From 7fa6bc532ed58a557ba61931c1074dbc1dc89693 Mon Sep 17 00:00:00 2001 From: Nghia Tran Date: Tue, 31 Jul 2018 18:54:31 -0700 Subject: [PATCH] Use Istio 1.0.0. --- DEVELOPMENT.md | 4 +- docs/creating-a-kubernetes-cluster.md | 2 +- hack/release.sh | 2 +- test/e2e-tests.sh | 2 +- third_party/istio-1.0-prerelease/README.md | 7 - third_party/istio-1.0.0/README.md | 15 + .../download-istio.sh | 6 +- .../istio.yaml | 2393 +++++++++-------- .../namespace.yaml.patch | 0 9 files changed, 1226 insertions(+), 1205 deletions(-) delete mode 100644 third_party/istio-1.0-prerelease/README.md create mode 100644 third_party/istio-1.0.0/README.md rename third_party/{istio-1.0-prerelease => istio-1.0.0}/download-istio.sh (75%) rename third_party/{istio-1.0-prerelease => istio-1.0.0}/istio.yaml (70%) rename third_party/{istio-1.0-prerelease => istio-1.0.0}/namespace.yaml.patch (100%) diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index b149dd54c634..3f09c33f10e7 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -124,7 +124,7 @@ kubectl create clusterrolebinding cluster-admin-binding \ ### Deploy Istio ```shell -kubectl apply -f ./third_party/istio-1.0-prerelease/istio.yaml +kubectl apply -f ./third_party/istio-1.0.0/istio.yaml ``` Follow the [instructions](./docs/setting-up-ingress-static-ip.md) if you need @@ -215,7 +215,7 @@ ko delete --ignore-not-found=true \ -f config/monitoring/100-common \ -f config/ \ -f ./third_party/config/build/release.yaml \ - -f ./third_party/istio-1.0-prerelease/istio.yaml + -f ./third_party/istio-1.0.0/istio.yaml ``` ## Telemetry diff --git a/docs/creating-a-kubernetes-cluster.md b/docs/creating-a-kubernetes-cluster.md index 4e683db32497..dea8dcbe7feb 100644 --- a/docs/creating-a-kubernetes-cluster.md +++ b/docs/creating-a-kubernetes-cluster.md 
@@ -143,7 +143,7 @@ To use a k8s cluster running in GKE: so deploy istio with `LoadBalancer` replaced by `NodePort`: ```bash - sed 's/LoadBalancer/NodePort/' third_party/istio-1.0-prerelease/istio.yaml | kubectl apply -f - + sed 's/LoadBalancer/NodePort/' third_party/istio-1.0.0/istio.yaml | kubectl apply -f - ``` (Then optionally [enable istio injection](../DEVELOPMENT.md#deploy-istio).) diff --git a/hack/release.sh b/hack/release.sh index f88396a1ea03..be57aacbe18b 100755 --- a/hack/release.sh +++ b/hack/release.sh @@ -28,7 +28,7 @@ readonly SERVING_RELEASE_GCR # istio.yaml file to upload # We publish our own istio.yaml, so users don't need to use helm" -readonly ISTIO_YAML=./third_party/istio-1.0-prerelease/istio.yaml +readonly ISTIO_YAML=./third_party/istio-1.0.0/istio.yaml # Local generated yaml file. readonly OUTPUT_YAML=release.yaml # Local generated lite yaml file. diff --git a/test/e2e-tests.sh b/test/e2e-tests.sh index ff2852d144ab..e16e86edf039 100755 --- a/test/e2e-tests.sh +++ b/test/e2e-tests.sh @@ -32,7 +32,7 @@ [ -v KNATIVE_TEST_INFRA ] || exit 1 # Location of istio for the test cluster -readonly ISTIO_YAML=./third_party/istio-1.0-prerelease/istio.yaml +readonly ISTIO_YAML=./third_party/istio-1.0.0/istio.yaml # Helper functions. diff --git a/third_party/istio-1.0-prerelease/README.md b/third_party/istio-1.0-prerelease/README.md deleted file mode 100644 index c07d82f820a9..000000000000 --- a/third_party/istio-1.0-prerelease/README.md +++ /dev/null @@ -1,7 +0,0 @@ -This istio.yaml file is is generated by running -``` -./download-istio.sh -``` - -and modify `istio.yaml` to add a prestop hook to keep `istio-proxy` alive longer -after container receiving prestop request. diff --git a/third_party/istio-1.0.0/README.md b/third_party/istio-1.0.0/README.md new file mode 100644 index 000000000000..314fc2edaf36 --- /dev/null +++ b/third_party/istio-1.0.0/README.md 
@@ -0,0 +1,15 @@
+This istio.yaml file is is generated by running
+```
+./download-istio.sh
+```
+
+The Helm options we used are:
+
+1. `sidecarInjectorWebhook.enabled=true` & `sidecarInjectorWebhook.enableNamespacesByDefault=true`: We allow sidecar injection on all namespaces.
+2. `global.proxy.autoInject=disabled`: However, only apply sidecar injection for Pods annotated with `istio.sidecar.inject=true`, and not as a default.
+3. `prometheus.enabled=false`: Disable Prometheus by default.
+
+Our goal here is to allow sidecar injection for Pods created by Knative, and
+nothing else. This template is used in integration tests and also released as
+an Istio-one-line-installation so that our users don't have to go through a lot
+of steps to install Istio.
diff --git a/third_party/istio-1.0-prerelease/download-istio.sh b/third_party/istio-1.0.0/download-istio.sh
similarity index 75%
rename from third_party/istio-1.0-prerelease/download-istio.sh
rename to third_party/istio-1.0.0/download-istio.sh
index bb735992742c..8af90ed89f08 100755
--- a/third_party/istio-1.0-prerelease/download-istio.sh
+++ b/third_party/istio-1.0.0/download-istio.sh
@@ -1,6 +1,7 @@
 # Download and unpack Istio
-ISTIO_VERSION=release-1.0-20180723-09-15
-DOWNLOAD_URL=https://storage.googleapis.com/istio-prerelease/daily-build/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux.tar.gz
+ISTIO_VERSION=1.0.0
+DOWNLOAD_URL=https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux.tar.gz
+
 wget $DOWNLOAD_URL
 tar xzf istio-${ISTIO_VERSION}-linux.tar.gz
 cd istio-${ISTIO_VERSION}
@@ -9,7 +10,6 @@ cd istio-${ISTIO_VERSION}
 helm template --namespace=istio-system \
 --set sidecarInjectorWebhook.enabled=true \
 --set sidecarInjectorWebhook.enableNamespacesByDefault=true \
 - --set global.proxy.image=proxyv2 \
 --set global.proxy.autoInject=disabled \
 --set prometheus.enabled=false \
 install/kubernetes/helm/istio > ../istio.yaml
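Review bot: The release tarball fetched by `wget $DOWNLOAD_URL` in the first download-istio.sh hunk is unpacked and passed to `helm template` with no integrity check, yet the README added in this commit says the resulting istio.yaml is released to users as the one-line Istio install. Pin the archive digest next to `ISTIO_VERSION` and verify it before `tar`, for example `ISTIO_SHA256=<sha256-of-release-tarball>` followed by `echo "${ISTIO_SHA256}  istio-${ISTIO_VERSION}-linux.tar.gz" | sha256sum -c -`. The hunk starts at line 1 with the comment, so the script appears to have no shebang or `set -e`; if the download or `cd` fails, the `> ../istio.yaml` redirect in the second hunk would still truncate a file relative to the wrong directory. Adding `set -euo pipefail` at the top and quoting `"$DOWNLOAD_URL"` would make the regeneration fail closed; the script may continue beyond the second hunk.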
diff --git a/third_party/istio-1.0-prerelease/istio.yaml b/third_party/istio-1.0.0/istio.yaml similarity index 70% rename from third_party/istio-1.0-prerelease/istio.yaml rename to third_party/istio-1.0.0/istio.yaml index 6458cbe1e0e7..34ba2fa5c31e 100644 --- a/third_party/istio-1.0-prerelease/istio.yaml +++ b/third_party/istio-1.0.0/istio.yaml @@ -21,7 +21,7 @@ metadata: heritage: Tiller istio: mixer data: - validatingwebhookconfiguration.yaml: |- + validatingwebhookconfiguration.yaml: |- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: 
@@ -148,775 +148,6 @@ metadata: istio: mixer data: mapping.conf: |- ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-mixer-custom-resources - namespace: istio-system - labels: - app: istio-mixer - chart: mixer-1.0.0 - release: RELEASE-NAME - heritage: Tiller - istio: mixer -data: - custom-resources.yaml: |- - apiVersion: "config.istio.io/v1alpha2" - kind: attributemanifest - metadata: - name: istioproxy - namespace: istio-system - spec: - attributes: - origin.ip: - valueType: IP_ADDRESS - origin.uid: - valueType: STRING - origin.user: - valueType: STRING - request.headers: - valueType: STRING_MAP - request.id: - valueType: STRING - request.host: - valueType: STRING - request.method: - valueType: STRING - request.path: - valueType: STRING - request.reason: - valueType: STRING - request.referer: - valueType: STRING - request.scheme: - valueType: STRING - request.total_size: - valueType: INT64 - request.size: - valueType: INT64 - request.time: - valueType: TIMESTAMP - request.useragent: - valueType: STRING - response.code: - valueType: INT64 - response.duration: - valueType: DURATION - response.headers: - valueType: STRING_MAP - response.total_size: - valueType: INT64 - response.size: - valueType: INT64 - response.time: - valueType: TIMESTAMP - source.uid: - valueType: STRING - source.user: # DEPRECATED - valueType: STRING - source.principal: - valueType: STRING - destination.uid: - valueType: STRING - destination.principal: - valueType: STRING - destination.port: - valueType: INT64 - connection.event: - valueType: STRING - connection.id: - valueType: STRING - connection.received.bytes: - valueType: INT64 - connection.received.bytes_total: - valueType: INT64 - connection.sent.bytes: - valueType: INT64 - connection.sent.bytes_total: - valueType: INT64 - connection.duration: - valueType: DURATION - connection.mtls: - valueType: BOOL - context.protocol: - valueType: STRING - context.timestamp: - valueType: TIMESTAMP - context.time: - valueType: TIMESTAMP - 
# Deprecated, kept for compatibility - context.reporter.local: - valueType: BOOL - context.reporter.kind: - valueType: STRING - context.reporter.uid: - valueType: STRING - api.service: - valueType: STRING - api.version: - valueType: STRING - api.operation: - valueType: STRING - api.protocol: - valueType: STRING - request.auth.principal: - valueType: STRING - request.auth.audiences: - valueType: STRING - request.auth.presenter: - valueType: STRING - request.auth.claims: - valueType: STRING_MAP - request.auth.raw_claims: - valueType: STRING - request.api_key: - valueType: STRING - - --- - apiVersion: "config.istio.io/v1alpha2" - kind: attributemanifest - metadata: - name: kubernetes - namespace: istio-system - spec: - attributes: - source.ip: - valueType: IP_ADDRESS - source.labels: - valueType: STRING_MAP - source.metadata: - valueType: STRING_MAP - source.name: - valueType: STRING - source.namespace: - valueType: STRING - source.owner: - valueType: STRING - source.service: # DEPRECATED - valueType: STRING - source.serviceAccount: - valueType: STRING - source.services: - valueType: STRING - source.workload.uid: - valueType: STRING - source.workload.name: - valueType: STRING - source.workload.namespace: - valueType: STRING - destination.ip: - valueType: IP_ADDRESS - destination.labels: - valueType: STRING_MAP - destination.metadata: - valueType: STRING_MAP - destination.owner: - valueType: STRING - destination.name: - valueType: STRING - destination.container.name: - valueType: STRING - destination.namespace: - valueType: STRING - destination.service: # DEPRECATED - valueType: STRING - destination.service.uid: - valueType: STRING - destination.service.name: - valueType: STRING - destination.service.namespace: - valueType: STRING - destination.service.host: - valueType: STRING - destination.serviceAccount: - valueType: STRING - destination.workload.uid: - valueType: STRING - destination.workload.name: - valueType: STRING - destination.workload.namespace: - valueType: 
STRING - --- - apiVersion: "config.istio.io/v1alpha2" - kind: stdio - metadata: - name: handler - namespace: istio-system - spec: - outputAsJson: true - --- - apiVersion: "config.istio.io/v1alpha2" - kind: logentry - metadata: - name: accesslog - namespace: istio-system - spec: - severity: '"Info"' - timestamp: request.time - variables: - sourceIp: source.ip | ip("0.0.0.0") - sourceApp: source.labels["app"] | "" - sourcePrincipal: source.principal | "" - sourceName: source.name | "" - sourceWorkload: source.workload.name | "" - sourceNamespace: source.namespace | "" - sourceOwner: source.owner | "" - destinationApp: destination.labels["app"] | "" - destinationIp: destination.ip | ip("0.0.0.0") - destinationServiceHost: destination.service.host | "" - destinationWorkload: destination.workload.name | "" - destinationName: destination.name | "" - destinationNamespace: destination.namespace | "" - destinationOwner: destination.owner | "" - destinationPrincipal: destination.principal | "" - apiClaims: request.auth.raw_claims | "" - apiKey: request.api_key | request.headers["x-api-key"] | "" - protocol: request.scheme | context.protocol | "http" - method: request.method | "" - url: request.path | "" - responseCode: response.code | 0 - responseSize: response.size | 0 - requestSize: request.size | 0 - requestId: request.headers["x-request-id"] | "" - clientTraceId: request.headers["x-client-trace-id"] | "" - latency: response.duration | "0ms" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - userAgent: request.useragent | "" - responseTimestamp: response.time - receivedBytes: request.total_size | 0 - sentBytes: response.total_size | 0 - referer: request.referer | "" - httpAuthority: request.headers[":authority"] | request.host | "" - xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" - reporter: conditional((context.reporter.kind | "inbound") == 
"outbound", "source", "destination") - monitored_resource_type: '"global"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: logentry - metadata: - name: tcpaccesslog - namespace: istio-system - spec: - severity: '"Info"' - timestamp: context.time | timestamp("2017-01-01T00:00:00Z") - variables: - connectionEvent: connection.event | "" - sourceIp: source.ip | ip("0.0.0.0") - sourceApp: source.labels["app"] | "" - sourcePrincipal: source.principal | "" - sourceName: source.name | "" - sourceWorkload: source.workload.name | "" - sourceNamespace: source.namespace | "" - sourceOwner: source.owner | "" - destinationApp: destination.labels["app"] | "" - destinationIp: destination.ip | ip("0.0.0.0") - destinationServiceHost: destination.service.host | "" - destinationWorkload: destination.workload.name | "" - destinationName: destination.name | "" - destinationNamespace: destination.namespace | "" - destinationOwner: destination.owner | "" - destinationPrincipal: destination.principal | "" - protocol: context.protocol | "tcp" - connectionDuration: connection.duration | "0ms" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - receivedBytes: connection.received.bytes | 0 - sentBytes: connection.sent.bytes | 0 - totalReceivedBytes: connection.received.bytes_total | 0 - totalSentBytes: connection.sent.bytes_total | 0 - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - monitored_resource_type: '"global"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - name: stdiohttp - namespace: istio-system - spec: - match: context.protocol == "http" || context.protocol == "grpc" - actions: - - handler: handler.stdio - instances: - - accesslog.logentry - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - name: stdiotcp - namespace: istio-system - spec: - match: context.protocol 
== "tcp" - actions: - - handler: handler.stdio - instances: - - tcpaccesslog.logentry - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: requestcount - namespace: istio-system - spec: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: requestduration - namespace: istio-system - spec: - value: response.duration | "0ms" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - 
destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: requestsize - namespace: istio-system - spec: - value: request.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - 
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: responsesize - namespace: istio-system - spec: - value: response.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: tcpbytesent - namespace: istio-system - spec: - value: connection.sent.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: 
source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.name | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: metric - metadata: - name: tcpbytereceived - namespace: istio-system - spec: - value: connection.received.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.name | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | 
"inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' - --- - apiVersion: "config.istio.io/v1alpha2" - kind: prometheus - metadata: - name: handler - namespace: istio-system - spec: - metrics: - - name: requests_total - instance_name: requestcount.metric.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - - name: request_duration_seconds - instance_name: requestduration.metric.istio-system - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - buckets: - explicit_buckets: - bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - - name: request_bytes - instance_name: requestsize.metric.istio-system - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - 
growthFactor: 10 - - name: response_bytes - instance_name: responsesize.metric.istio-system - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: tcp_sent_bytes_total - instance_name: tcpbytesent.metric.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - name: tcp_received_bytes_total - instance_name: tcpbytereceived.metric.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - name: promhttp - namespace: istio-system - spec: - match: context.protocol == "http" || context.protocol == "grpc" - actions: - - handler: handler.prometheus - instances: - - requestcount.metric - - requestduration.metric - - requestsize.metric - - responsesize.metric - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - 
name: promtcp - namespace: istio-system - spec: - match: context.protocol == "tcp" - actions: - - handler: handler.prometheus - instances: - - tcpbytesent.metric - - tcpbytereceived.metric - --- - - apiVersion: "config.istio.io/v1alpha2" - kind: kubernetesenv - metadata: - name: handler - namespace: istio-system - spec: - # when running from mixer root, use the following config after adding a - # symbolic link to a kubernetes config file via: - # - # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig - # - # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" - - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - name: kubeattrgenrulerule - namespace: istio-system - spec: - actions: - - handler: handler.kubernetesenv - instances: - - attributes.kubernetes - --- - apiVersion: "config.istio.io/v1alpha2" - kind: rule - metadata: - name: tcpkubeattrgenrulerule - namespace: istio-system - spec: - match: context.protocol == "tcp" - actions: - - handler: handler.kubernetesenv - instances: - - attributes.kubernetes - --- - apiVersion: "config.istio.io/v1alpha2" - kind: kubernetes - metadata: - name: attributes - namespace: istio-system - spec: - # Pass the required attribute data to the adapter - source_uid: source.uid | "" - source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr - destination_uid: destination.uid | "" - destination_port: destination.port | 0 - attribute_bindings: - # Fill the new attributes from the adapter produced output. 
- # $out refers to an instance of OutputTemplate message - source.ip: $out.source_pod_ip | ip("0.0.0.0") - source.uid: $out.source_pod_uid | "unknown" - source.labels: $out.source_labels | emptyStringMap() - source.name: $out.source_pod_name | "unknown" - source.namespace: $out.source_namespace | "default" - source.owner: $out.source_owner | "unknown" - source.serviceAccount: $out.source_service_account_name | "unknown" - source.workload.uid: $out.source_workload_uid | "unknown" - source.workload.name: $out.source_workload_name | "unknown" - source.workload.namespace: $out.source_workload_namespace | "unknown" - destination.ip: $out.destination_pod_ip | ip("0.0.0.0") - destination.uid: $out.destination_pod_uid | "unknown" - destination.labels: $out.destination_labels | emptyStringMap() - destination.name: $out.destination_pod_name | "unknown" - destination.container.name: $out.destination_container_name | "unknown" - destination.namespace: $out.destination_namespace | "default" - destination.owner: $out.destination_owner | "unknown" - destination.serviceAccount: $out.destination_service_account_name | "unknown" - destination.workload.uid: $out.destination_workload_uid | "unknown" - destination.workload.name: $out.destination_workload_name | "unknown" - destination.workload.namespace: $out.destination_workload_namespace | "unknown" - - --- - # Configuration needed by Mixer. 
- # Mixer cluster is delivered via CDS - # Specify mixer cluster settings - apiVersion: networking.istio.io/v1alpha3 - kind: DestinationRule - metadata: - name: istio-policy - namespace: istio-system - spec: - host: istio-policy.istio-system.svc.cluster.local - trafficPolicy: - connectionPool: - http: - http2MaxRequests: 10000 - maxRequestsPerConnection: 10000 - --- - apiVersion: networking.istio.io/v1alpha3 - kind: DestinationRule - metadata: - name: istio-telemetry - namespace: istio-system - spec: - host: istio-telemetry.istio-system.svc.cluster.local - trafficPolicy: - connectionPool: - http: - http2MaxRequests: 10000 - maxRequestsPerConnection: 10000 - --- - - run.sh: |- - #!/bin/sh - - set -x - - if [ "$#" -ne "1" ]; then - echo "first argument should be path to custom resource yaml" - exit 1 - fi - - pathToResourceYAML=${1} - - /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null - if [ "$?" -eq 0 ]; then - echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" - while true; do - /kubectl -n istio-system get deployment istio-galley 2>/dev/null - if [ "$?" -eq 0 ]; then - break - fi - sleep 1 - done - /kubectl -n istio-system rollout status deployment istio-galley - if [ "$?" -ne 0 ]; then - echo "istio-galley deployment rollout status check failed" - exit 1 - fi - echo "istio-galley deployment ready for configuration validation" - fi - sleep 5 - /kubectl apply -f ${pathToResourceYAML} - --- # Source: istio/charts/security/templates/configmap.yaml 
@@ -933,18 +164,18 @@ metadata: istio: security data: custom-resources.yaml: |- - run.sh: |- + run.sh: |- #!/bin/sh - + set -x - + if [ "$#" -ne "1" ]; then echo "first argument should be path to custom resource yaml" exit 1 fi - + pathToResourceYAML=${1} - + /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null if [ "$?" -eq 0 ]; then echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" @@ -964,10 +195,11 @@ data: fi sleep 5 /kubectl apply -f ${pathToResourceYAML} - + --- # Source: istio/templates/configmap.yaml + apiVersion: v1 kind: ConfigMap metadata: @@ -994,13 +226,10 @@ data: mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091 mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091 - # This is the ingress service name, update if you used a different name - ingressService: istio-ingress - # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get - # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. sdsUdsPath: "" - + # How frequently should Envoy fetch key/cert from NodeAgent. sdsRefreshDelay: 15s @@ -1056,6 +285,7 @@ data: --- # Source: istio/templates/sidecar-injector-configmap.yaml + apiVersion: v1 kind: ConfigMap metadata: @@ -1073,7 +303,7 @@ data: template: |- initContainers: - name: istio-init - image: "gcr.io/istio-release/proxy_init:release-1.0-20180723-09-15" + image: "docker.io/istio/proxy_init:1.0.0" args: - "-p" - [[ .MeshConfig.ProxyListenPort ]] 
@@ -1111,22 +341,13 @@ data: - NET_ADMIN privileged: true restartPolicy: Always - + containers: - name: istio-proxy - # PATCH #2: Add a prestop sleep. - # TODO(#1370) Remove this. - lifecycle: - preStop: - exec: - command: - - /bin/sleep - - "20" - # PATCH #2 ends. image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]] "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]" [[ else -]] - gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15 + docker.io/istio/proxyv2:1.0.0 [[ end -]] args: - proxy @@ -1199,7 +420,7 @@ data: [[ else -]] requests: cpu: 10m - + [[ end -]] volumeMounts: - mountPath: /etc/istio/proxy @@ -1220,7 +441,6 @@ data: secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]] [[ end -]] - --- # Source: istio/charts/galley/templates/serviceaccount.yaml apiVersion: v1 
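Review bot: The local `PATCH #2` preStop sleep on the injected `istio-proxy` container is dropped in the first hunk on this line while its marker still read `TODO(#1370) Remove this`, and nothing visible here shows that issue as resolved. If the sleep is still needed, it has to be re-applied on top of the regenerated file; if it was retired on purpose, the README should say so. The injected images also move to the mutable tags `docker.io/istio/proxy_init:1.0.0` (previous hunk) and `docker.io/istio/proxyv2:1.0.0`, and the template's init section requests `NET_ADMIN` and `privileged: true`. Pinning them by digest, e.g. `docker.io/istio/proxyv2@sha256:<digest>` (placeholder), would keep a re-pushed tag from changing what runs in every injected pod. As the file is generated, either change belongs in a documented local patch.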
@@ -1260,105 +480,6 @@ metadata: release: RELEASE-NAME --- ---- -# Source: istio/charts/mixer/templates/create-custom-resources-job.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-mixer-post-install-account - namespace: istio-system - labels: - app: mixer - chart: mixer-1.0.0 - heritage: Tiller - release: RELEASE-NAME ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: istio-mixer-post-install-istio-system - labels: - app: mixer - chart: mixer-1.0.0 - heritage: Tiller - release: RELEASE-NAME -rules: -- apiGroups: ["config.istio.io"] # istio CRD watcher - resources: ["*"] - verbs: ["create", "get", "list", "watch", "patch"] -- apiGroups: ["rbac.istio.io"] # istio RBAC watcher - resources: ["*"] - verbs: ["create", "get", "list", "watch", "patch"] -- apiGroups: ["networking.istio.io"] # needed to create mixer destination rules - resources: ["*"] - verbs: ["*"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get"] -- apiGroups: ["extensions"] - resources: ["deployments", "replicasets"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: istio-mixer-post-install-role-binding-istio-system - labels: - app: mixer - chart: mixer-1.0.0 - heritage: Tiller - release: RELEASE-NAME -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-mixer-post-install-istio-system -subjects: - - kind: ServiceAccount - name: istio-mixer-post-install-account - namespace: istio-system ---- - -apiVersion: batch/v1 -kind: Job -metadata: - name: istio-mixer-post-install-1.0 - namespace: istio-system - annotations: - 
"helm.sh/hook": post-install - "helm.sh/hook-delete-policy": hook-succeeded - labels: - app: mixer - chart: mixer-1.0.0 - release: RELEASE-NAME - heritage: Tiller -spec: - template: - metadata: - name: istio-mixer-post-install-1.0 - labels: - app: mixer - release: RELEASE-NAME - spec: - serviceAccountName: istio-mixer-post-install-account - containers: - - name: hyperkube - image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" - command: [ "/bin/bash", "/tmp/mixer/run.sh", "/tmp/mixer/custom-resources.yaml" ] - volumeMounts: - - mountPath: "/tmp/mixer" - name: tmp-configmap-mixer - volumes: - - name: tmp-configmap-mixer - configMap: - name: istio-mixer-custom-resources - restartPolicy: OnFailure - --- # Source: istio/charts/mixer/templates/serviceaccount.yaml apiVersion: v1 
@@ -1502,25 +623,213 @@ metadata: release: RELEASE-NAME --- -# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-sidecar-injector-service-account + namespace: istio-system + labels: + app: istio-sidecar-injector + chart: sidecarInjectorWebhook-1.0.0 + heritage: Tiller + release: RELEASE-NAME + +--- +# Source: istio/templates/crds.yaml +# +# these CRDs only make sense when pilot is enabled +# +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: 
CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + annotations: + "helm.sh/hook": crd-install + "helm.sh/hook-weight": "-5" + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +# + +# these CRDs only make sense when security is enabled +# + +# +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: httpapispecbindings.config.istio.io +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: httpapispecs.config.istio.io +spec: + group: config.istio.io + names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: quotaspecbindings.config.istio.io +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: 
CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: istio-sidecar-injector-service-account - namespace: istio-system - labels: - app: istio-sidecar-injector - chart: sidecarInjectorWebhook-1.0.0 - heritage: Tiller - release: RELEASE-NAME - + annotations: + "helm.sh/hook": crd-install + name: quotaspecs.config.istio.io +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 --- -# Source: istio/charts/mixer/templates/crds.yaml + # Mixer CRDs kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: rules.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: istio.io.mixer @@ -1542,6 +851,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: attributemanifests.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: istio.io.mixer @@ -1563,6 +874,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: bypasses.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: bypass @@ -1584,6 +897,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: circonuses.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: circonus @@ -1605,6 +920,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: deniers.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: denier @@ -1626,6 +943,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: fluentds.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: fluentd 
@@ -1647,6 +966,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: kubernetesenvs.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: kubernetesenv @@ -1668,6 +989,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: listcheckers.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: listchecker @@ -1689,6 +1012,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: memquotas.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: memquota @@ -1710,6 +1035,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: noops.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: noop @@ -1731,6 +1058,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: opas.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: opa @@ -1752,6 +1081,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: prometheuses.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: prometheus @@ -1773,6 +1104,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: rbacs.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: rbac @@ -1794,6 +1127,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: redisquotas.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: package: redisquota istio: mixer-adapter @@ -1811,6 +1146,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: servicecontrols.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: servicecontrol 
@@ -1833,6 +1170,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: signalfxs.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: signalfx @@ -1854,6 +1193,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: solarwindses.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: solarwinds @@ -1875,6 +1216,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: stackdrivers.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: stackdriver @@ -1896,6 +1239,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: statsds.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: statsd @@ -1917,6 +1262,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: stdios.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: stdio @@ -1938,6 +1285,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: apikeys.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: apikey @@ -1959,6 +1308,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: authorizations.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: authorization @@ -1980,6 +1331,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: checknothings.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: checknothing @@ -2001,6 +1354,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: kuberneteses.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: adapter.template.kubernetes 
@@ -2022,6 +1377,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: listentries.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: listentry @@ -2043,6 +1400,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: logentries.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: logentry @@ -2064,6 +1423,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: edges.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: edge @@ -2085,6 +1446,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: metrics.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: metric @@ -2106,6 +1469,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: quotas.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: quota @@ -2127,6 +1492,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: reportnothings.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: reportnothing @@ -2148,6 +1515,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: servicecontrolreports.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: servicecontrolreport @@ -2169,6 +1538,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: tracespans.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: tracespan @@ -2190,6 +1561,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: rbacconfigs.rbac.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: istio.io.mixer 
@@ -2211,6 +1584,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: serviceroles.rbac.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: istio.io.mixer @@ -2232,6 +1607,8 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: servicerolebindings.rbac.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: istio.io.mixer 
@@ -2252,276 +1629,92 @@ kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: adapters.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: app: mixer package: adapter istio: mixer-adapter spec: group: config.istio.io - names: - kind: adapter - plural: adapters - singular: adapter - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: instances.config.istio.io - labels: - app: mixer - package: instance - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: instance - plural: instances - singular: instance - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: templates.config.istio.io - labels: - app: mixer - package: template - istio: mixer-template -spec: - group: config.istio.io - names: - kind: template - plural: templates - singular: template - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: handlers.config.istio.io - labels: - app: mixer - package: handler - istio: mixer-handler -spec: - group: config.istio.io - names: - kind: handler - plural: handlers - singular: handler - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - ---- -# Source: istio/charts/pilot/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: virtualservices.networking.istio.io - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - singular: virtualservice - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: 
v1alpha3 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: destinationrules.networking.istio.io - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - singular: destinationrule - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: serviceentries.networking.istio.io - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - singular: serviceentry - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: gateways.networking.istio.io - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: Gateway - plural: gateways - singular: gateway - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: policies.authentication.istio.io -spec: - group: authentication.istio.io - names: - kind: Policy - plural: policies - singular: policy - categories: - - istio-io - - authentication-istio-io - scope: Namespaced - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: meshpolicies.authentication.istio.io -spec: - group: authentication.istio.io - names: - kind: MeshPolicy - listKind: MeshPolicyList - plural: meshpolicies - singular: meshpolicy - categories: - - istio-io - - authentication-istio-io - scope: Cluster - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: httpapispecbindings.config.istio.io 
-spec: - group: config.istio.io - names: - kind: HTTPAPISpecBinding - plural: httpapispecbindings - singular: httpapispecbinding - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: httpapispecs.config.istio.io -spec: - group: config.istio.io - names: - kind: HTTPAPISpec - plural: httpapispecs - singular: httpapispec + names: + kind: adapter + plural: adapters + singular: adapter categories: - istio-io - - apim-istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: quotaspecbindings.config.istio.io + name: instances.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: instance + istio: mixer-instance spec: group: config.istio.io names: - kind: QuotaSpecBinding - plural: quotaspecbindings - singular: quotaspecbinding + kind: instance + plural: instances + singular: instance categories: - istio-io - - apim-istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: quotaspecs.config.istio.io + name: templates.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: template + istio: mixer-template spec: group: config.istio.io names: - kind: QuotaSpec - plural: quotaspecs - singular: quotaspec + kind: template + plural: templates + singular: template categories: - istio-io - - apim-istio-io + - policy-istio-io scope: Namespaced version: v1alpha2 - --- -apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 metadata: - name: envoyfilters.networking.istio.io + name: handlers.config.istio.io + annotations: + "helm.sh/hook": crd-install labels: - app: istio-pilot + app: mixer + package: handler + istio: 
mixer-handler spec: - group: networking.istio.io + group: config.istio.io names: - kind: EnvoyFilter - plural: envoyfilters - singular: envoyfilter + kind: handler + plural: handlers + singular: handler categories: - istio-io - - networking-istio-io + - policy-istio-io scope: Namespaced - version: v1alpha3 - + version: v1alpha2 +--- +# +# --- # Source: istio/charts/galley/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 @@ -2904,6 +2097,14 @@ spec: name: tcp-citadel-grpc-tls port: 8060 targetPort: 8060 + - + name: http2-prometheus + port: 15030 + targetPort: 15030 + - + name: http2-grafana + port: 15031 + targetPort: 15031 --- --- @@ -3003,7 +2204,7 @@ spec: name: istio-statsd-prom-bridge containers: - name: statsd-prom-bridge - image: "docker.io/prom/statsd-exporter:latest" + image: "docker.io/prom/statsd-exporter:v0.6.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9102 @@ -3014,7 +2215,7 @@ spec: resources: requests: cpu: 10m - + volumeMounts: - name: config-volume mountPath: /etc/statsd @@ -3096,15 +2297,22 @@ metadata: istio: galley spec: replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 template: metadata: labels: istio: galley + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-galley-service-account containers: - name: validator - image: "gcr.io/istio-release/galley:release-1.0-20180723-09-15" + image: "docker.io/istio/galley:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 443 @@ -3112,6 +2320,7 @@ spec: command: - /usr/local/bin/galley - validator + - --deployment-namespace=istio-system - --caCertFile=/etc/istio/certs/root-cert.pem - --tlsCertFile=/etc/istio/certs/cert-chain.pem - --tlsKeyFile=/etc/istio/certs/key.pem @@ -3147,7 +2356,7 @@ spec: resources: requests: cpu: 10m - + volumes: - name: certs secret: 
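Review bot: The new Service ports `http2-prometheus` (15030) and `http2-grafana` (15031) in hunk `-2904,6 +2097,14`, with the matching `containerPort` entries added to the ingressgateway Deployment later in the diff, widen what appears to be the ingress gateway Service. The telemetry-gateway template that would route them seems to render empty in this manifest. The Service's `type` is outside the hunk; if it is the `LoadBalancer` the docs mention, both ports are published on the external address and become reachable as soon as any Gateway binds them. Unless Prometheus or Grafana are meant to be served through the mesh ingress, I would strip the two entries in a documented local patch.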
@@ -3155,7 +2364,7 @@ spec: - name: config configMap: name: istio-galley-configuration - affinity: + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: @@ -3213,11 +2422,12 @@ spec: istio: egressgateway annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-egressgateway-service-account containers: - name: egressgateway - image: "gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15" + image: "docker.io/istio/proxyv2:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 80 @@ -3246,11 +2456,11 @@ spec: - --controlPlaneAuthPolicy - NONE - --discoveryAddress - - istio-pilot:8080 + - istio-pilot.istio-system:8080 resources: requests: cpu: 10m - + env: - name: POD_NAME valueFrom: @@ -3294,7 +2504,7 @@ spec: secret: secretName: "istio-egressgateway-ca-certs" optional: true - affinity: + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: @@ -3349,11 +2559,12 @@ spec: istio: ingressgateway annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-ingressgateway-service-account containers: - name: ingressgateway - image: "gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15" + image: "docker.io/istio/proxyv2:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 80 @@ -3361,6 +2572,8 @@ spec: - containerPort: 31400 - containerPort: 15011 - containerPort: 8060 + - containerPort: 15030 + - containerPort: 15031 args: - proxy - router @@ -3385,11 +2598,11 @@ spec: - --controlPlaneAuthPolicy - NONE - --discoveryAddress - - istio-pilot:8080 + - istio-pilot.istio-system:8080 resources: requests: cpu: 10m - + env: - name: POD_NAME valueFrom: @@ -3433,7 +2646,7 @@ spec: secret: secretName: "istio-ingressgateway-ca-certs" optional: true - affinity: + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: 
@@ -3490,6 +2703,7 @@ spec: istio-mixer-type: policy annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-mixer-service-account volumes: @@ -3499,7 +2713,7 @@ spec: optional: true - name: uds-socket emptyDir: {} - affinity: + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: @@ -3534,7 +2748,7 @@ spec: - s390x containers: - name: mixer - image: "gcr.io/istio-release/mixer:release-1.0-20180723-09-15" + image: "docker.io/istio/mixer:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9093 @@ -3548,7 +2762,7 @@ spec: resources: requests: cpu: 10m - + volumeMounts: - name: uds-socket mountPath: /sock @@ -3559,7 +2773,7 @@ spec: initialDelaySeconds: 5 periodSeconds: 5 - name: istio-proxy - image: "gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15" + image: "docker.io/istio/proxyv2:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9091 @@ -3591,19 +2805,13 @@ spec: resources: requests: cpu: 10m - + volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true - name: uds-socket mountPath: /sock - livenessProbe: - httpGet: - path: /version - port: 15093 - initialDelaySeconds: 5 - periodSeconds: 5 --- apiVersion: extensions/v1beta1 @@ -3625,6 +2833,7 @@ spec: istio-mixer-type: telemetry annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-mixer-service-account volumes: @@ -3636,7 +2845,7 @@ spec: emptyDir: {} containers: - name: mixer - image: "gcr.io/istio-release/mixer:release-1.0-20180723-09-15" + image: "docker.io/istio/mixer:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9093 @@ -3650,7 +2859,7 @@ spec: resources: requests: cpu: 10m - + volumeMounts: - name: uds-socket mountPath: /sock 
@@ -3661,7 +2870,7 @@ spec: initialDelaySeconds: 5 periodSeconds: 5 - name: istio-proxy - image: "gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15" + image: "docker.io/istio/proxyv2:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9091 @@ -3693,21 +2902,15 @@ spec: resources: requests: cpu: 10m - + volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true - name: uds-socket mountPath: /sock - livenessProbe: - httpGet: - path: /version - port: 15093 - initialDelaySeconds: 5 - periodSeconds: 5 ---- +--- --- # Source: istio/charts/pilot/templates/deployment.yaml @@ -3734,11 +2937,12 @@ spec: app: pilot annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-pilot-service-account containers: - name: discovery - image: "gcr.io/istio-release/pilot:release-1.0-20180723-09-15" + image: "docker.io/istio/pilot:1.0.0" imagePullPolicy: IfNotPresent args: - "discovery" @@ -3771,8 +2975,9 @@ spec: value: "100" resources: requests: - cpu: 10m - + cpu: 500m + memory: 2048Mi + volumeMounts: - name: config-volume mountPath: /etc/istio/config @@ -3780,7 +2985,7 @@ spec: mountPath: /etc/certs readOnly: true - name: istio-proxy - image: "gcr.io/istio-release/proxyv2:release-1.0-20180723-09-15" + image: "docker.io/istio/proxyv2:1.0.0" imagePullPolicy: IfNotPresent ports: - containerPort: 15003 @@ -3814,7 +3019,7 @@ spec: resources: requests: cpu: 10m - + volumeMounts: - name: istio-certs mountPath: /etc/certs @@ -3826,7 +3031,7 @@ spec: - name: istio-certs secret: secretName: istio.istio-pilot-service-account - affinity: + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: 
@@ -3882,11 +3087,12 @@ spec: istio: citadel annotations: sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-citadel-service-account containers: - name: citadel - image: "gcr.io/istio-release/citadel:release-1.0-20180723-09-15" + image: "docker.io/istio/citadel:1.0.0" imagePullPolicy: IfNotPresent args: - --append-dns-names=true @@ -3897,8 +3103,8 @@ spec: resources: requests: cpu: 10m - - affinity: + + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: @@ -3951,11 +3157,14 @@ spec: metadata: labels: istio: sidecar-injector + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-sidecar-injector-service-account containers: - name: sidecar-injector-webhook - image: "gcr.io/istio-release/sidecar_injector:release-1.0-20180723-09-15" + image: "docker.io/istio/sidecar_injector:1.0.0" imagePullPolicy: IfNotPresent args: - --caCertFile=/etc/istio/certs/root-cert.pem @@ -3996,7 +3205,7 @@ spec: resources: requests: cpu: 10m - + volumes: - name: config-volume configMap: @@ -4010,7 +3219,7 @@ spec: items: - key: config path: config - affinity: + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: @@ -4044,6 +3253,26 @@ spec: values: - s390x +--- +# Source: istio/charts/pilot/templates/gateway.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-autogenerated-k8s-ingress + namespace: istio-system +spec: + selector: + istio: ingress + servers: + - port: + number: 80 + protocol: HTTP2 + name: http + hosts: + - "*" + +--- + --- # Source: istio/charts/gateways/templates/autoscale.yaml @@ -4063,7 +3292,7 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: 55 + targetAverageUtilization: 60 --- apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler 
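Review bot: The added `istio-autogenerated-k8s-ingress` Gateway (hunk `-4044,6 +3253,26`) accepts plaintext traffic on port 80 for `hosts: "*"`, and its selector `istio: ingress` does not match the `istio: ingressgateway` label used by the gateway Deployment in this file. The same commit drops `ingressService: istio-ingress` from the mesh config, so this looks like dead configuration today. It would still apply a wildcard HTTP server to any gateway workload later labelled `istio: ingress`. Consider removing it in a local patch, or narrowing `hosts` and noting in the README why it is kept.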
@@ -4077,6 +3306,67 @@ spec: apiVersion: apps/v1beta1 kind: Deployment name: istio-ingressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 60 +--- + +--- +# Source: istio/charts/mixer/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-policy + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-policy + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-telemetry + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-telemetry + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/pilot/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-pilot +spec: + maxReplicas: 1 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-pilot metrics: - type: Resource resource: 
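Review bot: The new `istio-pilot` HorizontalPodAutoscaler has no `namespace:` under `metadata`, unlike the `istio-policy` and `istio-telemetry` autoscalers added in the same hunk. A plain `kubectl apply -f` therefore creates it in the caller's current namespace, where its `scaleTargetRef` to the `istio-pilot` Deployment cannot resolve. Add `namespace: istio-system` below `name: istio-pilot`. With `minReplicas` and `maxReplicas` both set to 1 the object has no scaling effect either way, so dropping it in a local patch is also reasonable.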
@@ -4123,30 +3413,753 @@ webhooks: --- -# Source: istio/charts/mixer/templates/config.yaml +# Source: istio/charts/pilot/templates/meshexpansion.yaml --- -# Source: istio/charts/pilot/templates/gateway.yaml +# Source: istio/charts/security/templates/create-custom-resources-job.yaml --- -# Source: istio/charts/pilot/templates/meshexpansion.yaml +# Source: istio/charts/security/templates/enable-mesh-mtls.yaml --- -# Source: istio/charts/security/templates/create-custom-resources-job.yaml +# Source: istio/charts/security/templates/meshexpansion.yaml --- -# Source: istio/charts/security/templates/enable-mesh-mtls.yaml + +--- +# Source: istio/charts/telemetry-gateway/templates/gateway.yaml --- -# Source: istio/charts/security/templates/meshexpansion.yaml +# Source: istio/templates/install-custom-resources.sh.tpl --- +# Source: istio/charts/mixer/templates/config.yaml +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: istioproxy + namespace: istio-system +spec: + attributes: + origin.ip: + valueType: IP_ADDRESS + origin.uid: + valueType: STRING + origin.user: + valueType: STRING + request.headers: + valueType: STRING_MAP + request.id: + valueType: STRING + request.host: + valueType: STRING + request.method: + valueType: STRING + request.path: + valueType: STRING + request.reason: + valueType: STRING + request.referer: + valueType: STRING + request.scheme: + valueType: STRING + request.total_size: + valueType: INT64 + request.size: + valueType: INT64 + request.time: + valueType: TIMESTAMP + request.useragent: + valueType: STRING + response.code: + valueType: INT64 + response.duration: + valueType: DURATION + response.headers: + valueType: STRING_MAP + response.total_size: + valueType: INT64 + response.size: + valueType: INT64 + response.time: + valueType: TIMESTAMP + source.uid: + valueType: STRING + source.user: # DEPRECATED + valueType: STRING + source.principal: + valueType: STRING + destination.uid: + valueType: STRING + 
destination.principal: + valueType: STRING + destination.port: + valueType: INT64 + connection.event: + valueType: STRING + connection.id: + valueType: STRING + connection.received.bytes: + valueType: INT64 + connection.received.bytes_total: + valueType: INT64 + connection.sent.bytes: + valueType: INT64 + connection.sent.bytes_total: + valueType: INT64 + connection.duration: + valueType: DURATION + connection.mtls: + valueType: BOOL + context.protocol: + valueType: STRING + context.timestamp: + valueType: TIMESTAMP + context.time: + valueType: TIMESTAMP + # Deprecated, kept for compatibility + context.reporter.local: + valueType: BOOL + context.reporter.kind: + valueType: STRING + context.reporter.uid: + valueType: STRING + api.service: + valueType: STRING + api.version: + valueType: STRING + api.operation: + valueType: STRING + api.protocol: + valueType: STRING + request.auth.principal: + valueType: STRING + request.auth.audiences: + valueType: STRING + request.auth.presenter: + valueType: STRING + request.auth.claims: + valueType: STRING_MAP + request.auth.raw_claims: + valueType: STRING + request.api_key: + valueType: STRING --- -# Source: istio/templates/install-custom-resources.sh.tpl +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: kubernetes + namespace: istio-system +spec: + attributes: + source.ip: + valueType: IP_ADDRESS + source.labels: + valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP + source.name: + valueType: STRING + source.namespace: + valueType: STRING + source.owner: + valueType: STRING + source.service: # DEPRECATED + valueType: STRING + source.serviceAccount: + valueType: STRING + source.services: + valueType: STRING + source.workload.uid: + valueType: STRING + source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: STRING + destination.ip: + valueType: IP_ADDRESS + destination.labels: + valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + 
destination.owner: + valueType: STRING + destination.name: + valueType: STRING + destination.container.name: + valueType: STRING + destination.namespace: + valueType: STRING + destination.service: # DEPRECATED + valueType: STRING + destination.service.uid: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.host: + valueType: STRING + destination.serviceAccount: + valueType: STRING + destination.workload.uid: + valueType: STRING + destination.workload.name: + valueType: STRING + destination.workload.namespace: + valueType: STRING +--- +apiVersion: "config.istio.io/v1alpha2" +kind: stdio +metadata: + name: handler + namespace: istio-system +spec: + outputAsJson: true +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: accesslog + namespace: istio-system +spec: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseSize: response.size | 0 + requestSize: request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: 
request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: tcpaccesslog + namespace: istio-system +spec: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: 
connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdio + namespace: istio-system +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: handler.stdio + instances: + - accesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdiotcp + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.stdio + instances: + - tcpaccesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestcount + namespace: istio-system +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, 
"mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestduration + namespace: istio-system +spec: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestsize + namespace: istio-system +spec: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: 
destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: responsesize + namespace: istio-system +spec: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: 
conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytesent + namespace: istio-system +spec: + value: connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytereceived + namespace: istio-system +spec: + value: connection.received.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + 
destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: prometheus +metadata: + name: handler + namespace: istio-system +spec: + metrics: + - name: requests_total + instance_name: requestcount.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + 
- name: request_bytes + instance_name: requestsize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - 
destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promhttp + namespace: istio-system +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: handler.prometheus + instances: + - requestcount.metric + - requestduration.metric + - requestsize.metric + - responsesize.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcp + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.prometheus + instances: + - tcpbytesent.metric + - tcpbytereceived.metric +--- + +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetesenv +metadata: + name: handler + namespace: istio-system +spec: + # when running from mixer root, use the following config after adding a + # symbolic link to a kubernetes config file via: + # + # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig + # + # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: kubeattrgenrulerule + namespace: istio-system +spec: + actions: + - handler: handler.kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: tcpkubeattrgenrulerule + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetes +metadata: + name: attributes + namespace: istio-system +spec: + # Pass the required attribute data to the adapter + source_uid: source.uid | "" + source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr + destination_uid: destination.uid | "" + destination_port: destination.port | 0 + 
attribute_bindings: + # Fill the new attributes from the adapter produced output. + # $out refers to an instance of OutputTemplate message + source.ip: $out.source_pod_ip | ip("0.0.0.0") + source.uid: $out.source_pod_uid | "unknown" + source.labels: $out.source_labels | emptyStringMap() + source.name: $out.source_pod_name | "unknown" + source.namespace: $out.source_namespace | "default" + source.owner: $out.source_owner | "unknown" + source.serviceAccount: $out.source_service_account_name | "unknown" + source.workload.uid: $out.source_workload_uid | "unknown" + source.workload.name: $out.source_workload_name | "unknown" + source.workload.namespace: $out.source_workload_namespace | "unknown" + destination.ip: $out.destination_pod_ip | ip("0.0.0.0") + destination.uid: $out.destination_pod_uid | "unknown" + destination.labels: $out.destination_labels | emptyStringMap() + destination.name: $out.destination_pod_name | "unknown" + destination.container.name: $out.destination_container_name | "unknown" + destination.namespace: $out.destination_namespace | "default" + destination.owner: $out.destination_owner | "unknown" + destination.serviceAccount: $out.destination_service_account_name | "unknown" + destination.workload.uid: $out.destination_workload_uid | "unknown" + destination.workload.name: $out.destination_workload_name | "unknown" + destination.workload.namespace: $out.destination_workload_namespace | "unknown" + +--- +# Configuration needed by Mixer. 
+# Mixer cluster is delivered via CDS +# Specify mixer cluster settings +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-policy + namespace: istio-system +spec: + host: istio-policy.istio-system.svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-telemetry + namespace: istio-system +spec: + host: istio-telemetry.istio-system.svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- + diff --git a/third_party/istio-1.0-prerelease/namespace.yaml.patch b/third_party/istio-1.0.0/namespace.yaml.patch similarity index 100% rename from third_party/istio-1.0-prerelease/namespace.yaml.patch rename to third_party/istio-1.0.0/namespace.yaml.patch