allanger/shoebill-test
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

chore(release): Add a new release: metrics-server

Browse Source 
A new release is added to the cluster:
		  Name: metrics-server 
		  Namespace: kube-system
		  Version: 3.11.0
		  Chart: metrics-server/metrics-server
This commit is contained in:
Nikolai Rodionov
2024-09-09 09:41:17 +02:00
parent 7936b2f5d2
commit 012aaadacc
174 changed files with 29571 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
charts/istiod-istiod/templates/NOTES.txt Normal file
View File

@ -0,0 +1,79 @@
"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
To learn more about the release, try:
$ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
$ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
Next steps:
{{- $profile := default "" .Values.profile }}
{{- if (eq $profile "ambient") }}
* Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
* Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
{{- else }}
* Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
* Try out our tasks to get started on common configurations:
* https://istio.io/latest/docs/tasks/traffic-management
* https://istio.io/latest/docs/tasks/security/
* https://istio.io/latest/docs/tasks/policy-enforcement/
{{- end }}
* Review the list of actively supported releases, CVE publications and our hardening guide:
* https://istio.io/latest/docs/releases/supported-releases/
* https://istio.io/latest/news/security/
* https://istio.io/latest/docs/ops/best-practices/security/
For further documentation see https://istio.io website
{{-
$deps := dict
"global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
"global.certificates" "meshConfig.certificates"
"global.localityLbSetting" "meshConfig.localityLbSetting"
"global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
"global.enableTracing" "meshConfig.enableTracing"
"global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
"global.proxy.accessLogFile" "meshConfig.accessLogFile"
"global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
"global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
"global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
"global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
"global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
"global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
"pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
"global.mtls.enabled" "the PeerAuthentication resource"
"global.mtls.auto" "meshConfig.enableAutoMtls"
"global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
"global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
"global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
"global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
"global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
"global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
"global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
"global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
"global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
"istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
"meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
"meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
"meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
"meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
}}
{{- range $dep, $replace := $deps }}
{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}}
{{- if not (eq $res "")}}
WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
{{- end }}
{{- end }}
{{-
$failDeps := dict
"telemetry.v2.prometheus.configOverride"
"telemetry.v2.stackdriver.configOverride"
"telemetry.v2.stackdriver.disableOutbound"
"telemetry.v2.stackdriver.outboundAccessLogging"
}}
{{- range $dep, $replace := $failDeps }}
{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}}
{{- if not (eq $res "")}}
{{fail (print $dep " is removed")}}
{{- end }}
{{- end }}

23
charts/istiod-istiod/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,23 @@
{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
{{ define "default-prometheus" }}
{{- and
(not .Values.meshConfig.defaultProviders)
.Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
}}
{{- end }}
{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
{{ define "default-sd-metrics" }}
{{- and
(not .Values.meshConfig.defaultProviders)
.Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
}}
{{- end }}
{{/* SD has metrics and logging split. */}}
{{ define "default-sd-logs" }}
{{- and
(not .Values.meshConfig.defaultProviders)
.Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
}}
{{- end }}

39
charts/istiod-istiod/templates/autoscale.yaml Normal file
View File

@ -0,0 +1,39 @@
{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
spec:
maxReplicas: {{ .Values.pilot.autoscaleMax }}
minReplicas: {{ .Values.pilot.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
{{- if .Values.pilot.memory.targetAverageUtilization }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.pilot.memory.targetAverageUtilization }}
{{- end }}
{{- if .Values.pilot.autoscaleBehavior }}
behavior: {{ toYaml .Values.pilot.autoscaleBehavior | nindent 4 }}
{{- end }}
---
{{- end }}

161
charts/istiod-istiod/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,161 @@
{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported
resources: ["*"]
# Needed because status reporter sets the config map owner reference to the istiod pod
- apiGroups: [""]
verbs: ["update"]
resources: ["pods/finalizers"]
{{- end }}
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch" ]
resources: [ "serviceentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
{{- if .Values.pilot.taint.enabled }}
- apiGroups: [""]
resources: ["nodes"]
verbs: ["patch"]
{{- end }}
# ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
{{- end}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
{{- range .Values.global.certSigners }}
- {{ . | quote }}
{{- end }}
verbs: ["approve"]
{{- end}}
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update", "patch"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gatewayclasses"]
verbs: ["create", "update", "patch", "delete"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["{{ $mcsAPIGroup }}"]
resources: ["serviceexports"]
verbs: [ "get", "watch", "list", "create", "delete"]
# Used for MCS serviceimport management
- apiGroups: ["{{ $mcsAPIGroup }}"]
resources: ["serviceimports"]
verbs: ["get", "watch", "list"]
---
{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
- apiGroups: ["apps"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "deployments" ]
- apiGroups: [""]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "services" ]
- apiGroups: [""]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "serviceaccounts"]
{{- end }}

