name: request_size + - name: request_bytes instance_name: requestsize.metric.istio-system kind: DISTRIBUTION label_names: - - source_service + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace - source_version - - destination_service + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol - response_code - - connection_mtls + - connection_security_policy buckets: exponentialBuckets: numFiniteBuckets: 8 scale: 1 
growthFactor: 10 - - name: response_size + - name: response_bytes instance_name: responsesize.metric.istio-system kind: DISTRIBUTION label_names: - - source_service + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace - source_version - - destination_service + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol - response_code - - connection_mtls + - connection_security_policy buckets: exponentialBuckets: numFiniteBuckets: 8 scale: 1 growthFactor: 10 - - name: tcp_bytes_sent + - name: tcp_sent_bytes_total instance_name: tcpbytesent.metric.istio-system kind: COUNTER label_names: - - source_service + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace - source_version - - destination_service + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace - destination_version - - connection_mtls - - name: tcp_bytes_received + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - name: tcp_received_bytes_total instance_name: tcpbytereceived.metric.istio-system kind: COUNTER label_names: - - source_service + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace - source_version - - destination_service + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace - destination_version - - connection_mtls + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promhttp namespace: istio-system - labels: - istio-protocol: http spec: + match: context.protocol == "http" || 
context.protocol == "grpc" actions: - handler: handler.prometheus instances: @@ -418,9 +770,8 @@ data: metadata: name: promtcp namespace: istio-system - labels: - istio-protocol: tcp # needed so that mixer will only execute when context.protocol == TCP spec: + match: context.protocol == "tcp" actions: - handler: handler.prometheus instances: 
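Review bot: The Prometheus metric names change in this hunk (`request_count` → `requests_total`, `request_duration` → `request_duration_seconds`, `request_size`/`response_size` → `request_bytes`/`response_bytes`, `tcp_bytes_sent`/`tcp_bytes_received` → `tcp_sent_bytes_total`/`tcp_received_bytes_total`) and the `connection_mtls` label is replaced by `connection_security_policy`, so any dashboard, alert rule or e2e assertion in this repo that still queries the old names or filters on `connection_mtls="true"` will silently return no data rather than fail. I do not see a corresponding change to the monitoring config in this diff; if such references exist elsewhere they need to move to the new names and to `connection_security_policy="mutual_tls"` in the same change. The new `match: context.protocol == "http" || context.protocol == "grpc"` on promhttp replaces the removed `istio-protocol` label as the protocol gate, which is what the deleted comment described; the promtcp hunk that follows does the same with `"tcp"`.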
@@ -475,21 +826,32 @@ data:
 source_uid: source.uid | ""
 source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
 destination_uid: destination.uid | ""
- origin_uid: '""'
- origin_ip: ip("0.0.0.0") # default to unspecified ip addr
+ destination_port: destination.port | 0
 attribute_bindings:
 # Fill the new attributes from the adapter produced output.
 # $out refers to an instance of OutputTemplate message
 source.ip: $out.source_pod_ip | ip("0.0.0.0")
+ source.uid: $out.source_pod_uid | "unknown"
 source.labels: $out.source_labels | emptyStringMap()
+ source.name: $out.source_pod_name | "unknown"
 source.namespace: $out.source_namespace | "default"
- source.service: $out.source_service | "unknown"
+ source.owner: $out.source_owner | "unknown"
 source.serviceAccount: $out.source_service_account_name | "unknown"
+ source.workload.uid: $out.source_workload_uid | "unknown"
+ source.workload.name: $out.source_workload_name | "unknown"
+ source.workload.namespace: $out.source_workload_namespace | "unknown"
 destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
+ destination.uid: $out.destination_pod_uid | "unknown"
 destination.labels: $out.destination_labels | emptyStringMap()
+ destination.name: $out.destination_pod_name | "unknown"
+ destination.container.name: $out.destination_container_name | "unknown"
 destination.namespace: $out.destination_namespace | "default"
- destination.service: $out.destination_service | "unknown"
+ destination.owner: $out.destination_owner | "unknown"
 destination.serviceAccount: $out.destination_service_account_name | "unknown"
+ destination.workload.uid: $out.destination_workload_uid | "unknown"
+ destination.workload.name: $out.destination_workload_name | "unknown"
+ destination.workload.namespace: $out.destination_workload_namespace | "unknown"
+
 ---
 # Configuration needed by Mixer.
 # Mixer cluster is delivered via CDS
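Review bot: Every attribute binding added in this hunk falls back to `"unknown"` when the kubernetesenv adapter cannot resolve the peer, but the two unchanged namespace bindings still fall back to `"default"` (`source.namespace: $out.source_namespace | "default"` and its destination counterpart), so a failed pod lookup is attributed to the `default` namespace and is indistinguishable from genuine traffic there for any rule or policy that matches on namespace. Aligning them with the new lines, `| "unknown"`, keeps unattributed traffic visibly unattributed; since this file looks like upstream chart output, that may be better raised upstream than patched locally, but it is worth a comment here either way.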
@@ -521,6 +883,86 @@ data: maxRequestsPerConnection: 10000 --- + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + /kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + /kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" -ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + /kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/charts/security/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-security-custom-resources + namespace: istio-system + labels: + app: istio-security + chart: security-1.0.0 + release: RELEASE-NAME + heritage: Tiller + istio: security +data: + custom-resources.yaml: |- + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + /kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + /kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" 
-ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + /kubectl apply -f ${pathToResourceYAML} + --- # Source: istio/templates/configmap.yaml 
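Review bot: In the `istio-security-custom-resources` ConfigMap the script is nested under the `custom-resources.yaml` key (`custom-resources.yaml: |-` is immediately followed by the indented `run.sh: |-`), so that ConfigMap exposes no `run.sh` file and its `custom-resources.yaml` holds shell text rather than resources; this looks like the template rendering an empty resource list, and a job that mounts this map and applies the file would fail on it. Separately, `run.sh` waits for the istio-galley deployment with `while true; do ... sleep 1; done` and has no upper bound, so a caller that never sees galley appear hangs indefinitely rather than failing; a bounded retry count followed by `exit 1` would surface the problem. The final `/kubectl apply -f ${pathToResourceYAML}` should quote its argument, `"${pathToResourceYAML}"`, so a path containing whitespace is not split.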
@@ -531,42 +973,37 @@ metadata: namespace: istio-system labels: app: istio - chart: istio-0.8.0 + chart: istio-1.0.0 release: RELEASE-NAME heritage: Tiller data: mesh: |- - # - # Edit this list to avoid using mTLS to connect to these services. - # Typically, these are control services (e.g kubernetes API server) that don't have istio sidecar - # to transparently terminate mTLS authentication. - # mtlsExcludedServices: ["kubernetes.default.svc.cluster.local"] - # Set the following variable to true to disable policy checks by the Mixer. # Note that metrics will still be reported to the Mixer. disablePolicyChecks: false + # Set enableTracing to false to disable request tracing. enableTracing: true + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "/dev/stdout" # - # To disable the mixer completely (including metrics), comment out - # the following lines - mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004 - mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004 + # Deprecated: mixer is using EDS + mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091 + mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091 + # This is the ingress service name, update if you used a different name ingressService: istio-ingress - # - # Along with discoveryRefreshDelay, this setting determines how - # frequently should Envoy fetch and update its internal configuration - # from istio Pilot. Lower refresh delay results in higher CPU - # utilization and potential performance loss in exchange for faster - # convergence. Tweak this value according to your setup. - rdsRefreshDelay: 10s + + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: "" + + # How frequently should Envoy fetch key/cert from NodeAgent. 
+ sdsRefreshDelay: 15s + # defaultConfig: - # NOTE: If you change any values in this section, make sure to make - # the same changes in start up args in istio-ingress pods. - # See rdsRefreshDelay for explanation about this setting. - discoveryRefreshDelay: 10s # # TCP connection timeout between Envoy & the application, and between Envoys. connectTimeout: 10s @@ -624,7 +1061,7 @@ metadata: namespace: istio-system labels: app: istio - chart: istio-0.8.0 + chart: istio-1.0.0 release: RELEASE-NAME heritage: Tiller istio: sidecar-injector @@ -634,7 +1071,7 @@ data: template: |- initContainers: - name: istio-init - image: docker.io/istio/proxy_init:0.8.0 + image: "gcr.io/istio-release/proxy_init:release-1.0-20180723-09-15" args: - "-p" - [[ .MeshConfig.ProxyListenPort ]] @@ -676,6 +1113,7 @@ data: containers: - name: istio-proxy # PATCH #2: Add a prestop sleep. + # TODO(#1370) Remove this. lifecycle: preStop: exec: @@ -686,7 +1124,7 @@ data: image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]] "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]" [[ else -]] - docker.io/istio/proxyv2:0.8.0 + gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15 [[ end -]] args: - proxy @@ -718,7 +1156,7 @@ data: - --proxyAdminPort - [[ .ProxyConfig.ProxyAdminPort ]] - --controlPlaneAuthPolicy - - [[ .ProxyConfig.ControlPlaneAuthPolicy ]] + - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/controlPlaneAuthPolicy") .ProxyConfig.ControlPlaneAuthPolicy ]] env: - name: POD_NAME valueFrom: 
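Review bot: `--controlPlaneAuthPolicy` is now taken from the pod annotation `sidecar.istio.io/controlPlaneAuthPolicy` when present, with `.ProxyConfig.ControlPlaneAuthPolicy` only as the fallback, so a mesh-wide setting becomes overridable per pod by whoever can write pod metadata in an injected namespace, and the template does not constrain the annotation's value. If that override is intended it deserves a comment in the template and a line in the project's docs so operators know the mesh default is not authoritative, e.g. `# pod annotation sidecar.istio.io/controlPlaneAuthPolicy overrides the mesh-wide ControlPlaneAuthPolicy for this sidecar`; if it is not intended, the previous form `- [[ .ProxyConfig.ControlPlaneAuthPolicy ]]` is the tighter one. The same annotation-override pattern is already used for `interceptionMode` and `proxyImage` in the surrounding context, so this is at least consistent with the file's approach.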
@@ -740,21 +1178,27 @@ data: value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]] imagePullPolicy: IfNotPresent securityContext: - privileged: false - readOnlyRootFilesystem: true - [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]] - capabilities: - add: - - NET_ADMIN - [[ else -]] - runAsUser: 1337 - [[ end -]] + privileged: false + readOnlyRootFilesystem: true + [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]] + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + [[ else -]] + runAsUser: 1337 + [[ end -]] restartPolicy: Always resources: + [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU") -]] + requests: + cpu: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU" ]]" + memory: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyMemory" ]]" + [[ else -]] requests: - cpu: 100m - memory: 128Mi + cpu: 10m + [[ end -]] volumeMounts: - mountPath: /etc/istio/proxy name: istio-envoy 
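Review bot: The resources block is gated only on `sidecar.istio.io/proxyCPU` (`[[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU") -]]`) but then indexes `sidecar.istio.io/proxyMemory` unconditionally, so a pod carrying only the CPU annotation renders `memory: ""`, which is not a valid quantity and would be rejected at admission. Guarding the memory line on its own annotation fixes it: `[[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyMemory") -]]` / `memory: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyMemory" ]]"` / `[[ end -]]`. Worth noting too that the default branch drops the previous `memory: 128Mi` request and lowers cpu from `100m` to `10m`, so sidecars now schedule with no memory reservation unless the annotations are set, and the new `runAsGroup: 1337` in the TPROXY branch depends on the cluster supporting that field, which the hunk does not document.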
@@ -776,34 +1220,32 @@ data: --- -# Source: istio/charts/egressgateway/templates/serviceaccount.yaml +# Source: istio/charts/galley/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: istio-egressgateway-service-account + name: istio-galley-service-account namespace: istio-system labels: - app: egressgateway - chart: egressgateway-0.8.0 + app: istio-galley + chart: galley-1.0.0 heritage: Tiller release: RELEASE-NAME --- -# Source: istio/charts/ingress/templates/serviceaccount.yaml +# Source: istio/charts/gateways/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: istio-ingress-service-account + name: istio-egressgateway-service-account namespace: istio-system labels: - app: ingress - chart: ingress-0.8.0 + app: egressgateway + chart: gateways-1.0.0 heritage: Tiller release: RELEASE-NAME - --- -# Source: istio/charts/ingressgateway/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: @@ -811,9 +1253,10 @@ metadata: namespace: istio-system labels: app: ingressgateway - chart: ingressgateway-0.8.0 + chart: gateways-1.0.0 heritage: Tiller release: RELEASE-NAME +--- --- # Source: istio/charts/mixer/templates/create-custom-resources-job.yaml @@ -824,7 +1267,7 @@ metadata: namespace: istio-system labels: app: mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 heritage: Tiller release: RELEASE-NAME --- 
@@ -832,16 +1275,18 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-mixer-post-install-istio-system - namespace: istio-system labels: app: mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: ["config.istio.io"] # istio CRD watcher resources: ["*"] verbs: ["create", "get", "list", "watch", "patch"] +- apiGroups: ["rbac.istio.io"] # istio RBAC watcher + resources: ["*"] + verbs: ["create", "get", "list", "watch", "patch"] - apiGroups: ["networking.istio.io"] # needed to create mixer destination rules resources: ["*"] verbs: ["*"] @@ -851,6 +1296,12 @@ rules: - apiGroups: [""] resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"] verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get"] +- apiGroups: ["extensions"] + resources: ["deployments", "replicasets"] + verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding @@ -858,7 +1309,7 @@ metadata: name: istio-mixer-post-install-role-binding-istio-system labels: app: mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 heritage: Tiller release: RELEASE-NAME roleRef: @@ -874,20 +1325,20 @@ subjects: apiVersion: batch/v1 kind: Job metadata: - name: istio-mixer-post-install + name: istio-mixer-post-install-1.0 namespace: istio-system annotations: "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation + "helm.sh/hook-delete-policy": hook-succeeded labels: app: mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME heritage: Tiller spec: template: metadata: - name: istio-mixer-post-install + name: istio-mixer-post-install-1.0 labels: app: mixer release: RELEASE-NAME 
@@ -896,11 +1347,7 @@ spec: containers: - name: hyperkube image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" - command: - - ./kubectl - - apply - - -f - - /tmp/mixer/custom-resources.yaml + command: [ "/bin/bash", "/tmp/mixer/run.sh", "/tmp/mixer/custom-resources.yaml" ] volumeMounts: - mountPath: "/tmp/mixer" name: tmp-configmap-mixer @@ -908,11 +1355,10 @@ spec: - name: tmp-configmap-mixer configMap: name: istio-mixer-custom-resources - restartPolicy: Never # CRD might take some time till they are available to consume + restartPolicy: OnFailure --- # Source: istio/charts/mixer/templates/serviceaccount.yaml - apiVersion: v1 kind: ServiceAccount metadata: @@ -920,13 +1366,12 @@ metadata: namespace: istio-system labels: app: mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 heritage: Tiller release: RELEASE-NAME --- # Source: istio/charts/pilot/templates/serviceaccount.yaml - apiVersion: v1 kind: ServiceAccount metadata: 
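Review bot: The post-install job now runs `/bin/bash /tmp/mixer/run.sh` although the script in the ConfigMap declares `#!/bin/sh`; the constructs used are POSIX so either works, but choosing one avoids surprises if the hyperkube image lacks bash. With `restartPolicy: OnFailure` the removed comment about CRDs taking time is replaced by the script's own wait loop, which has no timeout, so a job that never finds istio-galley sits in Running indefinitely rather than failing; a retry bound in the script, or `activeDeadlineSeconds` on the Job spec (which sits outside this hunk), would make that visible.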
@@ -934,32 +1379,123 @@ metadata: namespace: istio-system labels: app: istio-pilot - chart: pilot-0.8.0 + chart: pilot-1.0.0 heritage: Tiller release: RELEASE-NAME --- -# Source: istio/charts/security/templates/serviceaccount.yaml +# Source: istio/charts/security/templates/cleanup-secrets.yaml +# The reason for creating a ServiceAccount and ClusterRole specifically for this +# post-delete hooked job is because the citadel ServiceAccount is being deleted +# before this hook is launched. On the other hand, running this hook before the +# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they +# will be re-created immediately by the to-be-deleted citadel. +# +# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding +# will be ready before running the hooked Job therefore the hook weights. apiVersion: v1 kind: ServiceAccount metadata: - name: istio-citadel-service-account + name: istio-cleanup-secrets-service-account namespace: istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security-1.0.0 + heritage: Tiller + release: RELEASE-NAME +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security-1.0.0 + heritage: Tiller + release: RELEASE-NAME +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "2" labels: app: security - chart: security-0.8.0 + chart: security-1.0.0 heritage: Tiller release: RELEASE-NAME 
+roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cleanup-secrets-istio-system +subjects: + - kind: ServiceAccount + name: istio-cleanup-secrets-service-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-cleanup-secrets + namespace: istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "3" + labels: + app: security + chart: security-1.0.0 + release: RELEASE-NAME + heritage: Tiller +spec: + template: + metadata: + name: istio-cleanup-secrets + labels: + app: security + release: RELEASE-NAME + spec: + serviceAccountName: istio-cleanup-secrets-service-account + containers: + - name: hyperkube + image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" + command: + - /bin/bash + - -c + - > + kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do + ns=$(echo $entry | awk '{print $1}'); + name=$(echo $entry | awk '{print $2}'); + kubectl delete secret $name -n $ns; + done + restartPolicy: OnFailure + --- +# Source: istio/charts/security/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: istio-cleanup-old-ca-service-account + name: istio-citadel-service-account namespace: istio-system labels: app: security - chart: security-0.8.0 + chart: security-1.0.0 heritage: Tiller release: RELEASE-NAME @@ -972,7 +1508,7 @@ metadata: namespace: istio-system labels: app: istio-sidecar-injector - chart: sidecarInjectorWebhook-0.8.0 + chart: sidecarInjectorWebhook-1.0.0 heritage: Tiller release: RELEASE-NAME @@ -993,6 +1529,9 @@ spec: kind: rule plural: rules singular: rule + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- 
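Review bot: The `istio-cleanup-secrets` job runs under a ClusterRole granting `list` and `delete` on `secrets` in every namespace, and it selects what to delete with `grep "istio.io/key-and-cert"` over the whole `kubectl get secret --all-namespaces` table rather than on the type column, then passes `$name` and `$ns` unquoted; a selection tied to the secret type, such as `kubectl get secret --all-namespaces -o jsonpath='{range .items[?(@.type=="istio.io/key-and-cert")]}{.metadata.namespace} {.metadata.name}{"\n"}{end}'`, expresses the intent the header comment gives and removes the text matching. Because every object here uses `hook-delete-policy: hook-succeeded`, a failed run leaves the job, its service account and the cluster-wide secret-delete binding in place, which should be called out as something to clean up by hand. The ClusterRole itself could carry a one-line note, `# post-delete only: removes citadel-issued istio.io/key-and-cert secrets`, so its scope is obvious when read in isolation.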
@@ -1011,6 +1550,30 @@ spec: kind: attributemanifest plural: attributemanifests singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: bypasses.config.istio.io + labels: + app: mixer + package: bypass + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: bypass + plural: bypasses + singular: bypass + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1029,6 +1592,9 @@ spec: kind: circonus plural: circonuses singular: circonus + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1047,6 +1613,9 @@ spec: kind: denier plural: deniers singular: denier + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1065,6 +1634,9 @@ spec: kind: fluentd plural: fluentds singular: fluentd + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1083,6 +1655,9 @@ spec: kind: kubernetesenv plural: kubernetesenvs singular: kubernetesenv + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1101,6 +1676,9 @@ spec: kind: listchecker plural: listcheckers singular: listchecker + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1119,6 +1697,9 @@ spec: kind: memquota plural: memquotas singular: memquota + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1137,6 +1718,9 @@ spec: kind: noop plural: noops singular: noop + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1155,6 +1739,9 @@ spec: kind: opa plural: opas singular: opa + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- 
@@ -1173,6 +1760,9 @@ spec: kind: prometheus plural: prometheuses singular: prometheus + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1191,6 +1781,26 @@ spec: kind: rbac plural: rbacs singular: rbac + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: redisquotas.config.istio.io + labels: + package: redisquota + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: redisquota + plural: redisquotas + singular: redisquota scope: Namespaced version: v1alpha2 --- @@ -1209,6 +1819,31 @@ spec: kind: servicecontrol plural: servicecontrols singular: servicecontrol + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 + +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: signalfxs.config.istio.io + labels: + app: mixer + package: signalfx + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: signalfx + plural: signalfxs + singular: signalfx + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1227,6 +1862,9 @@ spec: kind: solarwinds plural: solarwindses singular: solarwinds + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1245,6 +1883,9 @@ spec: kind: stackdriver plural: stackdrivers singular: stackdriver + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1263,6 +1904,9 @@ spec: kind: statsd plural: statsds singular: statsd + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1281,6 +1925,9 @@ spec: kind: stdio plural: stdios singular: stdio + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- 
@@ -1299,6 +1946,9 @@ spec: kind: apikey plural: apikeys singular: apikey + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1317,6 +1967,9 @@ spec: kind: authorization plural: authorizations singular: authorization + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1335,6 +1988,9 @@ spec: kind: checknothing plural: checknothings singular: checknothing + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1353,6 +2009,9 @@ spec: kind: kubernetes plural: kuberneteses singular: kubernetes + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1371,6 +2030,9 @@ spec: kind: listentry plural: listentries singular: listentry + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1389,6 +2051,30 @@ spec: kind: logentry plural: logentries singular: logentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: edges.config.istio.io + labels: + app: mixer + package: edge + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: edge + plural: edges + singular: edge + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1407,6 +2093,9 @@ spec: kind: metric plural: metrics singular: metric + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1425,6 +2114,9 @@ spec: kind: quota plural: quotas singular: quota + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1443,6 +2135,9 @@ spec: kind: reportnothing plural: reportnothings singular: reportnothing + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- 
@@ -1461,6 +2156,9 @@ spec: kind: servicecontrolreport plural: servicecontrolreports singular: servicecontrolreport + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- @@ -1479,6 +2177,9 @@ spec: kind: tracespan plural: tracespans singular: tracespan + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- 
@@ -1486,88 +2187,148 @@ spec: kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: serviceroles.config.istio.io + name: rbacconfigs.rbac.istio.io labels: app: mixer package: istio.io.mixer istio: rbac spec: - group: config.istio.io + group: rbac.istio.io names: - kind: ServiceRole - plural: serviceroles - singular: servicerole + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io scope: Namespaced - version: v1alpha2 + version: v1alpha1 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: servicerolebindings.config.istio.io + name: serviceroles.rbac.istio.io labels: app: mixer package: istio.io.mixer istio: rbac spec: - group: config.istio.io + group: rbac.istio.io names: - kind: ServiceRoleBinding + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding plural: servicerolebindings singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io scope: Namespaced - version: v1alpha2 - + version: v1alpha1 --- -# Source: istio/charts/pilot/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: destinationpolicies.config.istio.io + name: adapters.config.istio.io labels: - app: istio-pilot + app: mixer + package: adapter + istio: mixer-adapter spec: group: config.istio.io names: - kind: DestinationPolicy - listKind: DestinationPolicyList - plural: destinationpolicies - singular: destinationpolicy + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - 
policy-istio-io scope: Namespaced version: v1alpha2 --- -apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: egressrules.config.istio.io + name: instances.config.istio.io labels: - app: istio-pilot + app: mixer + package: instance + istio: mixer-instance spec: group: config.istio.io names: - kind: EgressRule - listKind: EgressRuleList - plural: egressrules - singular: egressrule + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- +kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: routerules.config.istio.io + name: handlers.config.istio.io labels: - app: istio-pilot + app: mixer + package: handler + istio: mixer-handler spec: group: config.istio.io names: - kind: RouteRule - listKind: RouteRuleList - plural: routerules - singular: routerule + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- + +--- +# Source: istio/charts/pilot/templates/crds.yaml apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: @@ -1581,6 +2342,9 @@ spec: listKind: VirtualServiceList plural: virtualservices singular: virtualservice + categories: + - istio-io + - networking-istio-io scope: Namespaced version: v1alpha3 --- 
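Review bot: `serviceroles` and `servicerolebindings` move from `config.istio.io/v1alpha2` to `rbac.istio.io/v1alpha1` in this hunk and a new `rbacconfigs.rbac.istio.io` CRD is added, but nothing migrates objects already created under the old group; a cluster that applies this file keeps the old CRDs and their objects, which the `rbac.istio.io` watchers granted to mixer and pilot later in this diff do not read, so previously enforced service-level access rules would presumably stop applying without any error. That deserves a line in the upgrade notes and a comment here, e.g. `# ServiceRole/ServiceRoleBinding objects created under config.istio.io/v1alpha2 are not read after this change; re-create them under rbac.istio.io/v1alpha1`. The same hunk also replaces the pilot `destinationpolicies`/`egressrules`/`routerules` CRDs with the mixer `adapters`/`instances`/`templates`/`handlers` CRDs, and the same non-migration caveat applies to any of those routing objects still in a cluster.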
@@ -1597,6 +2361,9 @@ spec: listKind: DestinationRuleList plural: destinationrules singular: destinationrule + categories: + - istio-io + - networking-istio-io scope: Namespaced version: v1alpha3 --- @@ -1613,6 +2380,9 @@ spec: listKind: ServiceEntryList plural: serviceentries singular: serviceentry + categories: + - istio-io + - networking-istio-io scope: Namespaced version: v1alpha3 --- @@ -1628,6 +2398,9 @@ spec: kind: Gateway plural: gateways singular: gateway + categories: + - istio-io + - networking-istio-io scope: Namespaced version: v1alpha3 --- @@ -1641,11 +2414,31 @@ spec: kind: Policy plural: policies singular: policy + categories: + - istio-io + - authentication-istio-io scope: Namespaced version: v1alpha1 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: meshpolicies.authentication.istio.io +spec: + group: authentication.istio.io + names: + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + categories: + - istio-io + - authentication-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: httpapispecbindings.config.istio.io spec: @@ -1654,6 +2447,9 @@ spec: kind: HTTPAPISpecBinding plural: httpapispecbindings singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io scope: Namespaced version: v1alpha2 --- @@ -1667,6 +2463,9 @@ spec: kind: HTTPAPISpec plural: httpapispecs singular: httpapispec + categories: + - istio-io + - apim-istio-io scope: Namespaced version: v1alpha2 --- @@ -1680,6 +2479,9 @@ spec: kind: QuotaSpecBinding plural: quotaspecbindings singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io scope: Namespaced version: v1alpha2 --- 
@@ -1693,71 +2495,135 @@ spec: kind: QuotaSpec plural: quotaspecs singular: quotaspec + categories: + - istio-io + - apim-istio-io scope: Namespaced version: v1alpha2 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 --- -# Source: istio/charts/ingress/templates/clusterrole.yaml +# Source: istio/charts/galley/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-galley-istio-system + labels: + app: istio-galley + chart: galley-1.0.0 + heritage: Tiller + release: RELEASE-NAME +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["*"] +- apiGroups: ["config.istio.io"] # istio mixer CRD watcher + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["*"] + resources: ["deployments"] + resourceNames: ["istio-galley"] + verbs: ["get"] + +--- +# Source: istio/charts/gateways/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: - app: ingress - chart: ingress-0.8.0 + app: gateways + chart: gateways-1.0.0 heritage: Tiller release: RELEASE-NAME - name: istio-ingress-istio-system + name: istio-egressgateway-istio-system rules: - apiGroups: ["extensions"] - resources: ["thirdpartyresources", "ingresses"] + resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] verbs: ["get", "watch", "list", "update"] -- apiGroups: [""] - resources: ["configmaps", "pods", "endpoints", "services"] - verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: gateways + chart: gateways-1.0.0 + 
heritage: Tiller + release: RELEASE-NAME + name: istio-ingressgateway-istio-system +rules: +- apiGroups: ["extensions"] + resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- --- # Source: istio/charts/mixer/templates/clusterrole.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-mixer-istio-system - namespace: istio-system labels: app: mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: ["config.istio.io"] # istio CRD watcher resources: ["*"] verbs: ["create", "get", "list", "watch", "patch"] +- apiGroups: ["rbac.istio.io"] # istio RBAC watcher + resources: ["*"] + verbs: ["get", "list", "watch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"] verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] --- # Source: istio/charts/pilot/templates/clusterrole.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-pilot-istio-system - namespace: istio-system labels: app: istio-pilot - chart: pilot-0.8.0 + chart: pilot-1.0.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: ["config.istio.io"] resources: ["*"] verbs: ["*"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] - apiGroups: ["networking.istio.io"] resources: ["*"] verbs: ["*"] 
@@ -1782,15 +2648,13 @@ rules: --- # Source: istio/charts/security/templates/clusterrole.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-citadel-istio-system - namespace: istio-system labels: app: security - chart: security-0.8.0 + chart: security-1.0.0 heritage: Tiller release: RELEASE-NAME rules: @@ -1803,35 +2667,16 @@ rules: - apiGroups: [""] resources: ["services"] verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: istio-cleanup-old-ca-istio-system - namespace: istio-system - labels: - app: security - chart: security-0.8.0 - heritage: Tiller - release: RELEASE-NAME -rules: -- apiGroups: [""] - resources: ["deployments", "serviceaccounts", "services"] - verbs: ["get", "delete"] -- apiGroups: ["extensions"] - resources: ["deployments", "replicasets"] - verbs: ["get", "list", "update", "delete"] --- # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-sidecar-injector-istio-system labels: app: istio-sidecar-injector - chart: sidecarInjectorWebhook-0.8.0 + chart: sidecarInjectorWebhook-1.0.0 heritage: Tiller release: RELEASE-NAME rules: 
@@ -1843,31 +2688,64 @@ rules: verbs: ["get", "list", "watch", "patch"] --- -# Source: istio/charts/ingress/templates/clusterrolebinding.yaml +# Source: istio/charts/galley/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-istio-system + labels: + app: istio-galley + chart: galley-1.0.0 + heritage: Tiller + release: RELEASE-NAME +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-istio-system +subjects: + - kind: ServiceAccount + name: istio-galley-service-account + namespace: istio-system + +--- +# Source: istio/charts/gateways/templates/clusterrolebindings.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: istio-ingress-istio-system + name: istio-egressgateway-istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-pilot-istio-system + name: istio-egressgateway-istio-system +subjects: + - kind: ServiceAccount + name: istio-egressgateway-service-account + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-ingressgateway-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-ingressgateway-istio-system subjects: - kind: ServiceAccount - name: istio-ingress-service-account + name: istio-ingressgateway-service-account namespace: istio-system +--- --- # Source: istio/charts/mixer/templates/clusterrolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-mixer-admin-role-binding-istio-system labels: app: mixer - chart: mixer-0.8.0 + chart: mixer-1.0.0 heritage: Tiller release: RELEASE-NAME roleRef: 
@@ -1881,14 +2759,13 @@ subjects: --- # Source: istio/charts/pilot/templates/clusterrolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-pilot-istio-system labels: app: istio-pilot - chart: pilot-0.8.0 + chart: pilot-1.0.0 heritage: Tiller release: RELEASE-NAME roleRef: @@ -1902,14 +2779,13 @@ subjects: --- # Source: istio/charts/security/templates/clusterrolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-citadel-istio-system labels: app: security - chart: security-0.8.0 + chart: security-1.0.0 heritage: Tiller release: RELEASE-NAME roleRef: @@ -1920,36 +2796,16 @@ subjects: - kind: ServiceAccount name: istio-citadel-service-account namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: istio-cleanup-old-ca-istio-system - namespace: istio-system - labels: - app: security - chart: security-0.8.0 - heritage: Tiller - release: RELEASE-NAME -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istio-cleanup-old-ca-istio-system -subjects: - - kind: ServiceAccount - name: istio-cleanup-old-ca-service-account - namespace: istio-system --- # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-sidecar-injector-admin-role-binding-istio-system labels: app: istio-sidecar-injector - chart: sidecarInjectorWebhook-0.8.0 + chart: sidecarInjectorWebhook-1.0.0 heritage: Tiller release: RELEASE-NAME roleRef: 
@@ -1960,77 +2816,76 @@ subjects: - kind: ServiceAccount name: istio-sidecar-injector-service-account namespace: istio-system + --- -# Source: istio/charts/egressgateway/templates/service.yaml +# Source: istio/charts/galley/templates/service.yaml apiVersion: v1 kind: Service metadata: - name: istio-egressgateway + name: istio-galley namespace: istio-system labels: - chart: egressgateway-0.8.0 - release: RELEASE-NAME - heritage: Tiller - istio: egressgateway + istio: galley spec: - type: ClusterIP - selector: - istio: egressgateway ports: - - - name: http - port: 80 - - - name: https - port: 443 + - port: 443 + name: https-validation + - port: 9093 + name: http-monitoring + selector: + istio: galley --- -# Source: istio/charts/ingress/templates/service.yaml +# Source: istio/charts/gateways/templates/service.yaml + apiVersion: v1 kind: Service metadata: - name: istio-ingress + name: istio-egressgateway namespace: istio-system + annotations: labels: - chart: ingress-0.8.0 + chart: gateways-1.0.0 release: RELEASE-NAME heritage: Tiller - istio: ingress + app: istio-egressgateway + istio: egressgateway spec: - type: LoadBalancer + type: ClusterIP selector: - istio: ingress + app: istio-egressgateway + istio: egressgateway ports: - - name: http - nodePort: 32000 + name: http2 port: 80 - name: https port: 443 --- - ---- -# Source: istio/charts/ingressgateway/templates/service.yaml apiVersion: v1 kind: Service metadata: name: istio-ingressgateway namespace: istio-system + annotations: labels: - chart: ingressgateway-0.8.0 + chart: gateways-1.0.0 release: RELEASE-NAME heritage: Tiller + app: istio-ingressgateway istio: ingressgateway spec: type: LoadBalancer selector: + app: istio-ingressgateway istio: ingressgateway ports: - - name: http + name: http2 nodePort: 31380 port: 80 + targetPort: 80 - name: https nodePort: 31390 
@@ -2039,6 +2894,15 @@ spec: name: tcp nodePort: 31400 port: 31400 + - + name: tcp-pilot-grpc-tls + port: 15011 + targetPort: 15011 + - + name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 +--- --- # Source: istio/charts/mixer/templates/service.yaml @@ -2049,7 +2913,7 @@ metadata: name: istio-policy namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: mixer spec: @@ -2070,7 +2934,7 @@ metadata: name: istio-telemetry namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: mixer spec: @@ -2098,7 +2962,7 @@ metadata: name: istio-statsd-prom-bridge namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: statsd-prom-bridge spec: @@ -2119,7 +2983,7 @@ metadata: name: istio-statsd-prom-bridge namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: mixer spec: @@ -2137,7 +3001,7 @@ spec: name: istio-statsd-prom-bridge containers: - name: statsd-prom-bridge - image: "prom/statsd-exporter:latest" + image: "docker.io/prom/statsd-exporter:latest" imagePullPolicy: IfNotPresent ports: - containerPort: 9102 @@ -2146,7 +3010,8 @@ spec: args: - '-statsd.mapping-config=/etc/statsd/mapping.conf' resources: - {} + requests: + cpu: 10m volumeMounts: - name: config-volume @@ -2161,17 +3026,11 @@ metadata: namespace: istio-system labels: app: istio-pilot - chart: pilot-0.8.0 + chart: pilot-1.0.0 release: RELEASE-NAME heritage: Tiller spec: ports: - - port: 15003 - name: http-old-discovery # mTLS or non-mTLS depending on auth setting - - port: 15005 - name: https-discovery # always mTLS - - port: 15007 - name: http-discovery # always plain-text - port: 15010 name: grpc-xds # direct - port: 15011 
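Review bot: The istio-ingressgateway Service, which the preceding hunk shows as `type: LoadBalancer`, now also publishes `tcp-pilot-grpc-tls` (15011) and `tcp-citadel-grpc-tls` (8060) on the external load balancer, and the ingressgateway Deployment opens the matching `containerPort: 15011` / `containerPort: 8060` in the `@@ -2489` hunk. Judging by the port names these forward to Pilot's discovery and Citadel's CA gRPC endpoints, i.e. control-plane services that are otherwise only reachable through their in-cluster Services; the upstream chart adds them for mesh expansion, and the `meshexpansion.yaml` sources later in this file render empty, so they appear unused in this install. Unless out-of-cluster workloads must reach the control plane, consider removing the two port entries from the Service (they can remain on the Deployment), or at minimum documenting why the control plane is reachable via the ingress address and restricting it with `loadBalancerSourceRanges` where the cloud supports it. The Service definition begins in the previous hunk.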
@@ -2221,91 +3080,79 @@ spec: istio: sidecar-injector --- -# Source: istio/charts/egressgateway/templates/deployment.yaml +# Source: istio/charts/galley/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: - name: istio-egressgateway + name: istio-galley namespace: istio-system labels: - app: egressgateway - chart: egressgateway-0.8.0 + app: galley + chart: galley-1.0.0 release: RELEASE-NAME heritage: Tiller - istio: egressgateway + istio: galley spec: - replicas: + replicas: 1 template: metadata: labels: - istio: egressgateway - annotations: - sidecar.istio.io/inject: "false" + istio: galley spec: - serviceAccountName: istio-egressgateway-service-account + serviceAccountName: istio-galley-service-account containers: - - name: egressgateway - image: "docker.io/istio/proxyv2:0.8.0" + - name: validator + image: "gcr.io/istio-release/galley:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent ports: - - containerPort: 80 - - containerPort: 443 - args: - - proxy - - router - - -v - - "2" - - --discoveryRefreshDelay - - '1s' #discoveryRefreshDelay - - --drainDuration - - '45s' #drainDuration - - --parentShutdownDuration - - '1m0s' #parentShutdownDuration - - --connectTimeout - - '10s' #connectTimeout - - --serviceCluster - - istio-egressgateway - - --zipkinAddress - - zipkin:9411 - - --statsdUdpAddress - - istio-statsd-prom-bridge:9125 - - --proxyAdminPort - - "15000" - - --controlPlaneAuthPolicy - - NONE - - --discoveryAddress - - istio-pilot:8080 - resources: - {} - - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name + - containerPort: 443 + - containerPort: 9093 + command: + - /usr/local/bin/galley + - validator + - 
--caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --healthCheckInterval=2s + - --healthCheckFile=/health + - --webhook-config-file + - /etc/istio/config/validatingwebhookconfiguration.yaml volumeMounts: - - name: istio-certs - mountPath: /etc/certs + - name: certs + mountPath: /etc/istio/certs readOnly: true + - name: config + mountPath: /etc/istio/config + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: + requests: + cpu: 10m + volumes: - - name: istio-certs + - name: certs secret: - secretName: "istio.default" - optional: true + secretName: istio.istio-galley-service-account + - name: config + configMap: + name: istio-galley-configuration affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: 
@@ -2341,38 +3188,41 @@ spec: - s390x --- -# Source: istio/charts/ingress/templates/deployment.yaml +# Source: istio/charts/gateways/templates/deployment.yaml + apiVersion: extensions/v1beta1 kind: Deployment metadata: - name: istio-ingress + name: istio-egressgateway namespace: istio-system labels: - app: ingress - chart: ingress-0.8.0 + app: egressgateway + chart: gateways-1.0.0 release: RELEASE-NAME heritage: Tiller - istio: ingress + app: istio-egressgateway + istio: egressgateway spec: - replicas: + replicas: 1 template: metadata: labels: - istio: ingress + app: istio-egressgateway + istio: egressgateway annotations: sidecar.istio.io/inject: "false" spec: - serviceAccountName: istio-ingress-service-account + serviceAccountName: istio-egressgateway-service-account containers: - - name: ingress - image: "docker.io/istio/proxy:0.8.0" + - name: egressgateway + image: "gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent ports: - containerPort: 80 - containerPort: 443 args: - proxy - - ingress + - router - -v - "2" - --discoveryRefreshDelay @@ -2384,7 +3234,7 @@ spec: - --connectTimeout - '10s' #connectTimeout - --serviceCluster - - istio-ingress + - istio-egressgateway - --zipkinAddress - zipkin:9411 - --statsdUdpAddress @@ -2396,7 +3246,8 @@ spec: - --discoveryAddress - istio-pilot:8080 resources: - {} + requests: + cpu: 10m env: - name: POD_NAME 
@@ -2414,21 +3265,32 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true - - name: ingress-certs - mountPath: /etc/istio/ingress-certs + - name: egressgateway-certs + mountPath: "/etc/istio/egressgateway-certs" + readOnly: true + - name: egressgateway-ca-certs + mountPath: "/etc/istio/egressgateway-ca-certs" readOnly: true volumes: - name: istio-certs secret: - secretName: "istio.default" + secretName: istio.istio-egressgateway-service-account + optional: true + - name: egressgateway-certs + secret: + secretName: "istio-egressgateway-certs" optional: true - - name: ingress-certs + - name: egressgateway-ca-certs secret: - secretName: istio-ingress-certs + secretName: "istio-egressgateway-ca-certs" optional: true affinity: nodeAffinity: @@ -2463,9 +3325,7 @@ spec: operator: In values: - s390x - --- -# Source: istio/charts/ingressgateway/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: @@ -2473,15 +3333,17 @@ metadata: namespace: istio-system labels: app: ingressgateway - chart: ingressgateway-0.8.0 + chart: gateways-1.0.0 release: RELEASE-NAME heritage: Tiller + app: istio-ingressgateway istio: ingressgateway spec: - replicas: + replicas: 1 template: metadata: labels: + app: istio-ingressgateway istio: ingressgateway annotations: sidecar.istio.io/inject: "false" @@ -2489,12 +3351,14 @@ spec: serviceAccountName: istio-ingressgateway-service-account containers: - name: ingressgateway - image: "docker.io/istio/proxyv2:0.8.0" + image: "gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent ports: - containerPort: 80 - containerPort: 443 - containerPort: 31400 + - containerPort: 15011 + - containerPort: 8060 args: - proxy - router 
@@ -2521,7 +3385,8 @@ spec: - --discoveryAddress - istio-pilot:8080 resources: - {} + requests: + cpu: 10m env: - name: POD_NAME @@ -2550,15 +3415,22 @@ spec: - name: ingressgateway-certs mountPath: "/etc/istio/ingressgateway-certs" readOnly: true + - name: ingressgateway-ca-certs + mountPath: "/etc/istio/ingressgateway-ca-certs" + readOnly: true volumes: - name: istio-certs secret: - secretName: "istio.default" + secretName: istio.istio-ingressgateway-service-account optional: true - name: ingressgateway-certs secret: secretName: "istio-ingressgateway-certs" optional: true + - name: ingressgateway-ca-certs + secret: + secretName: "istio-ingressgateway-ca-certs" + optional: true affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -2592,6 +3464,7 @@ spec: operator: In values: - s390x +--- --- # Source: istio/charts/mixer/templates/deployment.yaml @@ -2602,7 +3475,7 @@ metadata: name: istio-policy namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: mixer spec: @@ -2610,6 +3483,7 @@ spec: template: metadata: labels: + app: policy istio: mixer istio-mixer-type: policy annotations: @@ -2621,6 +3495,8 @@ spec: secret: secretName: istio.istio-mixer-service-account optional: true + - name: uds-socket + emptyDir: {} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: 
@@ -2656,23 +3532,32 @@ spec: - s390x containers: - name: mixer - image: "docker.io/istio/mixer:0.8.0" + image: "gcr.io/istio-release/mixer:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent ports: - - containerPort: 9092 - containerPort: 9093 - containerPort: 42422 args: - --address - - tcp://127.0.0.1:9092 + - unix:///sock/mixer.socket - --configStoreURL=k8s:// - --configDefaultNamespace=istio-system - --trace_zipkin_url=http://zipkin:9411/api/v1/spans resources: - {} + requests: + cpu: 10m + volumeMounts: + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 9093 + initialDelaySeconds: 5 + periodSeconds: 5 - name: istio-proxy - image: "docker.io/istio/proxyv2:0.8.0" + image: "gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent ports: - containerPort: 9091 @@ -2702,14 +3587,21 @@ spec: apiVersion: v1 fieldPath: status.podIP resources: - requests: - cpu: 100m - memory: 128Mi + requests: + cpu: 10m volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 15093 + initialDelaySeconds: 5 + periodSeconds: 5 --- apiVersion: extensions/v1beta1 @@ -2718,7 +3610,7 @@ metadata: name: istio-telemetry namespace: istio-system labels: - chart: mixer-0.8.0 + chart: mixer-1.0.0 release: RELEASE-NAME istio: mixer spec: @@ -2726,6 +3618,7 @@ spec: template: metadata: labels: + app: telemetry istio: mixer istio-mixer-type: telemetry annotations: 
@@ -2737,25 +3630,36 @@ spec: secret: secretName: istio.istio-mixer-service-account optional: true + - name: uds-socket + emptyDir: {} containers: - name: mixer - image: "docker.io/istio/mixer:0.8.0" + image: "gcr.io/istio-release/mixer:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent ports: - - containerPort: 9092 - containerPort: 9093 - containerPort: 42422 args: - --address - - tcp://127.0.0.1:9092 + - unix:///sock/mixer.socket - --configStoreURL=k8s:// - --configDefaultNamespace=istio-system - --trace_zipkin_url=http://zipkin:9411/api/v1/spans resources: - {} + requests: + cpu: 10m + volumeMounts: + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 9093 + initialDelaySeconds: 5 + periodSeconds: 5 - name: istio-proxy - image: "docker.io/istio/proxyv2:0.8.0" + image: "gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent ports: - containerPort: 9091 @@ -2785,14 +3689,21 @@ spec: apiVersion: v1 fieldPath: status.podIP resources: - requests: - cpu: 100m - memory: 128Mi + requests: + cpu: 10m volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 15093 + initialDelaySeconds: 5 + periodSeconds: 5 --- @@ -2803,10 +3714,10 @@ kind: Deployment metadata: name: istio-pilot namespace: istio-system - # TODO: default tempate doesn't have this, which one is right ? + # TODO: default template doesn't have this, which one is right ? labels: app: istio-pilot - chart: pilot-0.8.0 + chart: pilot-1.0.0 release: RELEASE-NAME heritage: Tiller istio: pilot 
@@ -2818,23 +3729,23 @@ spec: metadata: labels: istio: pilot + app: pilot annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-pilot-service-account containers: - name: discovery - image: "docker.io/istio/pilot:0.8.0" + image: "gcr.io/istio-release/pilot:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent args: - "discovery" -# TODO(sdake) remove when secrets are automagically registered ports: - containerPort: 8080 - containerPort: 15010 readinessProbe: httpGet: - path: /v1/registration + path: /debug/endpointz port: 8080 initialDelaySeconds: 30 periodSeconds: 30 @@ -2854,8 +3765,11 @@ spec: value: "500" - name: PILOT_CACHE_SQUASH value: "5" + - name: PILOT_TRACE_SAMPLING + value: "100" resources: - {} + requests: + cpu: 10m volumeMounts: - name: config-volume @@ -2864,7 +3778,7 @@ spec: mountPath: /etc/certs readOnly: true - name: istio-proxy - image: "docker.io/istio/proxyv2:0.8.0" + image: "gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent ports: - containerPort: 15003 @@ -2897,8 +3811,7 @@ spec: fieldPath: status.podIP resources: requests: - cpu: 100m - memory: 128Mi + cpu: 10m volumeMounts: - name: istio-certs @@ -2910,7 +3823,7 @@ spec: name: istio - name: istio-certs secret: - secretName: "istio.istio-pilot-service-account" + secretName: istio.istio-pilot-service-account affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -2955,7 +3868,7 @@ metadata: namespace: istio-system labels: app: security - chart: security-0.8.0 + chart: security-1.0.0 release: RELEASE-NAME heritage: Tiller istio: citadel 
@@ -2971,16 +3884,17 @@ spec: serviceAccountName: istio-citadel-service-account containers: - name: citadel - image: "docker.io/istio/citadel:0.8.0" + image: "gcr.io/istio-release/citadel:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent args: - --append-dns-names=true - --grpc-port=8060 - --grpc-hostname=citadel - - --self-signed-ca=true - --citadel-storage-namespace=istio-system + - --self-signed-ca=true resources: - {} + requests: + cpu: 10m affinity: nodeAffinity: @@ -3025,12 +3939,12 @@ metadata: namespace: istio-system labels: app: sidecarInjectorWebhook - chart: sidecarInjectorWebhook-0.8.0 + chart: sidecarInjectorWebhook-1.0.0 release: RELEASE-NAME heritage: Tiller istio: sidecar-injector spec: - replicas: + replicas: 1 template: metadata: labels: @@ -3039,7 +3953,7 @@ spec: serviceAccountName: istio-sidecar-injector-service-account containers: - name: sidecar-injector-webhook - image: "docker.io/istio/sidecar_injector:0.8.0" + image: "gcr.io/istio-release/sidecar_injector:release-1.0-20180723-09-15" imagePullPolicy: IfNotPresent args: - --caCertFile=/etc/istio/certs/root-cert.pem @@ -3065,7 +3979,7 @@ spec: - /usr/local/bin/sidecar-injector - probe - --probe-path=/health - - --interval=2s + - --interval=4s initialDelaySeconds: 4 periodSeconds: 4 readinessProbe: @@ -3074,9 +3988,13 @@ spec: - /usr/local/bin/sidecar-injector - probe - --probe-path=/health - - --interval=2s + - --interval=4s initialDelaySeconds: 4 periodSeconds: 4 + resources: + requests: + cpu: 10m + volumes: - name: config-volume configMap: 
@@ -3125,47 +4043,7 @@ spec: - s390x --- -# Source: istio/charts/security/templates/cleanup-old-ca.yaml - -apiVersion: batch/v1 -kind: Job -metadata: - name: istio-cleanup-old-ca - namespace: istio-system - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": hook-succeeded - labels: - app: security - chart: security-0.8.0 - release: RELEASE-NAME - heritage: Tiller -spec: - template: - metadata: - name: istio-cleanup-old-ca - labels: - app: security - release: RELEASE-NAME - spec: - serviceAccountName: istio-cleanup-old-ca-service-account - containers: - - name: hyperkube - image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" - command: - - /bin/bash - - -c - - > - NS="-n istio-system"; - ./kubectl get deploy istio-ca $NS; - if [[ $? = 0 ]]; then ./kubectl delete deploy istio-ca $NS; fi; - ./kubectl get serviceaccount istio-ca-service-account $NS; - if [[ $? = 0 ]]; then ./kubectl delete serviceaccount istio-ca-service-account $NS; fi; - ./kubectl get service istio-ca-ilb $NS; - if [[ $? = 0 ]]; then ./kubectl delete service istio-ca-ilb $NS; fi - restartPolicy: Never ---- -# Source: istio/charts/egressgateway/templates/autoscale.yaml +# Source: istio/charts/gateways/templates/autoscale.yaml apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler @@ -3173,7 +4051,7 @@ metadata: name: istio-egressgateway namespace: istio-system spec: - maxReplicas: 1 + maxReplicas: 5 minReplicas: 1 scaleTargetRef: apiVersion: apps/v1beta1 
@@ -3183,41 +4061,15 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: 80 - - + targetAverageUtilization: 55 --- -# Source: istio/charts/ingress/templates/autoscale.yaml - -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: istio-ingress - namespace: istio-system -spec: - maxReplicas: 1 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1beta1 - kind: Deployment - name: istio-ingress - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - - ---- -# Source: istio/charts/ingressgateway/templates/autoscale.yaml - apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: name: istio-ingressgateway namespace: istio-system spec: - maxReplicas: 1 + maxReplicas: 5 minReplicas: 1 scaleTargetRef: apiVersion: apps/v1beta1 @@ -3227,8 +4079,8 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: 80 - + targetAverageUtilization: 55 +--- --- # Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml @@ -3239,7 +4091,7 @@ metadata: namespace: istio-system labels: app: istio-sidecar-injector - chart: sidecarInjectorWebhook-0.8.0 + chart: sidecarInjectorWebhook-1.0.0 release: RELEASE-NAME heritage: Tiller webhooks: 
@@ -3257,10 +4109,42 @@ webhooks: resources: ["pods"] failurePolicy: Fail namespaceSelector: - matchLabels: - istio-injection: enabled + matchExpressions: + - key: istio-injection + operator: NotIn + values: + - disabled + + +--- +# Source: istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl + --- # Source: istio/charts/mixer/templates/config.yaml +--- +# Source: istio/charts/pilot/templates/gateway.yaml + + +--- +# Source: istio/charts/pilot/templates/meshexpansion.yaml + + +--- +# Source: istio/charts/security/templates/create-custom-resources-job.yaml + + +--- +# Source: istio/charts/security/templates/enable-mesh-mtls.yaml + + +--- +# Source: istio/charts/security/templates/meshexpansion.yaml + + +--- + +--- +# Source: istio/templates/install-custom-resources.sh.tpl diff --git a/third_party/istio-1.0-prerelease/namespace.yaml.patch b/third_party/istio-1.0-prerelease/namespace.yaml.patch new file mode 100644 index 000000000000..92c7e48d1708 --- /dev/null +++ b/third_party/istio-1.0-prerelease/namespace.yaml.patch @@ -0,0 +1,8 @@ +1a2,8 +> # PATCH #1: Creating the istio-system namespace. +> apiVersion: v1 +> kind: Namespace +> metadata: +> name: istio-system +> # PATCH #1 ends. +> ---
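Review bot: The sidecar injector's `namespaceSelector` flips from opt-in (`matchLabels: istio-injection: enabled`) to opt-out (`istio-injection NotIn [disabled]`) while `failurePolicy: Fail` is kept, so pod creation in every namespace that is not explicitly labelled `disabled` — including kube-system and the namespaces Knative itself creates — is now routed through the injector and is rejected whenever the injector is unavailable. Any install instructions that still describe labelling namespaces with `istio-injection=enabled` should be updated to describe opting out instead, and system namespaces should be labelled `istio-injection=disabled` before this manifest is applied. Separately, the `validatingwehookconfiguration.yaml.tpl` source renders empty here while Galley is deployed with `--webhook-config-file` and its ClusterRole grants `*` on validatingwebhookconfigurations, which suggests Galley registers the validating webhook itself at runtime rather than from this manifest; worth confirming that is intended and noting it next to the empty section.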