From a39de80d7cd204f82df0e4aac8dcba5ff31c9ed0 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Tue, 4 Jun 2024 19:46:14 +0530 Subject: [PATCH 1/2] Upgraded istio to v1.19.10 Signed-off-by: biswajit-9776 --- .../notebook_controller_m2m_test.yaml | 2 +- .github/workflows/pipeline_test.yaml | 2 +- README.md | 12 +- common/{istio-1-18 => istio-1-19}/README.md | 2 +- .../base/cluster-local-gateway.yaml | 45 +- .../base/gateway-authorizationpolicy.yaml | 0 .../cluster-local-gateway/base/gateway.yaml | 0 .../base/kustomization.yaml | 0 .../base/patches/remove-pdb.yaml | 0 .../istio-crds/base/crd.yaml | 122 +- .../istio-crds/base/kustomization.yaml | 0 .../base/deny_all_authorizationpolicy.yaml | 0 .../istio-install/base/gateway.yaml | 0 .../base/gateway_authorizationpolicy.yaml | 0 .../istio-install/base/install.yaml | 1679 +++++++++-------- .../istio-install/base/kustomization.yaml | 0 .../base/patches/disable-debugging.yaml | 0 .../istio-configmap-disable-tracing.yaml | 0 .../istio-ingressgateway-remove-pdb.yaml | 0 .../base/patches/istiod-remove-pdb.yaml | 0 .../istio-install/base/patches/service.yaml | 0 .../istio-install/base/x-forwarded-host.yaml | 0 .../overlays/oauth2-proxy/kustomization.yaml | 0 .../istio-namespace/base/kustomization.yaml | 0 .../istio-namespace/base/namespace.yaml | 0 .../base/cluster-roles.yaml | 0 .../base/kf-istio-resources.yaml | 0 .../base/kustomization.yaml | 0 .../profile-overlay.yaml | 0 .../{istio-1-18 => istio-1-19}/profile.yaml | 4 +- .../split-istio-packages | 0 common/oidc-client/oauth2-proxy/README.md | 12 +- contrib/kserve/README.md | 10 +- example/kustomization.yaml | 10 +- hack/extract_images.sh | 2 +- tests/gh-actions/install_istio.sh | 2 +- .../gh-actions/install_istio_with_ext_auth.sh | 2 +- tests/gh-actions/install_knative.sh | 4 +- 38 files changed, 1025 insertions(+), 885 deletions(-) rename common/{istio-1-18 => istio-1-19}/README.md (98%) rename common/{istio-1-18 => istio-1-19}/cluster-local-gateway/base/cluster-local-gateway.yaml (98%) rename common/{istio-1-18 => istio-1-19}/cluster-local-gateway/base/gateway-authorizationpolicy.yaml (100%) rename common/{istio-1-18 => istio-1-19}/cluster-local-gateway/base/gateway.yaml (100%) rename common/{istio-1-18 => istio-1-19}/cluster-local-gateway/base/kustomization.yaml (100%) rename common/{istio-1-18 => istio-1-19}/cluster-local-gateway/base/patches/remove-pdb.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-crds/base/crd.yaml (98%) rename common/{istio-1-18 => istio-1-19}/istio-crds/base/kustomization.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/deny_all_authorizationpolicy.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/gateway.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/gateway_authorizationpolicy.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/install.yaml (86%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/kustomization.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/patches/disable-debugging.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/patches/istio-configmap-disable-tracing.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/patches/istiod-remove-pdb.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/patches/service.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/base/x-forwarded-host.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-install/overlays/oauth2-proxy/kustomization.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-namespace/base/kustomization.yaml (100%) rename common/{istio-1-18 => istio-1-19}/istio-namespace/base/namespace.yaml (100%) rename common/{istio-1-18 => istio-1-19}/kubeflow-istio-resources/base/cluster-roles.yaml (100%) rename common/{istio-1-18 => istio-1-19}/kubeflow-istio-resources/base/kf-istio-resources.yaml (100%) rename common/{istio-1-18 => istio-1-19}/kubeflow-istio-resources/base/kustomization.yaml (100%) rename common/{istio-1-18 => istio-1-19}/profile-overlay.yaml (100%) rename common/{istio-1-18 => istio-1-19}/profile.yaml (97%) rename common/{istio-1-18 => istio-1-19}/split-istio-packages (100%) diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml index b46a1cf025..ca130cc466 100644 --- a/.github/workflows/notebook_controller_m2m_test.yaml +++ b/.github/workflows/notebook_controller_m2m_test.yaml @@ -38,7 +38,7 @@ jobs: run: ./tests/gh-actions/install_istio_with_ext_auth.sh* - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-18/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-1-19/kubeflow-istio-resources/base | kubectl apply -f - - name: Install KF Multi Tenancy run: ./tests/gh-actions/install_multi_tenancy.sh diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index