33
charts/istiod-istiod/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,33 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
---
{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
{{- end }}

14
charts/istiod-istiod/templates/configmap-jwks.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.pilot.jwksResolverExtraRootCA }}
apiVersion: v1
kind: ConfigMap
metadata:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
data:
extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
{{- end }}

112
charts/istiod-istiod/templates/configmap.yaml Normal file
View File

@ -0,0 +1,112 @@
{{- define "mesh" }}
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
{{ $prom := include "default-prometheus" . | eq "true" }}
{{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
{{ $sdLogs := include "default-sd-logs" . | eq "true" }}
{{- if or $prom $sdMetrics $sdLogs }}
defaultProviders:
{{- if or $prom $sdMetrics }}
metrics:
{{ if $prom }}- prometheus{{ end }}
{{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
{{- end }}
{{- if and $sdMetrics $sdLogs }}
accessLogging:
- stackdriver
{{- end }}
{{- end }}
defaultConfig:
{{- if .Values.global.meshID }}
meshId: "{{ .Values.global.meshID }}"
{{- end }}
{{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
image:
imageType: {{. | quote}}
{{- end }}
{{- if not (eq .Values.global.proxy.tracer "none") }}
tracing:
{{- if eq .Values.global.proxy.tracer "lightstep" }}
lightstep:
# Address of the LightStep Satellite pool
address: {{ .Values.global.tracer.lightstep.address }}
# Access Token used to communicate with the Satellite pool
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
zipkin:
# Address of the Zipkin collector
address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
{{- else if eq .Values.global.proxy.tracer "datadog" }}
datadog:
# Address of the Datadog Agent
address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
stackdriver:
# enables trace output to stdout.
debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
# The global default max number of attributes per span.
maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
# The global default max number of annotation events per span.
maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
# The global default max number of message events per span.
maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
{{- end }}
{{- end }}
{{- if .Values.global.remotePilotAddress }}
{{- if .Values.pilot.enabled }}
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
{{- else }}
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
{{- end }}
{{- else }}
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
{{- end }}
{{- end }}
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
{{- $originalMesh := include "mesh" . | fromYaml }}
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
{{- if .Values.pilot.configMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
data:
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
meshNetworks: |-
{{- if .Values.global.meshNetworks }}
networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
{{- else }}
networks: {}
{{- end }}
mesh: |-
{{- if .Values.meshConfig }}
{{ $mesh | toYaml | indent 4 }}
{{- else }}
{{- include "mesh" . }}
{{- end }}
---
{{- end }}

