From c8a6cbe6a63705e9d777a75fa814bf8b415025ac Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 3 Jun 2024 21:51:50 +0530 Subject: [PATCH] Upgraded cni to v.1.18.7 
Signed-off-by: biswajit-9776 --- .github/workflows/kserve_cni_test.yaml | 2 +- README.md | 12 +- common/istio-1-17/README.md | 95 - .../base/cluster-local-gateway.yaml | 337 - .../istio-install/base/install.yaml | 3606 -------- .../istio-install/base/kustomization.yaml | 18 - .../istio-namespace/base/kustomization.yaml | 6 - .../base/gateway-authorizationpolicy.yaml | 14 - .../cluster-local-gateway/base/gateway.yaml | 17 - .../base/kustomization.yaml | 12 - .../base/patches/remove-pdb.yaml | 6 - .../istio-cni-1-17/istio-crds/base/crd.yaml | 7230 ----------------- .../istio-crds/base/kustomization.yaml | 5 - .../base/deny_all_authorizationpolicy.yaml | 9 - .../istio-install/base/gateway.yaml | 17 - .../base/gateway_authorizationpolicy.yaml | 15 - .../base/patches/disable-debugging.yaml | 18 - .../istio-configmap-disable-tracing.yaml | 20 - .../istio-ingressgateway-remove-pdb.yaml | 6 - .../base/patches/istiod-remove-pdb.yaml | 6 - .../istio-install/base/patches/service.yaml | 7 - .../istio-install/base/x-forwarded-host.yaml | 42 - .../overlays/oauth2-proxy/kustomization.yaml | 8 - .../istio-namespace/base/namespace.yaml | 7 - .../base/cluster-roles.yaml | 55 - .../base/kf-istio-resources.yaml | 14 - .../base/kustomization.yaml | 6 - common/istio-cni-1-17/profile-overlay.yaml | 56 - common/istio-cni-1-17/profile.yaml | 161 - common/istio-cni-1-17/split-istio-packages | 72 - .../README.md | 0 .../base/cluster-local-gateway.yaml | 7 +- .../base/gateway-authorizationpolicy.yaml | 0 .../cluster-local-gateway/base/gateway.yaml | 0 .../base/kustomization.yaml | 0 .../base/patches/remove-pdb.yaml | 0 .../istio-crds/base/crd.yaml | 0 .../istio-crds/base/kustomization.yaml | 0 .../base/deny_all_authorizationpolicy.yaml | 0 .../istio-install/base/gateway.yaml | 0 .../base/gateway_authorizationpolicy.yaml | 0 .../istio-install/base/install.yaml | 1688 ++-- .../istio-install/base/kustomization.yaml | 0 .../base/patches/disable-debugging.yaml | 0 
.../istio-configmap-disable-tracing.yaml | 0 .../istio-ingressgateway-remove-pdb.yaml | 0 .../base/patches/istiod-remove-pdb.yaml | 0 .../istio-install/base/patches/service.yaml | 0 .../istio-install/base/x-forwarded-host.yaml | 0 .../overlays/oauth2-proxy/kustomization.yaml | 0 .../istio-namespace/base/kustomization.yaml | 0 .../istio-namespace/base/namespace.yaml | 0 .../base/cluster-roles.yaml | 0 .../base/kf-istio-resources.yaml | 0 .../base/kustomization.yaml | 0 .../profile-overlay.yaml | 0 .../profile.yaml | 9 +- .../split-istio-packages | 0 common/oidc-client/oauth2-proxy/README.md | 12 +- contrib/kserve/README.md | 10 +- example/kustomization.yaml | 10 +- hack/extract_images.sh | 2 +- tests/gh-actions/install_istio-cni.sh | 2 +- tests/gh-actions/install_knative-cni.sh | 4 +- tests/gh-actions/install_knative.sh | 4 +- 65 files changed, 646 insertions(+), 12981 deletions(-) delete mode 100644 common/istio-1-17/README.md delete mode 100644 common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml delete mode 100644 common/istio-1-17/istio-install/base/install.yaml delete mode 100644 common/istio-1-17/istio-install/base/kustomization.yaml delete mode 100644 common/istio-1-17/istio-namespace/base/kustomization.yaml delete mode 100644 common/istio-cni-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml delete mode 100644 common/istio-cni-1-17/cluster-local-gateway/base/gateway.yaml delete mode 100644 common/istio-cni-1-17/cluster-local-gateway/base/kustomization.yaml delete mode 100644 common/istio-cni-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml delete mode 100644 common/istio-cni-1-17/istio-crds/base/crd.yaml delete mode 100644 common/istio-cni-1-17/istio-crds/base/kustomization.yaml delete mode 100644 common/istio-cni-1-17/istio-install/base/deny_all_authorizationpolicy.yaml delete mode 100644 common/istio-cni-1-17/istio-install/base/gateway.yaml delete mode 100644 
common/istio-cni-1-17/istio-install/base/gateway_authorizationpolicy.yaml delete mode 100644 common/istio-cni-1-17/istio-install/base/patches/disable-debugging.yaml delete mode 100644 common/istio-cni-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml delete mode 100644 common/istio-cni-1-17/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml delete mode 100644 common/istio-cni-1-17/istio-install/base/patches/istiod-remove-pdb.yaml delete mode 100644 common/istio-cni-1-17/istio-install/base/patches/service.yaml delete mode 100644 common/istio-cni-1-17/istio-install/base/x-forwarded-host.yaml delete mode 100644 common/istio-cni-1-17/istio-install/overlays/oauth2-proxy/kustomization.yaml delete mode 100644 common/istio-cni-1-17/istio-namespace/base/namespace.yaml delete mode 100644 common/istio-cni-1-17/kubeflow-istio-resources/base/cluster-roles.yaml delete mode 100644 common/istio-cni-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml delete mode 100644 common/istio-cni-1-17/kubeflow-istio-resources/base/kustomization.yaml delete mode 100644 common/istio-cni-1-17/profile-overlay.yaml delete mode 100644 common/istio-cni-1-17/profile.yaml delete mode 100755 common/istio-cni-1-17/split-istio-packages rename common/{istio-cni-1-17 => istio-cni-1-18}/README.md (100%) rename common/{istio-cni-1-17 => istio-cni-1-18}/cluster-local-gateway/base/cluster-local-gateway.yaml (97%) rename common/{istio-1-17 => istio-cni-1-18}/cluster-local-gateway/base/gateway-authorizationpolicy.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/cluster-local-gateway/base/gateway.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/cluster-local-gateway/base/kustomization.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/cluster-local-gateway/base/patches/remove-pdb.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-crds/base/crd.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-crds/base/kustomization.yaml (100%) 
rename common/{istio-1-17 => istio-cni-1-18}/istio-install/base/deny_all_authorizationpolicy.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-install/base/gateway.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-install/base/gateway_authorizationpolicy.yaml (100%) rename common/{istio-cni-1-17 => istio-cni-1-18}/istio-install/base/install.yaml (75%) rename common/{istio-cni-1-17 => istio-cni-1-18}/istio-install/base/kustomization.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-install/base/patches/disable-debugging.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-install/base/patches/istio-configmap-disable-tracing.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-install/base/patches/istiod-remove-pdb.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-install/base/patches/service.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-install/base/x-forwarded-host.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-install/overlays/oauth2-proxy/kustomization.yaml (100%) rename common/{istio-cni-1-17 => istio-cni-1-18}/istio-namespace/base/kustomization.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/istio-namespace/base/namespace.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/kubeflow-istio-resources/base/cluster-roles.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/kubeflow-istio-resources/base/kf-istio-resources.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/kubeflow-istio-resources/base/kustomization.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/profile-overlay.yaml (100%) rename common/{istio-1-17 => istio-cni-1-18}/profile.yaml (95%) rename common/{istio-1-17 => istio-cni-1-18}/split-istio-packages (100%) 
diff --git a/.github/workflows/kserve_cni_test.yaml b/.github/workflows/kserve_cni_test.yaml
index 3ac21b91d5..013339ebb8 100644
--- a/.github/workflows/kserve_cni_test.yaml
+++ b/.github/workflows/kserve_cni_test.yaml
@@ -6,7 +6,7 @@ on:
 - tests/gh-actions/kind-cluster.yaml
 - tests/gh-actions/install_kind.sh
 - tests/gh-actions/install_kustomize.sh
- - common/istio-cni-1-17/**
+ - common/istio-cni-1-18/**
 - tests/gh-actions/install_cert_manager.sh
 - common/cert-manager/**
 - tests/gh-actions/install_knative-cni.sh
diff --git a/README.md b/README.md
index fd11ae3097..655b4f3cb7 100644
--- a/README.md
+++ b/README.md
@@ -64,7 +64,7 @@ used from the different projects of Kubeflow:
 | Component | Local Manifests Path | Upstream Revision |
 | - | - | - |
-| Istio | common/istio-1-17 | [1.17.3](https://github.com/istio/istio/releases/tag/1.17.3) |
+| Istio | common/istio-1-18 | [1.18.7](https://github.com/istio/istio/releases/tag/1.18.7) |
 | Knative | common/knative/knative-serving
common/knative/knative-eventing | [v1.12.4](https://github.com/knative/serving/releases/tag/knative-v1.12.4)
[v1.12.6](https://github.com/knative/eventing/releases/tag/knative-v1.12.6) |
 | Cert Manager | common/cert-manager | [1.14.5](https://github.com/cert-manager/cert-manager/releases/tag/v1.12.2) |
@@ -208,10 +208,10 @@ Install Istio:
 ```sh
 echo "Installing Istio configured with external authorization..."
-cd common/istio-1-17
-kustomize build common/istio-1-17/istio-crds/base | kubectl apply -f -
-kustomize build common/istio-1-17/istio-namespace/base | kubectl apply -f -
-kustomize build common/istio-1-17/istio-install/overlays/oauth2-proxy | kubectl apply -f -
+cd common/istio-1-18
+kustomize build common/istio-1-18/istio-crds/base | kubectl apply -f -
+kustomize build common/istio-1-18/istio-namespace/base | kubectl apply -f -
+kustomize build common/istio-1-18/istio-install/overlays/oauth2-proxy | kubectl apply -f -
 echo "Waiting for all Istio Pods to become ready..."
 kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s
@@ -247,7 +247,7 @@ Install Knative Serving:
 ```sh
 kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f -
-kustomize build common/istio-1-17/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-1-18/cluster-local-gateway/base | kubectl apply -f -
 ```
 Optionally, you can install Knative Eventing which can be used for inference request logging:
diff --git a/common/istio-1-17/README.md b/common/istio-1-17/README.md
deleted file mode 100644
index 8b74be19f6..0000000000
--- a/common/istio-1-17/README.md
+++ /dev/null
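Review bot: The new-side install instructions point at `common/istio-1-18`, but nothing in this patch creates that directory: the diffstat renames every manifest into `common/istio-cni-1-18` (and the trigger in `.github/workflows/kserve_cni_test.yaml` is updated to `common/istio-cni-1-18/**`), while `common/istio-1-17` is deleted outright, so the `cd` and every `kustomize build` line in both README hunks, plus the "Local Manifests Path" table cell, reference a path that will not exist. They should read `common/istio-cni-1-18`, e.g. `kustomize build common/istio-cni-1-18/istio-install/overlays/oauth2-proxy | kubectl apply -f -` and `kustomize build common/istio-cni-1-18/cluster-local-gateway/base | kubectl apply -f -`. This matters beyond a broken doc: a reader hitting the missing path may fall back to a stock `istioctl install`, which would not carry the hardening this package ships (the deny-by-default `deny_all_authorizationpolicy.yaml`, the debug/tracing patches visible in the diffstat).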
@@ -1,95 +0,0 @@ -# Istio - -## Upgrade Istio Manifests - -Istio ships with an installer called `istioctl`, which is a deployment / -debugging / configuration management tool for Istio all in one package. -In this section, we explain how to upgrade our istio kustomize packages -by leveraging `istioctl`. Assuming the new version is `X.Y.Z` and the -old version is `X1.Y1.Z1`: - -1. Make a copy of the old istio manifests tree, which will become the - kustomization for the new Istio version: - - $ export MANIFESTS_SRC= - $ export ISTIO_OLD=$MANIFESTS_SRC/common/istio-X1-Y1 - $ export ISTIO_NEW=$MANIFESTS_SRC/common/istio-X-Y - $ cp -a $ISTIO_OLD $ISTIO_NEW - -2. Download `istioctl` for version `X.Y.Z`: - - $ ISTIO_VERSION="X.Y.Z" - $ wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" - $ tar xvfz istio-${ISTIO_VERSION}-linux-amd64.tar.gz - # sudo mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl - -3. Use `istioctl` to generate an `IstioOperator` resource, the - CustomResource used to describe the Istio Control Plane: - - $ cd $ISTIO_NEW - $ istioctl profile dump default > profile.yaml - - --- - **NOTE** - - `istioctl` comes with a bunch of [predefined profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/) - (`default`, `demo`, `minimal`, etc.). The `default` profile is installed by default. - - --- - -4. Generate manifests and add them to their respective packages. 
We - will generate manifests using `istioctl`, the - `profile.yaml` file from upstream and the - `profile-overlay.yaml` file that contains our desired - changes: - - $ export PATH="$MANIFESTS_SRC/scripts:$PATH" - $ cd $ISTIO_NEW - $ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml - $ split-istio-packages -f dump.yaml - $ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base - $ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base - $ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base - $ rm dump.yaml - - --- - **NOTE** - - `split-istio-packages` is a python script in the same folder as this file. - The `ruamel.yaml` version used is 0.16.12. - - `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically - detect default settings. Ensure you have a target cluster ready before running the above commands. - We set this flag because `istioctl manifest generate` generates manifest files with resources that are no - longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220 - - --- - -## Changes to Istio's upstream manifests - -### Changes to the upstream IstioOperator profile - -Changes to Istio's upstream profile `default` are the following: - -- Add a `cluster-local-gateway` component for Kserve. Knative-local-gateway is now obsolete https://github.com/kubeflow/manifests/pull/2355/commits/adc00b804404ea08685a044ae595be0bed9adb59. -- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity. - -Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml) -file. - -### Changes to the upstream manifests using kustomize - -The Istio kustomizations make the following changes: - -- Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. 
See: - - https://github.com/istio/istio/issues/12602 - - https://github.com/istio/istio/issues/24000 -- Add EnvoyFilter for adding an `X-Forwarded-For` header in requests passing through the Istio Ingressgateway, inside the `istio-install` kustomization. -- Add Istio AuthorizationPolicy to allow all requests to the Istio Ingressgateway and the Istio cluster-local gateway. -- Add Istio AuthorizationPolicy in Istio's root namespace, so that sidecars deny traffic by default (explicit deny-by-default authorization model). -- Add Gateway CRs for the Istio Ingressgateway and the Istio cluster-local gateway, as `istioctl` stopped generating them in later versions. -- Add the istio-system namespace object to `istio-namespace`, as `istioctl` stopped generating it in later versions. -- Configure TCP KeepAlives. -- Disable tracing as it causes DNS breakdown. See: - https://github.com/istio/istio/issues/29898 -- Set ENABLE_DEBUG_ON_HTTP=false according to https://istio.io/latest/docs/ops/best-practices/security/#control-plane diff --git a/common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml deleted file mode 100644 index 20ecc30f15..0000000000 --- a/common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml +++ /dev/null 
@@ -1,337 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cluster-local-gateway-service-account - namespace: istio-system - labels: - app: cluster-local-gateway - istio: cluster-local-gateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: cluster-local-gateway - install.operator.istio.io/owning-resource: unknown - istio: cluster-local-gateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: cluster-local-gateway - namespace: istio-system -spec: - selector: - matchLabels: - app: cluster-local-gateway - istio: cluster-local-gateway - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - prometheus.io/path: /stats/prometheus - prometheus.io/port: '15020' - prometheus.io/scrape: 'true' - sidecar.istio.io/inject: 'false' - labels: - app: cluster-local-gateway - chart: gateways - heritage: Tiller - install.operator.istio.io/owning-resource: unknown - istio: cluster-local-gateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - service.istio.io/canonical-name: cluster-local-gateway - service.istio.io/canonical-revision: latest - sidecar.istio.io/inject: 'false' - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - requiredDuringSchedulingIgnoredDuringExecution: - containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - env: - - name: ISTIO_META_ROUTER_MODE - value: sni-dnat - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: 
v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: cluster-local-gateway - - name: ISTIO_META_OWNER - value: - kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - - name: ISTIO_META_UNPRIVILEGED_POD - value: 'true' - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.17.5 - name: istio-proxy - ports: - - containerPort: 15020 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/credential-uds - name: credential-socket - - mountPath: /var/run/secrets/workload-spiffe-credentials - name: workload-certs - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/istio/config - name: config-volume - - mountPath: /var/run/secrets/istio - name: 
istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/pod - name: podinfo - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true - securityContext: - fsGroup: 1337 - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - serviceAccountName: cluster-local-gateway-service-account - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: podinfo - - emptyDir: {} - name: istio-envoy - - emptyDir: {} - name: istio-data - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio - optional: true - name: config-volume - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: cluster-local-gateway - namespace: istio-system - labels: - app: cluster-local-gateway - istio: cluster-local-gateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -spec: - minAvailable: 1 - selector: - matchLabels: - app: cluster-local-gateway - istio: cluster-local-gateway ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cluster-local-gateway-sds - namespace: istio-system - labels: - release: istio - 
istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -rules: -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cluster-local-gateway-sds - namespace: istio-system - labels: - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cluster-local-gateway-sds -subjects: -- kind: ServiceAccount - name: cluster-local-gateway-service-account ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - labels: - app: cluster-local-gateway - install.operator.istio.io/owning-resource: unknown - istio: cluster-local-gateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: cluster-local-gateway - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - target: - averageUtilization: 80 - type: Utilization - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: cluster-local-gateway ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - labels: - app: cluster-local-gateway - install.operator.istio.io/owning-resource: unknown - istio: cluster-local-gateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: cluster-local-gateway - namespace: istio-system -spec: - ports: - - name: status-port - port: 15020 - protocol: TCP - targetPort: 15020 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: cluster-local-gateway - istio: cluster-local-gateway - type: ClusterIP diff --git a/common/istio-1-17/istio-install/base/install.yaml b/common/istio-1-17/istio-install/base/install.yaml deleted file mode 100644 index 33113c1620..0000000000 
--- a/common/istio-1-17/istio-install/base/install.yaml +++ /dev/null 
@@ -1,3606 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-ingressgateway-service-account - namespace: istio-system - labels: - app: istio-ingressgateway - istio: ingressgateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-reader-service-account - namespace: istio-system - labels: - app: istio-reader - release: istio ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - release: istio ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istiod-service-account - namespace: istio-system - labels: - app: istiod - release: istio ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole-istio-system - labels: - app: istio-reader - release: istio -rules: -- apiGroups: - - config.istio.io - - security.istio.io - - networking.istio.io - - authentication.istio.io - - rbac.istio.io - resources: ['*'] - verbs: [get, list, watch] -- apiGroups: [''] - resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, - secrets] - verbs: [get, list, watch] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list] - resources: [workloadentries] -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, list, watch, create, delete] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, list, watch] -- apiGroups: [apps] - resources: [replicasets] - verbs: [get, list, watch] -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] -- apiGroups: [authorization.k8s.io] - resources: 
[subjectaccessreviews] - verbs: [create] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -rules: -- apiGroups: - - config.istio.io - - security.istio.io - - networking.istio.io - - authentication.istio.io - - rbac.istio.io - resources: ['*'] - verbs: [get, list, watch] -- apiGroups: [''] - resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, - secrets] - verbs: [get, list, watch] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list] - resources: [workloadentries] -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] -- apiGroups: [apps] - resources: [replicasets] - verbs: [get, list, watch] -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole-istio-system - labels: - app: istiod - release: istio -rules: - # sidecar injection controller -- apiGroups: [admissionregistration.k8s.io] - resources: [mutatingwebhookconfigurations] - verbs: [get, list, watch, update, patch] - - # configuration validation webhook controller -- apiGroups: [admissionregistration.k8s.io] - resources: [validatingwebhookconfigurations] - verbs: [get, list, watch, update] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution -- apiGroups: 
[config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, - rbac.istio.io, telemetry.istio.io, extensions.istio.io] - verbs: [get, watch, list] - resources: ['*'] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries/status] - - # auto-detect installed CRD definitions -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] - - # discovery and routing -- apiGroups: [''] - resources: [pods, nodes, services, namespaces, endpoints] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] - - # ingress controller -- apiGroups: [networking.k8s.io] - resources: [ingresses, ingressclasses] - verbs: [get, list, watch] -- apiGroups: [networking.k8s.io] - resources: [ingresses/status] - verbs: ['*'] - - # required for CA's namespace controller -- apiGroups: [''] - resources: [configmaps] - verbs: [create, get, list, watch, update] - - # Istiod and bootstrap. 
-- apiGroups: [certificates.k8s.io] - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: [update, create, get, delete, watch] -- apiGroups: [certificates.k8s.io] - resources: - - signers - resourceNames: - - kubernetes.io/legacy-unknown - verbs: [approve] - - # Used by Istiod to verify the JWT tokens -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] - - # Used by Istiod to verify gateway SDS -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] - - # Use for Kubernetes Service APIs -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] - verbs: [get, watch, list] -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] # TODO: should be on just */status but wildcard is not supported - verbs: [update, patch] -- apiGroups: [gateway.networking.k8s.io] - resources: [gatewayclasses] - verbs: [create, update, patch, delete] - - # Needed for multicluster secret reading, possibly ingress certs in the future -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] - - # Used for MCS serviceexport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list, create, delete] - - # Used for MCS serviceimport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller-istio-system - labels: - app: istiod - release: istio -rules: -- apiGroups: [apps] - verbs: [get, watch, list, update, patch, create, delete] - resources: [deployments] -- apiGroups: [''] - verbs: [get, watch, list, update, patch, create, delete] - resources: [services] -- apiGroups: [''] - verbs: [get, watch, list, update, patch, create, delete] - resources: [serviceaccounts] ---- -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio -rules: - # sidecar injection controller -- apiGroups: [admissionregistration.k8s.io] - resources: [mutatingwebhookconfigurations] - verbs: [get, list, watch, update, patch] - - # configuration validation webhook controller -- apiGroups: [admissionregistration.k8s.io] - resources: [validatingwebhookconfigurations] - verbs: [get, list, watch, update] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution -- apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, - rbac.istio.io, telemetry.istio.io] - verbs: [get, watch, list] - resources: ['*'] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries/status] - - # auto-detect installed CRD definitions -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] - - # discovery and routing -- apiGroups: [''] - resources: [pods, nodes, services, namespaces, endpoints] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] - - # ingress controller -- apiGroups: [networking.k8s.io] - resources: [ingresses, ingressclasses] - verbs: [get, list, watch] -- apiGroups: [networking.k8s.io] - resources: [ingresses/status] - verbs: ['*'] - - # required for CA's namespace controller -- apiGroups: [''] - resources: [configmaps] - verbs: [create, get, list, watch, update] - - # Istiod and bootstrap. 
-- apiGroups: [certificates.k8s.io] - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: [update, create, get, delete, watch] -- apiGroups: [certificates.k8s.io] - resources: - - signers - resourceNames: - - kubernetes.io/legacy-unknown - verbs: [approve] - - # Used by Istiod to verify the JWT tokens -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] - - # Used by Istiod to verify gateway SDS -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] - - # Use for Kubernetes Service APIs -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] - verbs: [get, watch, list] -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] # TODO: should be on just */status but wildcard is not supported - verbs: [update] -- apiGroups: [gateway.networking.k8s.io] - resources: [gatewayclasses] - verbs: [create, update, patch, delete] - - # Needed for multicluster secret reading, possibly ingress certs in the future -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] - - # Used for MCS serviceexport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list, create, delete] - - # Used for MCS serviceimport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole-istio-system - labels: - app: istio-reader - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole-istio-system -subjects: -- kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-istio-system - labels: - app: 
istio-reader - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-istio-system -subjects: -- kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole-istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole-istio-system -subjects: -- kind: ServiceAccount - name: istiod - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller-istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller-istio-system -subjects: -- kind: ServiceAccount - name: istiod - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-istio-system -subjects: -- kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator-istio-system - labels: - app: istiod - release: istio - istio: istiod - istio.io/rev: default -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. 
-- name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - service: - name: istiod - namespace: istio-system - path: /validate - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - '*' - resources: - - '*' - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: [v1beta1, v1] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - default ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.13 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - 
'@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.14 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': 
type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.15 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - 
configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - 
value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.16 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: 
stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.17 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {disable_host_header_fallback: true} - - 
applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {disable_host_header_fallback: true} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.13 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: 
envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.14 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: 
type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.15 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: 
NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.16 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: 
- root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.17 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.17.* - 
listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot - release: istio -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. 
- meshNetworks: |- - networks: {} - - mesh: |- - defaultConfig: - discoveryAddress: istiod.istio-system.svc:15012 - proxyMetadata: {} - tracing: - zipkin: - address: zipkin.istio-system:9411 - enablePrometheusMerge: true - rootNamespace: istio-system - tcpKeepalive: - interval: 5s - probes: 3 - time: 10s - trustDomain: cluster.local ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot - release: istio -data: - - values: |- - { - "global": { - "autoscalingv2API": true, - "caAddress": "", - "caName": "", - "certSigners": [], - "configCluster": false, - "configValidation": true, - "defaultNodeSelector": {}, - "defaultPodDisruptionBudget": { - "enabled": true - }, - "defaultResources": { - "requests": { - "cpu": "10m" - } - }, - "enabled": true, - "externalIstiod": false, - "hub": "docker.io/istio", - "imagePullPolicy": "", - "imagePullSecrets": [], - "istioNamespace": "istio-system", - "istiod": { - "enableAnalysis": false - }, - "jwtPolicy": "third-party-jwt", - "logAsJson": false, - "logging": { - "level": "default:info" - }, - "meshID": "", - "meshNetworks": {}, - "mountMtlsCerts": false, - "multiCluster": { - "clusterName": "", - "enabled": false - }, - "namespace": "istio-system", - "network": "", - "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, - "operatorManageWebhooks": false, - "pilotCertProvider": "istiod", - "priorityClassName": "", - "proxy": { - "autoInject": "enabled", - "clusterDomain": "cluster.local", - "componentLogLevel": "misc:error", - "enableCoreDump": false, - "excludeIPRanges": "", - "excludeInboundPorts": "", - "excludeOutboundPorts": "", - "holdApplicationUntilProxyStarts": false, - "image": "proxyv2", - "includeIPRanges": "*", - "includeInboundPorts": "*", - "includeOutboundPorts": "", - "logLevel": "warning", - "privileged": false, - 
"readinessFailureThreshold": 30, - "readinessInitialDelaySeconds": 1, - "readinessPeriodSeconds": 2, - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "100m", - "memory": "128Mi" - } - }, - "statusPort": 15020, - "tracer": "zipkin" - }, - "proxy_init": { - "image": "proxyv2", - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } - } - }, - "remotePilotAddress": "", - "sds": { - "token": { - "aud": "istio-ca" - } - }, - "sts": { - "servicePort": 0 - }, - "tag": "1.17.5", - "tracer": { - "datadog": { - "address": "$(HOST_IP):8126" - }, - "lightstep": { - "accessToken": "", - "address": "" - }, - "stackdriver": { - "debug": false, - "maxNumberOfAnnotations": 200, - "maxNumberOfAttributes": 200, - "maxNumberOfMessageEvents": 200 - }, - "zipkin": { - "address": "" - } - }, - "useMCP": false, - "variant": "" - }, - "istio_cni": { - "enabled": false - }, - "revision": "", - "sidecarInjectorWebhook": { - "alwaysInjectSelector": [], - "defaultTemplates": [], - "enableNamespacesByDefault": false, - "injectedAnnotations": {}, - "neverInjectSelector": [], - "rewriteAppHTTPProbe": true, - "templates": {} - } - } - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. 
- config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - defaultTemplates: [sidecar] - policy: enabled - alwaysInjectSelector: - [] - neverInjectSelector: - [] - injectedAnnotations: - template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" - templates: - sidecar: | - {{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - {{- end }} - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name 
}}{{end}}{{- end}} - metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - {{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges 
}}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} - {{- end }} - } - spec: - {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` 
.Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - "15006" - - "-u" - - "1337" - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ 
if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ 
.ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if gt .EstimatedConcurrency 0 }} - - --concurrency - - "{{ .EstimatedConcurrency }}" - {{- end -}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- end }} - env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ 
.Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- 
if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne 
(annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - {{- end }} - resources: - {{ template "resources" . 
}} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} - {{- if 
.Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} - gateway: | - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} - metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - istio.io/rev: {{ index .ObjectMeta.Labels `istio.io/rev` | default .Revision | default "default" | quote }} - annotations: { - {{- if eq (len $containers) 1 }} - 
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } - spec: - containers: - - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - 
fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . 
}}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
}} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} - grpc-simple: | - metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" - spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} - grpc-agent: | - {{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) 
(isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - {{- end }} - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} - metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. 
*/}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } - spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - 
lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ 
.DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . 
}} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - {{- range $index, $container := .Spec.Containers }} - {{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- 
else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: istio-sidecar-injector - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot - app: sidecar-injector - release: istio -webhooks: -- name: rev.namespace.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] - failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - default - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - 'false' -- name: rev.object.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] - failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] - namespaceSelector: - matchExpressions: - - 
key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - 'false' - - key: istio.io/rev - operator: In - values: - - default -- name: namespace.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] - failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - 'false' -- name: object.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] - failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - 'true' - - key: istio.io/rev - operator: DoesNotExist ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istio-ingressgateway - namespace: istio-system - labels: - app: istio-ingressgateway - istio: ingressgateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -spec: - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - labels: - app: istio-ingressgateway - istio: ingressgateway - heritage: Tiller - release: istio - chart: 
gateways - service.istio.io/canonical-name: istio-ingressgateway - service.istio.io/canonical-revision: latest - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways - sidecar.istio.io/inject: 'false' - annotations: - prometheus.io/port: '15020' - prometheus.io/scrape: 'true' - prometheus.io/path: /stats/prometheus - sidecar.istio.io/inject: 'false' - spec: - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 - serviceAccountName: istio-ingressgateway-service-account - containers: - - name: istio-proxy - image: docker.io/istio/proxyv2:1.17.5 - ports: - - containerPort: 15021 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8443 - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - env: - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - 
valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: istio-ingressgateway - - name: ISTIO_META_OWNER - value: - kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - - name: ISTIO_META_UNPRIVILEGED_POD - value: 'true' - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - mountPath: /var/lib/istio/data - name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - - name: ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - readOnly: true - - name: ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs - readOnly: true - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - - name: podinfo - downwardAPI: - items: - - path: labels - fieldRef: - fieldPath: metadata.labels - - path: annotations - fieldRef: - fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - 
name: config-volume - configMap: - name: istio - optional: true - - name: ingressgateway-certs - secret: - secretName: istio-ingressgateway-certs - optional: true - - name: ingressgateway-ca-certs - secret: - secretName: istio-ingressgateway-ca-certs - optional: true - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - preferredDuringSchedulingIgnoredDuringExecution: ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot - istio: pilot - release: istio -spec: - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - selector: - matchLabels: - istio: pilot - template: - metadata: - labels: - app: istiod - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - sidecar.istio.io/inject: 'false' - operator.istio.io/component: Pilot - istio: pilot - annotations: - prometheus.io/port: '15014' - prometheus.io/scrape: 'true' - sidecar.istio.io/inject: 'false' - spec: - serviceAccountName: istiod - securityContext: - fsGroup: 1337 - containers: - - name: discovery - image: docker.io/istio/pilot:1.17.5 - args: - - discovery - - --monitoringAddr=:15014 - - --log_output_level=default:info - - --domain - - cluster.local - - --keepaliveMaxServerConnectionAge - - 30m - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: default - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: 
SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - - name: PILOT_TRACE_SAMPLING - value: '1' - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: 'true' - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: 'true' - - name: ISTIOD_ADDR - value: istiod.istio-system.svc:15012 - - name: PILOT_ENABLE_ANALYSIS - value: 'false' - - name: CLUSTER_ID - value: Kubernetes - resources: - requests: - cpu: 500m - memory: 2048Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. 
- - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - configMap: - name: istio-ca-root-cert - defaultMode: 420 - optional: true ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istio-ingressgateway - namespace: istio-system - labels: - app: istio-ingressgateway - istio: ingressgateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -spec: - minAvailable: 1 - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot - release: istio - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - istio: pilot ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istio-ingressgateway-sds - namespace: istio-system - labels: - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -rules: -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - release: istio -rules: -- apiGroups: [networking.istio.io] - verbs: [create] - resources: [gateways] - -- 
apiGroups: [''] - resources: [secrets] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: [create, get, watch, list, update, delete] - -- apiGroups: [''] - resources: [configmaps] - verbs: [delete] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: istiod - release: istio -rules: -- apiGroups: [networking.istio.io] - verbs: [create] - resources: [gateways] - -- apiGroups: [''] - resources: [secrets] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: [create, get, watch, list, update, delete] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istio-ingressgateway-sds - namespace: istio-system - labels: - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istio-ingressgateway-sds -subjects: -- kind: ServiceAccount - name: istio-ingressgateway-service-account ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod -subjects: -- kind: ServiceAccount - name: istiod - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod-istio-system -subjects: -- kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istio-ingressgateway - namespace: istio-system - labels: - app: istio-ingressgateway - istio: ingressgateway - release: istio - 
istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -spec: - maxReplicas: 5 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 80 ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot -spec: - maxReplicas: 5 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 80 ---- -apiVersion: v1 -kind: Service -metadata: - name: istio-ingressgateway - namespace: istio-system - annotations: - labels: - app: istio-ingressgateway - istio: ingressgateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -spec: - type: LoadBalancer - selector: - app: istio-ingressgateway - istio: ingressgateway - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8443 ---- -apiVersion: v1 -kind: Service -metadata: - name: istiod - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot - app: istiod - istio: pilot - release: istio -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 
15014
- name: http-monitoring # prometheus stats
- protocol: TCP
- selector:
- app: istiod
- # Label used by the 'default' service. For versioned deployments we match with app and version.
- # This avoids default deployment picking the canary
- istio: pilot
diff --git a/common/istio-1-17/istio-install/base/kustomization.yaml b/common/istio-1-17/istio-install/base/kustomization.yaml
deleted file mode 100644
index da19a0353e..0000000000
--- a/common/istio-1-17/istio-install/base/kustomization.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: istio-system
-
-resources:
-- install.yaml
-- gateway_authorizationpolicy.yaml
-- deny_all_authorizationpolicy.yaml
-- gateway.yaml
-- x-forwarded-host.yaml
-
-patches:
-- path: patches/service.yaml
-- path: patches/istio-configmap-disable-tracing.yaml
-- path: patches/disable-debugging.yaml
-- path: patches/istio-ingressgateway-remove-pdb.yaml
-- path: patches/istiod-remove-pdb.yaml
diff --git a/common/istio-1-17/istio-namespace/base/kustomization.yaml b/common/istio-1-17/istio-namespace/base/kustomization.yaml
deleted file mode 100644
index 6e0028159b..0000000000
--- a/common/istio-1-17/istio-namespace/base/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- namespace.yaml
-namespace: istio-system
diff --git a/common/istio-cni-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-cni-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
deleted file mode 100644
index 4a45b0a1e0..0000000000
--- a/common/istio-cni-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# Allow all traffic to the cluster-local-gateway
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: cluster-local-gateway
-spec:
- action: ALLOW
- selector:
- # Same as the cluster-local-gateway Service selector
- matchLabels:
- app: cluster-local-gateway
- istio: cluster-local-gateway
- rules:
- - {}
\ No newline at end of file
diff --git a/common/istio-cni-1-17/cluster-local-gateway/base/gateway.yaml b/common/istio-cni-1-17/cluster-local-gateway/base/gateway.yaml
deleted file mode 100644
index a5db160087..0000000000
--- a/common/istio-cni-1-17/cluster-local-gateway/base/gateway.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: cluster-local-gateway
- labels:
- release: istio
-spec:
- selector:
- app: cluster-local-gateway
- istio: cluster-local-gateway
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - '*'
diff --git a/common/istio-cni-1-17/cluster-local-gateway/base/kustomization.yaml b/common/istio-cni-1-17/cluster-local-gateway/base/kustomization.yaml
deleted file mode 100644
index 3f63154ee9..0000000000
--- a/common/istio-cni-1-17/cluster-local-gateway/base/kustomization.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: istio-system
-
-resources:
-- cluster-local-gateway.yaml
-- gateway-authorizationpolicy.yaml
-- gateway.yaml
-
-patches:
-- path: patches/remove-pdb.yaml
diff --git a/common/istio-cni-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-cni-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml
deleted file mode 100644
index 7453e086c5..0000000000
--- a/common/istio-cni-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-$patch: delete
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: cluster-local-gateway
- namespace: istio-system
\ No newline at end of file
diff --git a/common/istio-cni-1-17/istio-crds/base/crd.yaml b/common/istio-cni-1-17/istio-crds/base/crd.yaml
deleted file mode 100644
index 25dc3dce98..0000000000
--- a/common/istio-cni-1-17/istio-crds/base/crd.yaml
+++ /dev/null
@@ -1,7230 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. 
- items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. 
See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. 
- items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. 
- type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. 
- type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. 
- items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. 
- format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. 
- type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. 
- type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. 
- type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. 
- properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. 
- nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. 
- type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. 
- type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. 
- type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. 
- type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - type: object - type: object - workloadSelector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. 
See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. 
- type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. 
- type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. 
- type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. 
- type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. 
- items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. 
- properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. 
- properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. 
- properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. 
- items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. 
- format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. 
- type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. 
- type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - type: object - type: object - workloadSelector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. 
- properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - type: object - proxyVersion: - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. 
- properties: - gateway: - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - type: integer - vhost: - properties: - name: - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. 
- format: int32 - type: integer - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. 
- type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. 
- type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - conversion: - strategy: None - group: install.istio.io - names: - kind: IstioOperator - listKind: IstioOperatorList - plural: istiooperators - singular: istiooperator - shortNames: - - iop - - io - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Istio control plane revision - jsonPath: .spec.revision - name: Revision - type: string - - description: IOP current state - jsonPath: .status.status - name: Status - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. 
- enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more - details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. - type: string - type: object - selector: - description: Optional. 
- properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. 
- type: string - jwks_uri: - type: string - jwksUri: - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. 
- type: string - jwks_uri: - type: string - jwksUri: - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. 
It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. 
- type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. 
- items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. 
- properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. 
- type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' 
- items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. 
- type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows provides the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - type: string - metric: - description: One of the well-known Istio Standard - Metrics. - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to - update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - reportingInterval: - description: Optional. - type: string - type: object - type: array - selector: - description: Optional. 
- properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - type: string - type: object - header: - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - type: string - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - type: string - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. 
- type: string - type: object - type: array - randomSamplingPercentage: - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. 
- properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. 
- properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. 
- type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. 
- format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). 
- properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. 
- properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. 
- properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. 
- type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. 
- format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: wasmplugins.extensions.istio.io -spec: - group: extensions.istio.io - names: - categories: - - istio-io - - extensions-istio-io - kind: WasmPlugin - listKind: WasmPluginList - plural: wasmplugins - singular: wasmplugin - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Extend the functionality provided by the Istio proxy through - WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' - properties: - imagePullPolicy: - enum: - - UNSPECIFIED_POLICY - - IfNotPresent - - Always - type: string - imagePullSecret: - description: Credentials to use for OCI image pulling. - type: string - match: - description: Specifies the criteria to determine which traffic is - passed to WasmPlugin. - items: - properties: - mode: - description: Criteria for selecting traffic by their direction. 
- enum: - - UNDEFINED - - CLIENT - - SERVER - - CLIENT_AND_SERVER - type: string - ports: - description: Criteria for selecting traffic by their destination - port. - items: - properties: - number: - type: integer - type: object - type: array - type: object - type: array - phase: - description: Determines where in the filter chain this `WasmPlugin` - is to be injected. - enum: - - UNSPECIFIED_PHASE - - AUTHN - - AUTHZ - - STATS - type: string - pluginConfig: - description: The configuration that will be passed on to the plugin. - type: object - x-kubernetes-preserve-unknown-fields: true - pluginName: - type: string - priority: - description: Determines ordering of `WasmPlugins` in the same `phase`. - nullable: true - type: integer - selector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - sha256: - description: SHA256 checksum that will be used to verify Wasm module - or OCI container. - type: string - url: - description: URL of a Wasm module or OCI container. - type: string - verificationKey: - type: string - vmConfig: - description: Configuration for a Wasm VM. - properties: - env: - description: Specifies environment variables to be injected to - this VM. - items: - properties: - name: - type: string - value: - description: Value for the environment variable. 
- type: string - valueFrom: - enum: - - INLINE - - HOST - type: string - type: object - type: array - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. 
- type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' 
- oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. 
- properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. 
- properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. 
- type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} diff --git a/common/istio-cni-1-17/istio-crds/base/kustomization.yaml b/common/istio-cni-1-17/istio-crds/base/kustomization.yaml deleted file mode 100644 index 3dd2d3cace..0000000000 --- a/common/istio-cni-1-17/istio-crds/base/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- crd.yaml -namespace: istio-system diff --git a/common/istio-cni-1-17/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-cni-1-17/istio-install/base/deny_all_authorizationpolicy.yaml deleted file mode 100644 index 390f153d38..0000000000 --- a/common/istio-cni-1-17/istio-install/base/deny_all_authorizationpolicy.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# Enforce an explicit deny-by-default authorization model, similar to -# the deprecated Istio RBAC -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: global-deny-all - namespace: istio-system -spec: - {} diff --git a/common/istio-cni-1-17/istio-install/base/gateway.yaml b/common/istio-cni-1-17/istio-install/base/gateway.yaml deleted file mode 100644 index 28ae654e1b..0000000000 --- a/common/istio-cni-1-17/istio-install/base/gateway.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-ingressgateway - labels: - release: istio -spec: - selector: - app: istio-ingressgateway - istio: ingressgateway - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - '*' 
diff --git a/common/istio-cni-1-17/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-cni-1-17/istio-install/base/gateway_authorizationpolicy.yaml
deleted file mode 100644
index e315e37241..0000000000
--- a/common/istio-cni-1-17/istio-install/base/gateway_authorizationpolicy.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# Allow all traffic to the istio-ingressgateway
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- action: ALLOW
- selector:
- # Same as the istio-ingressgateway Service selector
- matchLabels:
- app: istio-ingressgateway
- istio: ingressgateway
- rules:
- - {}
diff --git a/common/istio-cni-1-17/istio-install/base/patches/disable-debugging.yaml b/common/istio-cni-1-17/istio-install/base/patches/disable-debugging.yaml
deleted file mode 100644
index 038430d7fb..0000000000
--- a/common/istio-cni-1-17/istio-install/base/patches/disable-debugging.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Penetration test enahncement: check port 15010 & 8080 in istiod: According to https://istio.io/latest/docs/ops/best-practices/security/#control-plane port 15010
-# is not that problematic (only resource discovery). Other parts of the documentation also say| 15010 | GRPC | XDS and CA services (Plaintext, only for secure networks) |
-# We have a secure network layer and only XDS is served.
-# Port 8080 is not listed in the service and even if it would be somehow reachable by IP it only "offers read access".
-# Nevertheless we set ENABLE_DEBUG_ON_HTTP=false do disable it entirely.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: istiod
- namespace: istio-system
-spec:
- template:
- spec:
- containers:
- - name: discovery
- env:
- - name: ENABLE_DEBUG_ON_HTTP
- value: 'false'
diff --git a/common/istio-cni-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-cni-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml
deleted file mode 100644
index 4db376d17e..0000000000
--- a/common/istio-cni-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio
- namespace: istio-system
-data:
- # Configuration file for the mesh networks to be used by the Split Horizon EDS.
- mesh: |-
- accessLogFile: /dev/stdout
- defaultConfig:
- discoveryAddress: istiod.istio-system.svc:15012
- proxyMetadata: {}
- tracing: {}
- enablePrometheusMerge: true
- rootNamespace: istio-system
- tcpKeepalive:
- interval: 5s
- probes: 3
- time: 10s
- trustDomain: cluster.local
diff --git a/common/istio-cni-1-17/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-cni-1-17/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
deleted file mode 100644
index f40567eb95..0000000000
--- a/common/istio-cni-1-17/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-$patch: delete
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: istio-ingressgateway
- namespace: istio-system
diff --git a/common/istio-cni-1-17/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-cni-1-17/istio-install/base/patches/istiod-remove-pdb.yaml
deleted file mode 100644
index 3de371b704..0000000000
--- a/common/istio-cni-1-17/istio-install/base/patches/istiod-remove-pdb.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-$patch: delete
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: istiod
- namespace: istio-system
diff --git a/common/istio-cni-1-17/istio-install/base/patches/service.yaml b/common/istio-cni-1-17/istio-install/base/patches/service.yaml
deleted file mode 100644
index 5d2faff985..0000000000
--- a/common/istio-cni-1-17/istio-install/base/patches/service.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- type: ClusterIP
diff --git a/common/istio-cni-1-17/istio-install/base/x-forwarded-host.yaml b/common/istio-cni-1-17/istio-install/base/x-forwarded-host.yaml
deleted file mode 100644
index 4bae262aa6..0000000000
--- a/common/istio-cni-1-17/istio-install/base/x-forwarded-host.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-# EnvoyFilter for adding the X-Forwarded-Host header.
-# Needed for the Rok GW to work correctly.
-# Older manifests used an Istio rule, but that relies on Mixer which
-# is deprecated. This way is more performant and up-to-date.
-#
-# TODO: X-Forwarded-Host needs to be applied in two steps:
-# 1. Put old host in `X-Forwarded-Host`
-# 2. Update Host in request
-#
-# This filter only does (1). It can't do (2) because it doesn't know the new
-# host yet. See if we can add an EnvoyFilter for (2). We currently have to do
-# this per VirtualService, in each app that needs it.
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: x-forwarded-host
-spec:
- workloadSelector:
- labels:
- istio: ingressgateway
- configPatches:
- # The first patch adds the lua filter to the listener/http connection manager
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- listener:
- filterChain:
- filter:
- name: "envoy.http_connection_manager"
- subFilter:
- name: "envoy.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: envoy.filters.http.lua
- typed_config:
- "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
- inlineCode: |
- function envoy_on_request(request_handle)
- local host = request_handle:headers():get(":authority")
- request_handle:headers():add("x-forwarded-host", host)
- end
diff --git a/common/istio-cni-1-17/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-17/istio-install/overlays/oauth2-proxy/kustomization.yaml
deleted file mode 100644
index 086e1bdb88..0000000000
--- a/common/istio-cni-1-17/istio-install/overlays/oauth2-proxy/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- ../../base
-
-components:
-- ../../../../oidc-client/oauth2-proxy/components/istio-external-auth-patches
diff --git a/common/istio-cni-1-17/istio-namespace/base/namespace.yaml b/common/istio-cni-1-17/istio-namespace/base/namespace.yaml
deleted file mode 100644
index 355352bbb2..0000000000
--- a/common/istio-cni-1-17/istio-namespace/base/namespace.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: istio-system
- labels:
- istio-operator-managed: Reconcile
- istio-injection: disabled
diff --git a/common/istio-cni-1-17/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-cni-1-17/kubeflow-istio-resources/base/cluster-roles.yaml
deleted file mode 100644
index d60d4e9cd2..0000000000
--- a/common/istio-cni-1-17/kubeflow-istio-resources/base/cluster-roles.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kubeflow-istio-admin
- labels:
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
-rules: []
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kubeflow-istio-edit
- labels:
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
-rules:
-- apiGroups:
- - istio.io
- - networking.istio.io
- resources: ["*"]
- verbs:
- - get
- - list
- - watch
- - create
- - delete
- - deletecollection
- - patch
- - update
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kubeflow-istio-view
- labels:
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
-rules:
-- apiGroups:
- - istio.io
- - networking.istio.io
- resources: ["*"]
- verbs:
- - get
- - list
- - watch
diff --git a/common/istio-cni-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-cni-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml
deleted file mode 100644
index 720ff97dd3..0000000000
--- a/common/istio-cni-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: kubeflow-gateway
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - "*"
diff --git a/common/istio-cni-1-17/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-cni-1-17/kubeflow-istio-resources/base/kustomization.yaml
deleted file mode 100644
index 75669a18a5..0000000000
--- a/common/istio-cni-1-17/kubeflow-istio-resources/base/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- kf-istio-resources.yaml
-- cluster-roles.yaml
-namespace: kubeflow
diff --git a/common/istio-cni-1-17/profile-overlay.yaml b/common/istio-cni-1-17/profile-overlay.yaml
deleted file mode 100644
index 1ab0a58576..0000000000
--- a/common/istio-cni-1-17/profile-overlay.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- meshConfig:
- tcpKeepalive:
- time: 10s
- interval: 5s
- probes: 3
- components:
- ingressGateways:
- # Cluster-local gateway for KFServing
- - enabled: true
- name: cluster-local-gateway
- # https://github.com/istio/istio/issues/19263#issuecomment-615833092
- label:
- app: cluster-local-gateway
- istio: cluster-local-gateway
- k8s:
- env:
- - name: ISTIO_META_ROUTER_MODE
- value: sni-dnat
- hpaSpec:
- maxReplicas: 5
- metrics:
- - resource:
- name: cpu
- target:
- type: Utilization
- averageUtilization: 80
- type: Resource
- minReplicas: 1
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: cluster-local-gateway
- resources:
- limits:
- cpu: 2000m
- memory: 1024Mi
- requests:
- cpu: 100m
- memory: 128Mi
- service:
- type: ClusterIP
- ports:
- - name: status-port
- port: 15020
- targetPort: 15020
- - name: http2
- port: 80
- targetPort: 8080
-
- # Disable EgressGateway
- egressGateways:
- - enabled: false
- name: istio-egressgateway
diff --git a/common/istio-cni-1-17/profile.yaml b/common/istio-cni-1-17/profile.yaml
deleted file mode 100644
index 9621a5596c..0000000000
--- a/common/istio-cni-1-17/profile.yaml
+++ /dev/null
@@ -1,161 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- base:
- enabled: true
- cni:
- enabled: false
- egressGateways:
- - enabled: false
- name: istio-egressgateway
- ingressGateways:
- - enabled: true
- name: istio-ingressgateway
- istiodRemote:
- enabled: false
- pilot:
- enabled: true
- hub: docker.io/istio
- meshConfig:
- defaultConfig:
- proxyMetadata: {}
- enablePrometheusMerge: true
- profile: default
- tag: 1.17.5
- values:
- base:
- enableCRDTemplates: false
- validationURL: ""
- defaultRevision: ""
- gateways:
- istio-egressgateway:
- autoscaleEnabled: true
- env: {}
- name: istio-egressgateway
- secretVolumes:
- - mountPath: /etc/istio/egressgateway-certs
- name: egressgateway-certs
- secretName: istio-egressgateway-certs
- - mountPath: /etc/istio/egressgateway-ca-certs
- name: egressgateway-ca-certs
- secretName: istio-egressgateway-ca-certs
- type: ClusterIP
- istio-ingressgateway:
- autoscaleEnabled: true
- env: {}
- name: istio-ingressgateway
- secretVolumes:
- - mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-certs
- secretName: istio-ingressgateway-certs
- - mountPath: /etc/istio/ingressgateway-ca-certs
- name: ingressgateway-ca-certs
- secretName: istio-ingressgateway-ca-certs
- type: LoadBalancer
- global:
- configValidation: true
- defaultNodeSelector: {}
- defaultPodDisruptionBudget:
- enabled: true
- defaultResources:
- requests:
- cpu: 10m
- imagePullPolicy: ""
- imagePullSecrets: []
- istioNamespace: istio-system
- istiod:
- enableAnalysis: false
- jwtPolicy: third-party-jwt
- logAsJson: false
- logging:
- level: default:info
- meshNetworks: {}
- mountMtlsCerts: false
- multiCluster:
- clusterName: ""
- enabled: false
- network: ""
- omitSidecarInjectorConfigMap: false
- oneNamespace: false
- operatorManageWebhooks: false
- pilotCertProvider: istiod
- priorityClassName: ""
- proxy:
- autoInject: enabled
- clusterDomain: cluster.local
- componentLogLevel: misc:error
- enableCoreDump: false
- excludeIPRanges: ""
- excludeInboundPorts: ""
- excludeOutboundPorts: ""
- image: proxyv2
- includeIPRanges: '*'
- logLevel: warning
- privileged: false
- readinessFailureThreshold: 30
- readinessInitialDelaySeconds: 1
- readinessPeriodSeconds: 2
- resources:
- limits:
- cpu: 2000m
- memory: 1024Mi
- requests:
- cpu: 100m
- memory: 128Mi
- statusPort: 15020
- tracer: zipkin
- proxy_init:
- image: proxyv2
- resources:
- limits:
- cpu: 2000m
- memory: 1024Mi
- requests:
- cpu: 10m
- memory: 10Mi
- sds:
- token:
- aud: istio-ca
- sts:
- servicePort: 0
- tracer:
- datadog: {}
- lightstep: {}
- stackdriver: {}
- zipkin: {}
- useMCP: false
- istiodRemote:
- injectionURL: ""
- pilot:
- autoscaleEnabled: true
- autoscaleMax: 5
- autoscaleMin: 1
- configMap: true
- cpu:
- targetAverageUtilization: 80
- enableProtocolSniffingForInbound: true
- enableProtocolSniffingForOutbound: true
- env: {}
- image: pilot
- keepaliveMaxServerConnectionAge: 30m
- nodeSelector: {}
- podLabels: {}
- replicaCount: 1
- traceSampling: 1
- telemetry:
- enabled: true
- v2:
- enabled: true
- metadataExchange:
- wasmEnabled: false
- prometheus:
- enabled: true
- wasmEnabled: false
- stackdriver:
- configOverride: {}
- enabled: false
- logging: false
- monitoring: false
- topology: false
-
diff --git a/common/istio-cni-1-17/split-istio-packages b/common/istio-cni-1-17/split-istio-packages
deleted file mode 100755
index bc119aeea5..0000000000
--- a/common/istio-cni-1-17/split-istio-packages
+++ /dev/null
@@ -1,72 +0,0 @@ -#!/usr/bin/env python3 - -import sys -import argparse -import ruamel.yaml - - -DESCRIPTION = """ Separate Istio YAML into separate components. - -Separate Istio YAML definitions into four separate components: crds, install -and cluster-local-gateway. -""" - - -class YAMLEmitterNoVersionDirective(ruamel.yaml.emitter.Emitter): - """YAML Emitter that doesn't emit the YAML version directive.""" - - def write_version_directive(self, version_text): - """Disable emitting version directive, i.e., %YAML 1.1.""" - pass - - -class YAML(ruamel.yaml.YAML): - """Wrapper of the ruamel.yaml.YAML class with our custom settings.""" - - def __init__(self, *args, **kwargs): - super(YAML, self).__init__(*args, **kwargs) - # XXX: Explicitly set version for producing K8s compatible manifests. - # https://yaml.readthedocs.io/en/latest/detail.html#document-version-support - self.version = (1, 1) - # XXX: Do not emit version directive since tools might fail to - # parse manifests. - self.Emitter = YAMLEmitterNoVersionDirective - - -yaml = YAML() - - -def parse_args(): - parser = argparse.ArgumentParser( - description=DESCRIPTION, - formatter_class=argparse.ArgumentDefaultsHelpFormatter) - parser.add_argument("-f", "--manifest-file", type=str, required=True, - dest="manifest_file", - help="Istio YAML, generated by istioctl.") - return parser.parse_args() - - -def main(): - args = parse_args() - with open(args.manifest_file, "r") as f: - objects = [obj for obj in list(yaml.load_all(f)) if obj] - crds, install, cluster_local = [], [], [] - for obj in objects: - if obj.get("kind") == "CustomResourceDefinition": - crds.append(obj) - elif (obj.get("metadata", {}).get("name", ""). 
- startswith("cluster-local-gateway")): - cluster_local.append(obj) - else: - install.append(obj) - - with open("crd.yaml", "w") as f: - yaml.dump_all(crds, f) - with open("install.yaml", "w") as f: - yaml.dump_all(install, f) - with open("cluster-local-gateway.yaml", "w") as f: - yaml.dump_all(cluster_local, f) - - -if __name__ == "__main__": - sys.exit(main()) diff --git a/common/istio-cni-1-17/README.md b/common/istio-cni-1-18/README.md similarity index 100% rename from common/istio-cni-1-17/README.md rename to common/istio-cni-1-18/README.md diff --git a/common/istio-cni-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-cni-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml similarity index 97% rename from common/istio-cni-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml rename to common/istio-cni-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml index 20ecc30f15..1134c395c1 100644 --- a/common/istio-cni-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml +++ b/common/istio-cni-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml @@ -35,6 +35,7 @@ spec: template: metadata: annotations: + istio.io/rev: default prometheus.io/path: /stats/prometheus prometheus.io/port: '15020' prometheus.io/scrape: 'true' @@ -99,6 +100,10 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: SERVICE_ACCOUNT valueFrom: fieldRef: @@ -120,7 +125,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.17.5 + image: docker.io/istio/proxyv2:1.18.7 name: istio-proxy ports: - containerPort: 15020 
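Review bot: The `ISTIO_CPU_LIMIT` variable added in `@@ -99,6 +100,10 @@` reads `limits.cpu` through the downward API, and when a container declares no CPU limit Kubernetes substitutes the node's allocatable CPU, so the proxy would size itself to the whole node; the istio-proxy container's `resources.limits.cpu` is outside this hunk, so confirm it is set by this file or by the kustomize overlay. The identical addition appears in the injection templates of install.yaml (`@@ -2074,6 +1019,10 @@` and `@@ -2401,6 +1350,10 @@`), and with the `--concurrency` argument removed in `@@ -2024,10 +973,6 @@` this env var presumably becomes the only input to proxy concurrency sizing. Since these files are generated, record the behaviour in the directory README rather than hand-editing the YAML, e.g. `ISTIO_CPU_LIMIT falls back to node-allocatable CPU when the proxy container has no CPU limit; set resources.limits.cpu in the overlay to bound proxy concurrency.`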
diff --git a/common/istio-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-cni-1-18/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
similarity index 100%
rename from common/istio-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
rename to common/istio-cni-1-18/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
diff --git a/common/istio-1-17/cluster-local-gateway/base/gateway.yaml b/common/istio-cni-1-18/cluster-local-gateway/base/gateway.yaml
similarity index 100%
rename from common/istio-1-17/cluster-local-gateway/base/gateway.yaml
rename to common/istio-cni-1-18/cluster-local-gateway/base/gateway.yaml
diff --git a/common/istio-1-17/cluster-local-gateway/base/kustomization.yaml b/common/istio-cni-1-18/cluster-local-gateway/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-17/cluster-local-gateway/base/kustomization.yaml
rename to common/istio-cni-1-18/cluster-local-gateway/base/kustomization.yaml
diff --git a/common/istio-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-cni-1-18/cluster-local-gateway/base/patches/remove-pdb.yaml
similarity index 100%
rename from common/istio-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml
rename to common/istio-cni-1-18/cluster-local-gateway/base/patches/remove-pdb.yaml
diff --git a/common/istio-1-17/istio-crds/base/crd.yaml b/common/istio-cni-1-18/istio-crds/base/crd.yaml
similarity index 100%
rename from common/istio-1-17/istio-crds/base/crd.yaml
rename to common/istio-cni-1-18/istio-crds/base/crd.yaml
diff --git a/common/istio-1-17/istio-crds/base/kustomization.yaml b/common/istio-cni-1-18/istio-crds/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-17/istio-crds/base/kustomization.yaml
rename to common/istio-cni-1-18/istio-crds/base/kustomization.yaml
diff --git a/common/istio-1-17/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-cni-1-18/istio-install/base/deny_all_authorizationpolicy.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/deny_all_authorizationpolicy.yaml rename to common/istio-cni-1-18/istio-install/base/deny_all_authorizationpolicy.yaml diff --git a/common/istio-1-17/istio-install/base/gateway.yaml b/common/istio-cni-1-18/istio-install/base/gateway.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/gateway.yaml rename to common/istio-cni-1-18/istio-install/base/gateway.yaml diff --git a/common/istio-1-17/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-cni-1-18/istio-install/base/gateway_authorizationpolicy.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/gateway_authorizationpolicy.yaml rename to common/istio-cni-1-18/istio-install/base/gateway_authorizationpolicy.yaml diff --git a/common/istio-cni-1-17/istio-install/base/install.yaml b/common/istio-cni-1-18/istio-install/base/install.yaml similarity index 75% rename from common/istio-cni-1-17/istio-install/base/install.yaml rename to common/istio-cni-1-18/istio-install/base/install.yaml index c5fe6e1ade..0352653ec5 100644 --- a/common/istio-cni-1-17/istio-install/base/install.yaml +++ b/common/istio-cni-1-18/istio-install/base/install.yaml @@ -62,11 +62,8 @@ metadata: operator.istio.io/component: Cni rules: - apiGroups: [''] - resources: - - pods - - nodes - verbs: - - get + resources: [pods, nodes, namespaces] + verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
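Review bot: The CNI ClusterRole in `@@ -62,11 +62,8 @@` now grants cluster-wide `list` and `watch` on pods, nodes and namespaces where it previously had only `get` on pods and nodes, and nothing in the commit records that the service account's reach widened; the same goes for the second ClusterRole in `@@ -81,10 +78,10 @@` (presumably the CNI repair role), which keeps cluster-wide `delete` on pods as its own rule while dropping the events rule entirely, and for `@@ -235,18 +232,6 @@`, which removes istiod's CSR approval rights for the `kubernetes.io/legacy-unknown` signer. These look like verbatim istioctl 1.18.7 output, so the fix is not to hand-edit install.yaml but to note the RBAC delta in the directory README, e.g. `1.18.7: istio-cni SA gains list/watch on pods, nodes, namespaces; repair SA keeps cluster-wide pod delete; istiod no longer holds certificatesigningrequests/approval`. Because the profile.yaml and the split-istio-packages script that produced this manifest are deleted earlier in this patch, also confirm that a 1.18 copy of the generator inputs is carried somewhere, otherwise the file can no longer be regenerated and diffed against upstream — whether such a copy exists is not visible from this chunk.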
@@ -81,10 +78,10 @@ metadata: rules: - apiGroups: [''] resources: [pods] - verbs: [get, list, watch, delete, patch, update] + verbs: [watch, get, list] - apiGroups: [''] - resources: [events] - verbs: [get, list, watch, delete, patch, update, create] + resources: [pods] + verbs: [delete] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -235,18 +232,6 @@ rules: verbs: [create, get, list, watch, update] # Istiod and bootstrap. -- apiGroups: [certificates.k8s.io] - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: [update, create, get, delete, watch] -- apiGroups: [certificates.k8s.io] - resources: - - signers - resourceNames: - - kubernetes.io/legacy-unknown - verbs: [approve] # Used by Istiod to verify the JWT tokens - apiGroups: [authentication.k8s.io] 
@@ -572,1024 +557,6 @@ webhooks: values: - default --- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.13 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: 
envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.14 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - 
config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.15 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - 
runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.16 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - 
name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": 
"false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.17 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {disable_host_header_fallback: true} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {disable_host_header_fallback: true} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.13 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - 
match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: 
envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.14 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: 
type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.15 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: 
NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.16 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - 
root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.17 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - 
proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} ---- apiVersion: v1 kind: ConfigMap metadata: @@ -1613,6 +580,9 @@ data: tracing: zipkin: address: zipkin.istio-system:9411 + defaultProviders: + metrics: + - prometheus enablePrometheusMerge: true rootNamespace: istio-system tcpKeepalive: @@ -1641,7 +611,8 @@ data: "name": "istio-cni", "type": "istio-cni", "log_level": "debug", - "log_uds_address": "__LOG_UDS_ADDRESS__", + "log_uds_address": "__LOG_UDS_ADDRESS__", + "kubernetes": { "kubeconfig": "__KUBECONFIG_FILEPATH__", "cni_bin_dir": "/opt/cni/bin", @@ -1715,7 +686,6 @@ data: "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", - "holdApplicationUntilProxyStarts": false, "image": "proxyv2", "includeIPRanges": "*", "includeInboundPorts": "*", @@ -1739,17 +709,7 @@ data: "tracer": "zipkin" }, "proxy_init": { - "image": "proxyv2", - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } - } + "image": "proxyv2" }, "remotePilotAddress": "", "sds": { @@ -1760,24 +720,12 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.17.5", + "tag": "1.18.7", "tracer": { - "datadog": { - "address": "$(HOST_IP):8126" - }, - "lightstep": { - "accessToken": "", - "address": "" - }, - "stackdriver": { - "debug": false, - "maxNumberOfAnnotations": 200, - "maxNumberOfAttributes": 200, - "maxNumberOfMessageEvents": 200 - }, - "zipkin": { - "address": "" - } + "datadog": {}, + "lightstep": {}, + "stackdriver": {}, + "zipkin": {} }, "useMCP": false, "variant": "" 
@@ -1851,6 +799,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", @@ -1897,7 +846,7 @@ data: - "-p" - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - "-z" - - "15006" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - "-u" - "1337" - "-m" @@ -2024,10 +973,6 @@ data: {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} - {{- if gt .EstimatedConcurrency 0 }} - - --concurrency - - "{{ .EstimatedConcurrency }}" - {{- end -}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} @@ -2074,6 +1019,10 @@ data: valueFrom: fieldRef: fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} 
@@ -2333,8 +1282,8 @@ data: labels: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - istio.io/rev: {{ index .ObjectMeta.Labels `istio.io/rev` | default .Revision | default "default" | quote }} annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", @@ -2401,6 +1350,10 @@ data: valueFrom: fieldRef: fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} @@ -2661,6 +1614,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { + istio.io/rev: {{ .Revision | default "default" }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 
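Review bot: The annotation added in the `@@ -2661` hunk, `istio.io/rev: {{ .Revision | default "default" }},`, omits the `| quote` that the same line carries in the two earlier templates (`@@ -1851` and `@@ -2333`); inside the `{ ... }` flow mapping an unquoted revision is parsed as a bare scalar, so a revision value containing YAML-significant characters would render differently here than in the sidecar templates. Suggest `istio.io/rev: {{ .Revision | default "default" | quote }},` for consistency. The enclosing template string starts and ends outside this hunk.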
@@ -2946,6 +1900,558 @@ data: securityContext: fsGroup: 1337 {{- end }} + waypoint: | + apiVersion: v1 + kind: ServiceAccount + metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap .Labels | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + spec: + selector: + matchLabels: + istio.io/gateway-name: "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "ambient.istio.io/redirection" "disabled" + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .Labels + (strdict + "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - 
--proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - 
name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + image: {{.ProxyImage}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + name: istio-proxy + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: true + runAsGroup: 1337 + runAsUser: 0 + capabilities: + add: + - NET_ADMIN + - NET_RAW + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + --- + apiVersion: v1 + kind: Service + metadata: + annotations: + {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{ toJsonMap .Labels | nindent 4}} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + spec: + ports: + - name: https-hbone + port: 15008 + protocol: TCP + appProtocol: https + selector: + istio.io/gateway-name: "{{.Name}}" + --- + kube-gateway: | + apiVersion: v1 + kind: ServiceAccount + metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap .Labels | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" + spec: + selector: + matchLabels: + istio.io/gateway-name: {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + 
"service.istio.io/canonical-revision" "latest" + ) + .Labels + (strdict "istio.io/gateway-name" .Name) | nindent 8}} + spec: + {{- if .KubeVersion122 }} + {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + image: "{{ .ProxyImage }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + {{- if .KubeVersion122 }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + {{- else }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 0 + runAsGroup: 1337 + runAsNonRoot: false + allowPrivilegeEscalation: true + readOnlyRootFilesystem: true + {{- end }} + ports: + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: 
{{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: 
TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .Labels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: 
istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + --- + apiVersion: v1 + kind: Service + metadata: + annotations: + {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{ toJsonMap .Labels | nindent 4}} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} + spec: + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + istio.io/gateway-name: {{.Name}} + {{- if .Spec.Addresses }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ index .Annotations "networking.istio.io/service-type" | default "LoadBalancer" | quote }} + --- --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration 
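Review bot: The new `waypoint` template runs its `istio-proxy` container with `privileged: true`, `runAsUser: 0` and `NET_ADMIN`/`NET_RAW`, well above what the sidecar and `kube-gateway` templates request. It is only instantiated when a waypoint Gateway is created, and I do not see an ambient-enabling setting in the visible hunks (the CNI and istiod pods are even annotated `ambient.istio.io/redirection: disabled`), so the change is inert today, but that is worth stating in the manifest so a later bump does not enable it unnoticed. A YAML comment directly under `waypoint: |`, e.g. `# ambient waypoint template (privileged, root, NET_ADMIN/NET_RAW); unused unless ambient/waypoint Gateways are enabled`, would match the `# SDS channel ...` comments already used inside these templates. The `kube-gateway` template's pre-1.22 branch likewise runs as uid 0 with `allowPrivilegeEscalation: true`; both templates come from upstream Istio, so this is a documentation point rather than a change to them.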
@@ -3101,6 +2607,7 @@ spec:
 sidecar.istio.io/inject: 'false'
 annotations:
 sidecar.istio.io/inject: 'false'
+ ambient.istio.io/redirection: disabled
 # Add Prometheus Scrape annotations
 prometheus.io/scrape: 'true'
 prometheus.io/port: '15014'
@@ -3109,6 +2616,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+ # Can be configured to allow for excluding instio-cni from being scheduled on specified nodes
 tolerations:
 # Make sure istio-cni-node gets scheduled on all nodes.
 - effect: NoSchedule
@@ -3127,7 +2635,7 @@ spec:
 # This container installs the Istio CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
- image: docker.io/istio/install-cni:1.17.5
+ image: docker.io/istio/install-cni:1.18.7
 readinessProbe:
 httpGet:
 path: /readyz
@@ -3159,7 +2667,7 @@ spec:
 fieldRef:
 fieldPath: spec.nodeName
 - name: REPAIR_LABEL_PODS
- value: 'true'
+ value: 'false'
 # Set to true to enable pod deletion
 - name: REPAIR_DELETE_PODS
 value: 'true'
@@ -3173,6 +2681,13 @@ spec:
 value: cni.istio.io/uninitialized
 - name: REPAIR_BROKEN_POD_LABEL_VALUE
 value: 'true'
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: LOG_LEVEL
+ value: debug
 volumeMounts:
 - mountPath: /host/opt/cni/bin
 name: cni-bin-dir
@@ -3196,6 +2711,9 @@ spec:
 - name: cni-log-dir
 hostPath:
 path: /var/run/istio-cni
+ - name: cni-netns-dir
+ hostPath:
+ path: /var/run/netns
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -3233,6 +2751,7 @@ spec:
 operator.istio.io/component: IngressGateways
 sidecar.istio.io/inject: 'false'
 annotations:
+ istio.io/rev: default
 prometheus.io/port: '15020'
 prometheus.io/scrape: 'true'
 prometheus.io/path: /stats/prometheus
@@ -3246,7 +2765,7 @@ spec:
 serviceAccountName: istio-ingressgateway-service-account
 containers:
 - name: istio-proxy
- image: docker.io/istio/proxyv2:1.17.5
+ image: docker.io/istio/proxyv2:1.18.7
 ports:
 - containerPort: 15021
 protocol: TCP
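Review bot: The comment added above `tolerations:` in the `@@ -3109` hunk misspells the component (`instio-cni`) and reads indirectly; suggest `# Tolerations can be adjusted to keep istio-cni off specific nodes` so it pairs with the existing `# Make sure istio-cni-node gets scheduled on all nodes.` line beneath it.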
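Review bot: `LOG_LEVEL: debug` for the `install-cni` node agent (the `@@ -3173` hunk), on top of the `"log_level": "debug"` already present in the CNI plugin config in the `@@ -1641` hunk, leaves every node's CNI agent at debug verbosity in the base manifest, and that output is verbose and lands in node-local logs. This repo already carries a `disable-debugging.yaml` patch for the istiod side (renamed in this same diff), so either set `value: info` here or extend that patch to cover the DaemonSet. The `NODE_NAME` downward-API entry is fine. The surrounding `env:` list continues outside the hunk.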
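Review bot: The new `cni-netns-dir` hostPath in the `@@ -3196` hunk exposes `/var/run/netns` to the DaemonSet, presumably for ambient redirection; its matching `volumeMounts` entry is not in the visible hunks, so I cannot tell which container mounts it or whether it is read-only. If this base stays in sidecar mode, a comment on the volume such as `# host network namespaces; needed for ambient redirection, unused in sidecar mode` would document why the node-level exposure exists, and confirming the mount is read-only where possible keeps it to what the deployment actually needs.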
@@ -3321,6 +2840,10 @@ spec:
 fieldRef:
 apiVersion: v1
 fieldPath: status.hostIP
+ - name: ISTIO_CPU_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
 - name: SERVICE_ACCOUNT
 valueFrom:
 fieldRef:
@@ -3447,6 +2970,7 @@ spec:
 annotations:
 prometheus.io/port: '15014'
 prometheus.io/scrape: 'true'
+ ambient.istio.io/redirection: disabled
 sidecar.istio.io/inject: 'false'
 spec:
 serviceAccountName: istiod
@@ -3454,7 +2978,7 @@ spec:
 fsGroup: 1337
 containers:
 - name: discovery
- image: docker.io/istio/pilot:1.17.5
+ image: docker.io/istio/pilot:1.18.7
 args:
 - discovery
 - --monitoringAddr=:15014
@@ -3513,6 +3037,10 @@ spec:
 value: 'false'
 - name: CLUSTER_ID
 value: Kubernetes
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
 resources:
 requests:
 cpu: 500m
@@ -3651,6 +3179,10 @@ rules:
 - apiGroups: ['']
 resources: [configmaps]
 verbs: [delete]
+
+- apiGroups: [coordination.k8s.io]
+ resources: [leases]
+ verbs: [get, update, patch, create]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/common/istio-cni-1-17/istio-install/base/kustomization.yaml b/common/istio-cni-1-18/istio-install/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-17/istio-install/base/kustomization.yaml
rename to common/istio-cni-1-18/istio-install/base/kustomization.yaml
diff --git a/common/istio-1-17/istio-install/base/patches/disable-debugging.yaml b/common/istio-cni-1-18/istio-install/base/patches/disable-debugging.yaml
similarity index 100%
rename from common/istio-1-17/istio-install/base/patches/disable-debugging.yaml
rename to common/istio-cni-1-18/istio-install/base/patches/disable-debugging.yaml
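Review bot: `GOMEMLIMIT` in the `@@ -3513` hunk is taken from `limits.memory`, but when a container declares no memory limit the downward API substitutes the node's allocatable memory, so the Go runtime would target the whole node rather than a container bound; the visible `resources:` block only shows `requests:`, so confirm that istiod's `limits.memory` is set in the lines outside this hunk, or add one. The same fallback applies to the `ISTIO_CPU_LIMIT` entries sourced from `limits.cpu` that this diff adds to the sidecar, gateway and ingress templates.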
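Review bot: The added `coordination.k8s.io`/`leases` rule in the `@@ -3651` hunk grants `get, update, patch, create` on every lease in the object's scope with no `resourceNames` restriction; the `kind:` of the object it belongs to is outside the hunk, so if it is a ClusterRole rather than the namespaced Role that follows, istiod could write any lease cluster-wide, including other controllers' leader-election leases. Worth confirming the object kind and, if it is cluster-scoped, narrowing the rule to the istio-system namespace or to the specific lease names istiod uses.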
diff --git a/common/istio-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-cni-1-18/istio-install/base/patches/istio-configmap-disable-tracing.yaml
similarity index 100%
rename from common/istio-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml
rename to common/istio-cni-1-18/istio-install/base/patches/istio-configmap-disable-tracing.yaml
diff --git a/common/istio-1-17/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-cni-1-18/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
similarity index 100%
rename from common/istio-1-17/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
rename to common/istio-cni-1-18/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
diff --git a/common/istio-1-17/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-cni-1-18/istio-install/base/patches/istiod-remove-pdb.yaml
similarity index 100%
rename from common/istio-1-17/istio-install/base/patches/istiod-remove-pdb.yaml
rename to common/istio-cni-1-18/istio-install/base/patches/istiod-remove-pdb.yaml
diff --git a/common/istio-1-17/istio-install/base/patches/service.yaml b/common/istio-cni-1-18/istio-install/base/patches/service.yaml
similarity index 100%
rename from common/istio-1-17/istio-install/base/patches/service.yaml
rename to common/istio-cni-1-18/istio-install/base/patches/service.yaml
diff --git a/common/istio-1-17/istio-install/base/x-forwarded-host.yaml b/common/istio-cni-1-18/istio-install/base/x-forwarded-host.yaml
similarity index 100%
rename from common/istio-1-17/istio-install/base/x-forwarded-host.yaml
rename to common/istio-cni-1-18/istio-install/base/x-forwarded-host.yaml
diff --git a/common/istio-1-17/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-18/istio-install/overlays/oauth2-proxy/kustomization.yaml
similarity index 100%
rename from common/istio-1-17/istio-install/overlays/oauth2-proxy/kustomization.yaml
rename to common/istio-cni-1-18/istio-install/overlays/oauth2-proxy/kustomization.yaml
diff --git a/common/istio-cni-1-17/istio-namespace/base/kustomization.yaml b/common/istio-cni-1-18/istio-namespace/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-17/istio-namespace/base/kustomization.yaml
rename to common/istio-cni-1-18/istio-namespace/base/kustomization.yaml
diff --git a/common/istio-1-17/istio-namespace/base/namespace.yaml b/common/istio-cni-1-18/istio-namespace/base/namespace.yaml
similarity index 100%
rename from common/istio-1-17/istio-namespace/base/namespace.yaml
rename to common/istio-cni-1-18/istio-namespace/base/namespace.yaml
diff --git a/common/istio-1-17/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-cni-1-18/kubeflow-istio-resources/base/cluster-roles.yaml
similarity index 100%
rename from common/istio-1-17/kubeflow-istio-resources/base/cluster-roles.yaml
rename to common/istio-cni-1-18/kubeflow-istio-resources/base/cluster-roles.yaml
diff --git a/common/istio-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-cni-1-18/kubeflow-istio-resources/base/kf-istio-resources.yaml
similarity index 100%
rename from common/istio-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml
rename to common/istio-cni-1-18/kubeflow-istio-resources/base/kf-istio-resources.yaml
diff --git a/common/istio-1-17/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-cni-1-18/kubeflow-istio-resources/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-17/kubeflow-istio-resources/base/kustomization.yaml
rename to common/istio-cni-1-18/kubeflow-istio-resources/base/kustomization.yaml
diff --git a/common/istio-1-17/profile-overlay.yaml b/common/istio-cni-1-18/profile-overlay.yaml
similarity index 100%
rename from common/istio-1-17/profile-overlay.yaml
rename to common/istio-cni-1-18/profile-overlay.yaml
diff --git a/common/istio-1-17/profile.yaml b/common/istio-cni-1-18/profile.yaml
similarity index 95%
rename from common/istio-1-17/profile.yaml
rename to common/istio-cni-1-18/profile.yaml
index 9621a5596c..3048418468 100644
--- a/common/istio-1-17/profile.yaml
+++ b/common/istio-cni-1-18/profile.yaml
@@ -22,7 +22,7 @@ spec:
 proxyMetadata: {}
 enablePrometheusMerge: true
 profile: default
- tag: 1.17.5
+ tag: 1.18.7
 values:
 base:
 enableCRDTemplates: false
@@ -107,13 +107,6 @@ spec:
 tracer: zipkin
 proxy_init:
 image: proxyv2
- resources:
- limits:
- cpu: 2000m
- memory: 1024Mi
- requests:
- cpu: 10m
- memory: 10Mi
 sds:
 token:
 aud: istio-ca
diff --git a/common/istio-1-17/split-istio-packages b/common/istio-cni-1-18/split-istio-packages
similarity index 100%
rename from common/istio-1-17/split-istio-packages
rename to common/istio-cni-1-18/split-istio-packages
diff --git a/common/oidc-client/oauth2-proxy/README.md b/common/oidc-client/oauth2-proxy/README.md
index f3699bce7e..4335be8469 100644
--- a/common/oidc-client/oauth2-proxy/README.md
+++ b/common/oidc-client/oauth2-proxy/README.md
@@ -169,9 +169,9 @@ make the following changes to the `example/kustomization.yaml` file: * use `oauth2-proxy` overlay for istio-install ``` # from - - ../common/istio-1-17/istio-install/base + - ../common/istio-1-18/istio-install/base # to - - ../common/istio-1-17/istio-install/overlays/oauth2-proxy + - ../common/istio-1-18/istio-install/overlays/oauth2-proxy ``` * change `OIDC Authservice` to `oauth2-proxy for OIDC` and use overlay for m2m bearer tokens with self-signed in-cluster issuer
@@ -204,12 +204,12 @@ index c1a85789..4a50440c 100644
 +++ b/example/kustomization.yaml
@@ -38,11 +38,11 @@ resources: # Istio - - ../common/istio-1-17/istio-crds/base - - ../common/istio-1-17/istio-namespace/base --- ../common/istio-1-17/istio-install/base + - ../common/istio-1-18/istio-crds/base + - ../common/istio-1-18/istio-namespace/base +-- ../common/istio-1-18/istio-install/base -# OIDC Authservice -- ../common/oidc-client/oidc-authservice/base -+- ../common/istio-1-17/istio-install/overlays/oauth2-proxy ++- ../common/istio-1-18/istio-install/overlays/oauth2-proxy +# oauth2-proxy for OIDC +- ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed # Dex
diff --git a/contrib/kserve/README.md b/contrib/kserve/README.md
index 4eea52736b..65f42d8b19 100644
--- a/contrib/kserve/README.md
+++ b/contrib/kserve/README.md
@@ -61,15 +61,15 @@ For upgrading see [UPGRADE.md](UPGRADE.md)
 ```
 5. Install Istio
 ```sh
- kubectl apply -k ../../common/istio-1-17/istio-crds/base
- kubectl apply -k ../../common/istio-1-17/istio-namespace/base
- kubectl apply -k ../../common/istio-1-17/istio-install/base
+ kubectl apply -k ../../common/istio-1-18/istio-crds/base
+ kubectl apply -k ../../common/istio-1-18/istio-namespace/base
+ kubectl apply -k ../../common/istio-1-18/istio-install/base
 ```
 6. Install knative
 ```sh
 kubectl apply -k ../../common/knative/knative-serving/overlays/gateways
- kubectl apply -k ../../common/istio-1-17/cluster-local-gateway/base
- kubectl apply -k ../../common/istio-1-17/kubeflow-istio-resources/base
+ kubectl apply -k ../../common/istio-1-18/cluster-local-gateway/base
+ kubectl apply -k ../../common/istio-1-18/kubeflow-istio-resources/base
 ```
 7. Install kserve
 ```sh
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index c00819031d..f292f0122a 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
@@ -37,9 +37,9 @@ resources:
 - ../common/cert-manager/cert-manager/base
 - ../common/cert-manager/kubeflow-issuer/base
 # Istio
-- ../common/istio-1-17/istio-crds/base
-- ../common/istio-1-17/istio-namespace/base
-- ../common/istio-1-17/istio-install/overlays/oauth2-proxy
+- ../common/istio-1-18/istio-crds/base
+- ../common/istio-1-18/istio-namespace/base
+- ../common/istio-1-18/istio-install/overlays/oauth2-proxy
 # oauth2-proxy
 - ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed
 # Dex
@@ -47,7 +47,7 @@ resources:
 # KNative
 - ../common/knative/knative-serving/overlays/gateways
 - ../common/knative/knative-eventing/base
-- ../common/istio-1-17/cluster-local-gateway/base
+- ../common/istio-1-18/cluster-local-gateway/base
 # Kubeflow namespace
 - ../common/kubeflow-namespace/base
 # NetworkPolicies
@@ -55,7 +55,7 @@ resources: # Kubeflow Roles - ../common/kubeflow-roles/base # Kubeflow Istio Resources -- ../common/istio-1-17/kubeflow-istio-resources/base +- ../common/istio-1-18/kubeflow-istio-resources/base # Kubeflow Pipelines
diff --git a/hack/extract_images.sh b/hack/extract_images.sh
index 5db55390b9..96a0158ccb 100755
--- a/hack/extract_images.sh
+++ b/hack/extract_images.sh
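Review bot: The resource paths here point at `../common/istio-1-18/...`, but every rename visible in this diff moves the 1.17 directories to `common/istio-cni-1-18/` (for example `rename to common/istio-cni-1-18/profile.yaml`) and I see no hunk creating a `common/istio-1-18` tree; unless it is created outside the visible part of the patch, `kustomize build example` fails on a missing resource. The same dangling prefix is used in `hack/extract_images.sh`, `tests/gh-actions/install_knative.sh`, `contrib/kserve/README.md` and the oauth2-proxy README, while `tests/gh-actions/install_istio-cni.sh` and `install_knative-cni.sh` already use `istio-cni-1-18`. Either point these at `../common/istio-cni-1-18/istio-crds/base` (and the sibling entries) or keep a plain `istio-1-18` directory next to the CNI variant, and add a CI build of `example/` so a broken path is caught before merge.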
@@ -15,7 +15,7 @@ declare -A wg_dirs=(
 [automl]="../apps/katib/upstream/installs"
 [pipelines]="../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env"
 [training]="../apps/training-operator/upstream/overlays"
- [manifests]="../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-17/istio-crds/base ../common/istio-1-17/istio-namespace/base ../common/istio-1-17/istio-install/overlays/oauth2-proxy ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-17/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-17/kubeflow-istio-resources/base"
+ [manifests]="../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-18/istio-crds/base ../common/istio-1-18/istio-namespace/base ../common/istio-1-18/istio-install/overlays/oauth2-proxy ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-18/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-18/kubeflow-istio-resources/base"
 [workbenches]="../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/upstream/overlays/oauth2-proxy ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays"
 [serving]="../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow"
 [model-registry]="../apps/model-registry/upstream"
diff --git a/tests/gh-actions/install_istio-cni.sh b/tests/gh-actions/install_istio-cni.sh
index 05b2d0ab0a..9c8cdbbac0 100755
--- a/tests/gh-actions/install_istio-cni.sh
+++ b/tests/gh-actions/install_istio-cni.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 echo "Installing Istio-cni ..."
-cd common/istio-cni-1-17
+cd common/istio-cni-1-18
 kustomize build istio-crds/base | kubectl apply -f -
 kustomize build istio-namespace/base | kubectl apply -f -
 kustomize build istio-install/base | kubectl apply -f -
\ No newline at end of file
diff --git a/tests/gh-actions/install_knative-cni.sh b/tests/gh-actions/install_knative-cni.sh
index 4381f0a000..06787b4adb 100755
--- a/tests/gh-actions/install_knative-cni.sh
+++ b/tests/gh-actions/install_knative-cni.sh
@@ -6,8 +6,8 @@ kustomize build common/knative/knative-serving/base | kubectl apply -f - set -e kustomize build common/knative/knative-serving/base | kubectl apply -f - -kustomize build common/istio-cni-1-17/cluster-local-gateway/base | kubectl apply -f - -kustomize build common/istio-cni-1-17/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-cni-1-18/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-cni-1-18/kubeflow-istio-resources/base | kubectl apply -f - kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 600s kubectl patch cm config-domain --patch '{"data":{"example.com":""}}' -n knative-serving
diff --git a/tests/gh-actions/install_knative.sh b/tests/gh-actions/install_knative.sh
index cf409a64c9..94b3b0f044 100755
--- a/tests/gh-actions/install_knative.sh
+++ b/tests/gh-actions/install_knative.sh
@@ -6,8 +6,8 @@ kustomize build common/knative/knative-serving/base | kubectl apply -f - set -e kustomize build common/knative/knative-serving/base | kubectl apply -f - -kustomize build common/istio-1-17/cluster-local-gateway/base | kubectl apply -f - -kustomize build common/istio-1-17/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-1-18/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-1-18/kubeflow-istio-resources/base | kubectl apply -f - kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 600s kubectl patch cm config-domain --patch '{"data":{"example.com":""}}' -n knative-serving