270
charts/istiod-istiod/templates/deployment.yaml Normal file
View File

@ -0,0 +1,270 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
istio: pilot
release: {{ .Release.Name }}
{{- range $key, $val := .Values.pilot.deploymentLabels }}
{{ $key }}: "{{ $val }}"
{{- end }}
spec:
{{- if not .Values.pilot.autoscaleEnabled }}
{{- if .Values.pilot.replicaCount }}
replicas: {{ .Values.pilot.replicaCount }}
{{- end }}
{{- end }}
strategy:
rollingUpdate:
maxSurge: {{ .Values.pilot.rollingMaxSurge }}
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
selector:
matchLabels:
{{- if ne .Values.revision "" }}
app: istiod
istio.io/rev: {{ .Values.revision | default "default" | quote }}
{{- else }}
istio: pilot
{{- end }}
template:
metadata:
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
sidecar.istio.io/inject: "false"
operator.istio.io/component: "Pilot"
{{- if ne .Values.revision "" }}
istio: istiod
{{- else }}
istio: pilot
{{- end }}
{{- range $key, $val := .Values.pilot.podLabels }}
{{ $key }}: "{{ $val }}"
{{- end }}
istio.io/dataplane-mode: none
annotations:
prometheus.io/port: "15014"
prometheus.io/scrape: "true"
sidecar.istio.io/inject: "false"
{{- if .Values.pilot.podAnnotations }}
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.pilot.nodeSelector }}
nodeSelector:
{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
{{- end }}
{{- with .Values.pilot.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
- key: cni.istio.io/not-ready
operator: "Exists"
{{- with .Values.pilot.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.pilot.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: discovery
{{- if contains "/" .Values.pilot.image }}
image: "{{ .Values.pilot.image }}"
{{- else }}
image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
args:
- "discovery"
- --monitoringAddr=:15014
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --domain
- {{ .Values.global.proxy.clusterDomain }}
{{- if .Values.pilot.taint.namespace }}
- --cniNamespace={{ .Values.pilot.taint.namespace }}
{{- end }}
- --keepaliveMaxServerConnectionAge
- "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
{{- if .Values.pilot.extraContainerArgs }}
{{- with .Values.pilot.extraContainerArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
ports:
- containerPort: 8080
protocol: TCP
- containerPort: 15010
protocol: TCP
- containerPort: 15017
protocol: TCP
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 1
periodSeconds: 3
timeoutSeconds: 5
env:
- name: REVISION
value: "{{ .Values.revision | default `default` }}"
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
- name: KUBECONFIG
value: /var/run/secrets/remote/config
# If you explicitly told us where ztunnel lives, use that.
# Otherwise, assume it lives in our namespace
# Also, check for an explicit ENV override (legacy approach) and prefer that
# if present
{{ $ztTrustedNS := or .Values.pilot.trustedZtunnelNamespace .Release.Namespace }}
{{- if not .Values.pilot.env.CA_TRUSTED_NODE_ACCOUNTS }}
- name: CA_TRUSTED_NODE_ACCOUNTS
value: "{{ $ztTrustedNS }}/ztunnel"
{{- end }}
{{- if .Values.pilot.env }}
{{- range $key, $val := .Values.pilot.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
{{- if .Values.pilot.traceSampling }}
- name: PILOT_TRACE_SAMPLING
value: "{{ .Values.pilot.traceSampling }}"
{{- end }}
# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
# don't set it here to avoid duplication.
{{- if and .Values.global.externalIstiod (eq .Values.pilot.env.EXTERNAL_ISTIOD "")}}
- name: EXTERNAL_ISTIOD
value: "{{ .Values.global.externalIstiod }}"
{{- end }}
- name: PILOT_ENABLE_ANALYSIS
value: "{{ .Values.global.istiod.enableAnalysis }}"
- name: CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
- name: PLATFORM
value: "{{ .Values.global.platform }}"
resources:
{{- if .Values.pilot.resources }}
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
{{- if .Values.pilot.seccompProfile }}
seccompProfile:
{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }}
{{- end }}
volumeMounts:
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
- name: local-certs
mountPath: /var/run/secrets/istio-dns
- name: cacerts
mountPath: /etc/cacerts
readOnly: true
- name: istio-kubeconfig
mountPath: /var/run/secrets/remote
readOnly: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
mountPath: /cacerts
{{- end }}
- name: istio-csr-dns-cert
mountPath: /var/run/secrets/istiod/tls
readOnly: true
- name: istio-csr-ca-configmap
mountPath: /var/run/secrets/istiod/ca
readOnly: true
{{- with .Values.pilot.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
volumes:
# Technically not needed on this pod - but it helps debugging/testing SDS
# Should be removed after everything works.
- emptyDir:
medium: Memory
name: local-certs
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ .Values.global.sds.token.aud }}
expirationSeconds: 43200
path: istio-token
# Optional: user-generated root
- name: cacerts
secret:
secretName: cacerts
optional: true
- name: istio-kubeconfig
secret:
secretName: istio-kubeconfig
optional: true
# Optional: istio-csr dns pilot certs
- name: istio-csr-dns-cert
secret:
secretName: istiod-tls
optional: true
- name: istio-csr-ca-configmap
configMap:
name: istio-ca-root-cert
defaultMode: 420
optional: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
configMap:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- end }}
{{- with .Values.pilot.volumes }}
{{- toYaml . | nindent 6}}
{{- end }}
---

80
charts/istiod-istiod/templates/istiod-injector-configmap.yaml Normal file
View File

@ -0,0 +1,80 @@
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
data:
{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
values: |-
{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}}
{{ $pilotVals := pick .Values.pilot "cni" -}}
{{ $vals = set $vals "pilot" $pilotVals -}}
{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
{{ $vals = set $vals "gateways" $gatewayVals -}}
{{ $vals | toPrettyJson | indent 4 }}
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
# and istiod webhook functionality.
#
# New fields should not use Values - it is a 'primary' config object, users should be able
# to fine tune it or use it with kube-inject.
config: |-
# defaultTemplates defines the default template to use for pods that do not explicitly specify a template
{{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
defaultTemplates:
{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
- {{ . }}
{{- end }}
{{- else }}
defaultTemplates: [sidecar]
{{- end }}
policy: {{ .Values.global.proxy.autoInject }}
alwaysInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
neverInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
injectedAnnotations:
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
"{{ $key }}": {{ $val | quote }}
{{- end }}
{{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
This should make it obvious that their installation is broken.
*/}}
template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
templates:
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
sidecar: |
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
gateway: |
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
grpc-simple: |
{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
grpc-agent: |
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
waypoint: |
{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
kube-gateway: |
{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
{{- end }}
{{- with .Values.sidecarInjectorWebhook.templates }}
{{ toYaml . | trim | indent 6 }}
{{- end }}
{{- end }}

158
charts/istiod-istiod/templates/mutatingwebhook.yaml Normal file
View File

@ -0,0 +1,158 @@
{{- /* Core defines the common configuration used by all webhook segments */}}
{{/* Copy just what we need to avoid expensive deepCopy */}}
{{- $whv := dict
"revision" .Values.revision
"injectionPath" .Values.istiodRemote.injectionPath
"injectionURL" .Values.istiodRemote.injectionURL
"reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
"caBundle" .Values.istiodRemote.injectionCABundle
"namespace" .Release.Namespace }}
{{- define "core" }}
{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
a unique prefix to each. */}}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .injectionURL }}
url: "{{ .injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
namespace: {{ .namespace }}
path: "{{ .injectionPath }}"
port: 443
{{- end }}
{{- if .caBundle }}
caBundle: "{{ .caBundle }}"
{{- end }}
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
reinvocationPolicy: "{{ .reinvocationPolicy }}"
admissionReviewVersions: ["v1"]
{{- end }}
{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
{{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq .Release.Namespace "istio-system"}}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- else }}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ .Release.Name }}
webhooks:
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
{{- /* Webhooks for default revision */}}
{{- if (eq .Values.revision "") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
{{- /* Special case 3: no labels at all */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
- key: "kubernetes.io/metadata.name"
operator: "NotIn"
values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}
{{- end }}

25
charts/istiod-istiod/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
istio: pilot
spec:
minAvailable: 1
selector:
matchLabels:
app: istiod
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision | quote }}
{{- else }}
istio: pilot
{{- end }}
---
{{- end }}

60
charts/istiod-istiod/templates/reader-clusterrole.yaml Normal file
View File

@ -0,0 +1,60 @@
{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
- "telemetry.istio.io"
- "extensions.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["gateways"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["{{ $mcsAPIGroup }}"]
resources: ["serviceexports"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["{{ $mcsAPIGroup }}"]
resources: ["serviceimports"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- if .Values.global.externalIstiod }}
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
{{- end}}

15
charts/istiod-istiod/templates/reader-clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}

141
charts/istiod-istiod/templates/revision-tags.yaml Normal file
View File

@ -0,0 +1,141 @@
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
# Removed paths for legacy and default selectors since a revision tag
# is inherently created from a specific revision
{{- $whv := dict
"revision" .Values.revision
"injectionPath" .Values.istiodRemote.injectionPath
"injectionURL" .Values.istiodRemote.injectionURL
"reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
"namespace" .Release.Namespace }}
{{- define "core" }}
{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
a unique prefix to each. */}}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .injectionURL }}
url: "{{ .injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
namespace: {{ .namespace }}
path: "{{ .injectionPath }}"
port: 443
{{- end }}
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1"]
{{- end }}
{{- range $tagName := $.Values.revisionTags }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq $.Release.Namespace "istio-system"}}
name: istio-revision-tag-{{ $tagName }}
{{- else }}
name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
{{- end }}
labels:
istio.io/tag: {{ $tagName }}
istio.io/rev: {{ $.Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ $.Release.Name }}
webhooks:
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
{{- if (eq $tagName "default") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
{{- /* Special case 3: no labels at all */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
- key: "kubernetes.io/metadata.name"
operator: "NotIn"
values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}
---
{{- end }}

30
charts/istiod-istiod/templates/role.yaml Normal file
View File

@ -0,0 +1,30 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]
# For status controller, so it can delete the distribution report configmap
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["delete"]
# For gateway deployment controller
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "update", "patch", "create"]

16
charts/istiod-istiod/templates/rolebinding.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}

50
charts/istiod-istiod/templates/service.yaml Normal file
View File

@ -0,0 +1,50 @@
apiVersion: v1
kind: Service
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
{{- if .Values.pilot.serviceAnnotations }}
annotations:
{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: istiod
istio: pilot
release: {{ .Release.Name }}
spec:
ports:
- port: 15010
name: grpc-xds # plaintext
protocol: TCP
- port: 15012
name: https-dns # mTLS with k8s-signed cert
protocol: TCP
- port: 443
name: https-webhook # validation and injection
targetPort: 15017
protocol: TCP
- port: 15014
name: http-monitoring # prometheus stats
protocol: TCP
selector:
app: istiod
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision | quote }}
{{- else }}
# Label used by the 'default' service. For versioned deployments we match with app and version.
# This avoids default deployment picking the canary
istio: pilot
{{- end }}
{{- if .Values.pilot.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.pilot.ipFamilyPolicy }}
{{- end }}
{{- if .Values.pilot.ipFamilies }}
ipFamilies:
{{- range .Values.pilot.ipFamilies }}
- {{ . }}
{{- end }}
{{- end }}
---

19
charts/istiod-istiod/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
{{- if .Values.pilot.serviceAccountAnnotations }}
annotations:
{{- toYaml .Values.pilot.serviceAccountAnnotations | indent 4 }}
{{- end }}
---

57
charts/istiod-istiod/templates/validatingadmissionpolicy.yaml Normal file
View File

@ -0,0 +1,57 @@
{{- if .Values.experimental.stableValidationPolicy }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
- extensions.istio.io
apiVersions: ["*"]
operations: ["CREATE", "UPDATE"]
resources: ["*"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
variables:
- name: isEnvoyFilter
expression: "object.kind == 'EnvoyFilter'"
- name: isWasmPlugin
expression: "object.kind == 'WasmPlugin'"
- name: isProxyConfig
expression: "object.kind == 'ProxyConfig'"
- name: isTelemetry
expression: "object.kind == 'Telemetry'"
validations:
- expression: "!variables.isEnvoyFilter"
- expression: "!variables.isWasmPlugin"
- expression: "!variables.isProxyConfig"
- expression: |
!(
variables.isTelemetry && (
(has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
(has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
(has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
)
)
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
spec:
policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
validationActions: [Deny]
{{- end }}

63
charts/istiod-istiod/templates/validatingwebhookconfiguration.yaml Normal file
View File

@ -0,0 +1,63 @@
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
istio.io/rev: {{ .Values.revision | default "default" | quote }}
webhooks:
# Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
# are rejecting invalid configs on a per-revision basis.
- name: rev.validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
{{- if .Values.base.validationCABundle }}
caBundle: "{{ .Values.base.validationCABundle }}"
{{- end }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
- extensions.istio.io
apiVersions:
- "*"
resources:
- "*"
{{- if .Values.base.validationCABundle }}
# Disable webhook controller in Pilot to stop patching it
failurePolicy: Fail
{{- else }}
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
{{- end }}
sideEffects: None
admissionReviewVersions: ["v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
---
{{- end }}

43
charts/istiod-istiod/templates/zzz_profile.yaml Normal file
View File

@ -0,0 +1,43 @@
{{/*
WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
The original version of this file is located at /manifests directory.
If you want to make a change in this file, edit the original one and run "make gen".
Complex logic ahead...
We have three sets of values, in order of precedence (last wins):
1. The builtin values.yaml defaults
2. The profile the user selects
3. Users input (-f or --set)
Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
We can then merge the profile onto the defaults, then the user settings onto that.
Finally, we can set all of that under .Values so the chart behaves without awareness.
*/}}
{{- $globals := $.Values.global | default dict | deepCopy }}
{{- $defaults := $.Values.defaults }}
{{- $_ := unset $.Values "defaults" }}
{{- $profile := dict }}
{{- with .Values.profile }}
{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
{{- $profile = (. | fromYaml) }}
{{- else }}
{{ fail (cat "unknown profile" $.Values.profile) }}
{{- end }}
{{- end }}
{{- with .Values.compatibilityVersion }}
{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
{{- else }}
{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
{{- end }}
{{- end }}
{{- if $profile }}
{{- $a := mustMergeOverwrite $defaults $profile }}
{{- end }}
# Flatten globals, if defined on a per-chart basis
{{- if false }}
{{- $a := mustMergeOverwrite $defaults $globals }}
{{- end }}
{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}