af7f8bc760..cf4655f40e 100644 --- a/.github/workflows/pipeline_test.yaml +++ b/.github/workflows/pipeline_test.yaml @@ -49,7 +49,7 @@ jobs: run: ./tests/gh-actions/install_multi_tenancy.sh - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-18/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-1-19/kubeflow-istio-resources/base | kubectl apply -f - - name: Create KF Profile run: kustomize build common/user-namespace/base | kubectl apply -f - diff --git a/README.md b/README.md index 64c1823347..d32949c533 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,7 @@ used from the different projects of Kubeflow: | Component | Local Manifests Path | Upstream Revision | | - | - | - | -| Istio | common/istio-1-18 | [1.18.7](https://github.com/istio/istio/releases/tag/1.18.7) | +| Istio | common/istio-1-19 | [1.19.10](https://github.com/istio/istio/releases/tag/1.19.10) | | Knative | common/knative/knative-serving
common/knative/knative-eventing | [v1.12.4](https://github.com/knative/serving/releases/tag/knative-v1.12.4)
[v1.12.6](https://github.com/knative/eventing/releases/tag/knative-v1.12.6) | | Cert Manager | common/cert-manager | [1.14.5](https://github.com/cert-manager/cert-manager/releases/tag/v1.12.2) | @@ -208,10 +208,10 @@ Install Istio: ```sh echo "Installing Istio configured with external authorization..." -cd common/istio-1-18 -kustomize build common/istio-1-18/istio-crds/base | kubectl apply -f - -kustomize build common/istio-1-18/istio-namespace/base | kubectl apply -f - -kustomize build common/istio-1-18/istio-install/overlays/oauth2-proxy | kubectl apply -f - +cd common/istio-1-19 +kustomize build common/istio-1-19/istio-crds/base | kubectl apply -f - +kustomize build common/istio-1-19/istio-namespace/base | kubectl apply -f - +kustomize build common/istio-1-19/istio-install/overlays/oauth2-proxy | kubectl apply -f - echo "Waiting for all Istio Pods to become ready..." kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s @@ -247,7 +247,7 @@ Install Knative Serving: ```sh kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f - -kustomize build common/istio-1-18/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-1-19/cluster-local-gateway/base | kubectl apply -f - ``` Optionally, you can install Knative Eventing which can be used for inference request logging: diff --git a/common/istio-1-18/README.md b/common/istio-1-19/README.md similarity index 98% rename from common/istio-1-18/README.md rename to common/istio-1-19/README.md index 8b74be19f6..e4ba791bab 100644 --- a/common/istio-1-18/README.md +++ b/common/istio-1-19/README.md @@ -46,7 +46,7 @@ old version is `X1.Y1.Z1`: $ export PATH="$MANIFESTS_SRC/scripts:$PATH" $ cd $ISTIO_NEW $ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml - $ split-istio-packages -f dump.yaml + $ ./split-istio-packages -f dump.yaml $ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base $ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base $ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base diff --git a/common/istio-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-19/cluster-local-gateway/base/cluster-local-gateway.yaml similarity index 98% rename from common/istio-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml rename to common/istio-1-19/cluster-local-gateway/base/cluster-local-gateway.yaml index 1134c395c1..91dc2b516c 100644 --- a/common/istio-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml +++ b/common/istio-1-19/cluster-local-gateway/base/cluster-local-gateway.yaml @@ -1,15 +1,15 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: cluster-local-gateway-service-account - namespace: istio-system labels: app: cluster-local-gateway + install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway-service-account + namespace: istio-system --- apiVersion: apps/v1 kind: Deployment @@ -125,7 +125,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.18.7 + image: docker.io/istio/proxyv2:1.19.10 name: istio-proxy ports: - containerPort: 15020 @@ -237,15 +237,15 @@ spec: apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: cluster-local-gateway - namespace: istio-system labels: app: cluster-local-gateway + install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway + namespace: istio-system spec: minAvailable: 1 selector: @@ -256,28 +256,33 @@ spec: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: cluster-local-gateway-sds - namespace: istio-system labels: - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway-sds + namespace: istio-system rules: -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - watch + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: cluster-local-gateway-sds - namespace: istio-system labels: - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway-sds + namespace: istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/common/istio-1-18/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-1-19/cluster-local-gateway/base/gateway-authorizationpolicy.yaml similarity index 100% rename from common/istio-1-18/cluster-local-gateway/base/gateway-authorizationpolicy.yaml rename to common/istio-1-19/cluster-local-gateway/base/gateway-authorizationpolicy.yaml diff --git a/common/istio-1-18/cluster-local-gateway/base/gateway.yaml b/common/istio-1-19/cluster-local-gateway/base/gateway.yaml similarity index 100% rename from common/istio-1-18/cluster-local-gateway/base/gateway.yaml rename to common/istio-1-19/cluster-local-gateway/base/gateway.yaml diff --git a/common/istio-1-18/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-19/cluster-local-gateway/base/kustomization.yaml similarity index 100% rename from common/istio-1-18/cluster-local-gateway/base/kustomization.yaml rename to common/istio-1-19/cluster-local-gateway/base/kustomization.yaml diff --git a/common/istio-1-18/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-1-19/cluster-local-gateway/base/patches/remove-pdb.yaml similarity index 100% rename from common/istio-1-18/cluster-local-gateway/base/patches/remove-pdb.yaml rename to common/istio-1-19/cluster-local-gateway/base/patches/remove-pdb.yaml diff --git a/common/istio-1-18/istio-crds/base/crd.yaml b/common/istio-1-19/istio-crds/base/crd.yaml similarity index 98% rename from common/istio-1-18/istio-crds/base/crd.yaml rename to common/istio-1-19/istio-crds/base/crd.yaml index 25dc3dce98..5b9880806f 100644 --- a/common/istio-1-18/istio-crds/base/crd.yaml +++ b/common/istio-1-19/istio-crds/base/crd.yaml @@ -386,6 +386,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3230,6 +3231,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3472,6 +3474,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3546,7 +3549,7 @@ spec: behavior. properties: caCertificates: - description: REQUIRED if mode is `MUTUAL`. + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string cipherSuites: description: 'Optional: If specified, only support the specified @@ -3583,6 +3586,7 @@ spec: - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL + - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. @@ -3662,7 +3666,7 @@ spec: behavior. properties: caCertificates: - description: REQUIRED if mode is `MUTUAL`. + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string cipherSuites: description: 'Optional: If specified, only support the specified @@ -3699,6 +3703,7 @@ spec: - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL + - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. @@ -3730,13 +3735,14 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: istiooperators.install.istio.io labels: release: istio + name: istiooperators.install.istio.io spec: conversion: strategy: None @@ -3745,10 +3751,10 @@ spec: kind: IstioOperator listKind: IstioOperatorList plural: istiooperators - singular: istiooperator shortNames: - iop - io + singular: istiooperator scope: Namespaced versions: - additionalPrinterColumns: @@ -3768,8 +3774,6 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - subresources: - status: {} name: v1alpha1 schema: openAPIV3Schema: @@ -3777,6 +3781,9 @@ spec: x-kubernetes-preserve-unknown-fields: true served: true storage: true + subresources: + status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3869,6 +3876,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3934,6 +3942,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -4129,6 +4138,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -4403,6 +4413,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -4500,7 +4511,7 @@ spec: tls: properties: caCertificates: - description: REQUIRED if mode is `MUTUAL`. + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string cipherSuites: description: 'Optional: If specified, only support the specified @@ -4537,6 +4548,7 @@ spec: - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL + - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. @@ -4673,7 +4685,7 @@ spec: tls: properties: caCertificates: - description: REQUIRED if mode is `MUTUAL`. + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string cipherSuites: description: 'Optional: If specified, only support the specified @@ -4710,6 +4722,7 @@ spec: - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL + - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. @@ -4773,6 +4786,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -5043,6 +5057,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -5570,6 +5585,34 @@ spec: format: double type: number type: object + mirrors: + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + percentage: + properties: + value: + format: double + type: number + type: object + type: object + type: array name: description: The name assigned to the route for debugging purposes. type: string @@ -5639,6 +5682,18 @@ spec: type: string uri: type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object type: object route: description: A HTTP rule can either return a direct_response, @@ -6353,6 +6408,34 @@ spec: format: double type: number type: object + mirrors: + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + percentage: + properties: + value: + format: double + type: number + type: object + type: object + type: array name: description: The name assigned to the route for debugging purposes. type: string @@ -6422,6 +6505,18 @@ spec: type: string uri: type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object type: object route: description: A HTTP rule can either return a direct_response, @@ -6635,6 +6730,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -6676,6 +6772,13 @@ spec: description: 'Extend the functionality provided by the Istio proxy through WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' properties: + failStrategy: + description: Specifies the failure behavior for the plugin due to + fatal errors. + enum: + - FAIL_CLOSE + - FAIL_OPEN + type: string imagePullPolicy: enum: - UNSPECIFIED_POLICY @@ -6774,6 +6877,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -6904,6 +7008,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -7228,3 +7333,4 @@ spec: storage: false subresources: status: {} + diff --git a/common/istio-1-18/istio-crds/base/kustomization.yaml b/common/istio-1-19/istio-crds/base/kustomization.yaml similarity index 100% rename from common/istio-1-18/istio-crds/base/kustomization.yaml rename to common/istio-1-19/istio-crds/base/kustomization.yaml diff --git a/common/istio-1-18/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-1-19/istio-install/base/deny_all_authorizationpolicy.yaml similarity index 100% rename from common/istio-1-18/istio-install/base/deny_all_authorizationpolicy.yaml rename to common/istio-1-19/istio-install/base/deny_all_authorizationpolicy.yaml diff --git a/common/istio-1-18/istio-install/base/gateway.yaml b/common/istio-1-19/istio-install/base/gateway.yaml similarity index 100% rename from common/istio-1-18/istio-install/base/gateway.yaml rename to common/istio-1-19/istio-install/base/gateway.yaml diff --git a/common/istio-1-18/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-1-19/istio-install/base/gateway_authorizationpolicy.yaml similarity index 100% rename from common/istio-1-18/istio-install/base/gateway_authorizationpolicy.yaml rename to common/istio-1-19/istio-install/base/gateway_authorizationpolicy.yaml diff --git a/common/istio-1-18/istio-install/base/install.yaml b/common/istio-1-19/istio-install/base/install.yaml similarity index 86% rename from common/istio-1-18/istio-install/base/install.yaml rename to common/istio-1-19/istio-install/base/install.yaml index f038f35845..af0110458d 100644 --- a/common/istio-1-18/istio-install/base/install.yaml +++ b/common/istio-1-19/istio-install/base/install.yaml @@ -1,50 +1,41 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: istio-ingressgateway-service-account - namespace: istio-system labels: app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown istio: ingressgateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-service-account + namespace: istio-system --- apiVersion: v1 kind: ServiceAccount metadata: - name: istio-reader-service-account - namespace: istio-system labels: app: istio-reader release: istio ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istiod + name: istio-reader-service-account namespace: istio-system - labels: - app: istiod - release: istio --- apiVersion: v1 kind: ServiceAccount metadata: - name: istiod-service-account - namespace: istio-system labels: app: istiod release: istio + name: istiod + namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istio-reader-clusterrole-istio-system labels: app: istio-reader release: istio + name: istio-reader-clusterrole-istio-system rules: - apiGroups: - config.istio.io @@ -52,331 +43,337 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io - resources: ['*'] - verbs: [get, list, watch] -- apiGroups: [''] - resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, - secrets] - verbs: [get, list, watch] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list] - resources: [workloadentries] -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, list, watch, create, delete] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, list, watch] -- apiGroups: [apps] - resources: [replicasets] - verbs: [get, list, watch] -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] + resources: + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - endpoints + - pods + - services + - nodes + - replicationcontrollers + - namespaces + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + resources: + - workloadentries + verbs: + - get + - watch + - list +- apiGroups: + - networking.x-k8s.io + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - get + - watch + - list +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - list + - watch + - create + - delete +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istio-reader-istio-system labels: - app: istio-reader + app: istiod release: istio + name: istiod-clusterrole-istio-system rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - update - apiGroups: - config.istio.io - security.istio.io - networking.istio.io - authentication.istio.io - rbac.istio.io - resources: ['*'] - verbs: [get, list, watch] -- apiGroups: [''] - resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, - secrets] - verbs: [get, list, watch] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list] - resources: [workloadentries] -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] -- apiGroups: [apps] - resources: [replicasets] - verbs: [get, list, watch] -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] + - telemetry.istio.io + - extensions.istio.io + resources: + - '*' + verbs: + - get + - watch + - list +- apiGroups: + - networking.istio.io + resources: + - workloadentries + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - networking.istio.io + resources: + - workloadentries/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - pods + - nodes + - services + - namespaces + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - '*' +- apiGroups: + - '' + resources: + - configmaps + verbs: + - create + - get + - list + - watch + - update +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - networking.x-k8s.io + - gateway.networking.k8s.io + resources: + - '*' + verbs: + - get + - watch + - list +- apiGroups: + - networking.x-k8s.io + - gateway.networking.k8s.io + resources: + - '*' + verbs: + - update + - patch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - update + - patch + - delete +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - watch + - list +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - watch + - list + - create + - delete +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - watch + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istiod-clusterrole-istio-system labels: app: istiod release: istio -rules: - # sidecar injection controller -- apiGroups: [admissionregistration.k8s.io] - resources: [mutatingwebhookconfigurations] - verbs: [get, list, watch, update, patch] - - # configuration validation webhook controller -- apiGroups: [admissionregistration.k8s.io] - resources: [validatingwebhookconfigurations] - verbs: [get, list, watch, update] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution -- apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, - rbac.istio.io, telemetry.istio.io, extensions.istio.io] - verbs: [get, watch, list] - resources: ['*'] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries/status] - - # auto-detect installed CRD definitions -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] - - # discovery and routing -- apiGroups: [''] - resources: [pods, nodes, services, namespaces, endpoints] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] - - # ingress controller -- apiGroups: [networking.k8s.io] - resources: [ingresses, ingressclasses] - verbs: [get, list, watch] -- apiGroups: [networking.k8s.io] - resources: [ingresses/status] - verbs: ['*'] - - # required for CA's namespace controller -- apiGroups: [''] - resources: [configmaps] - verbs: [create, get, list, watch, update] - - # Istiod and bootstrap. - - # Used by Istiod to verify the JWT tokens -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] - - # Used by Istiod to verify gateway SDS -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] - - # Use for Kubernetes Service APIs -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] - verbs: [get, watch, list] -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] # TODO: should be on just */status but wildcard is not supported - verbs: [update, patch] -- apiGroups: [gateway.networking.k8s.io] - resources: [gatewayclasses] - verbs: [create, update, patch, delete] - - # Needed for multicluster secret reading, possibly ingress certs in the future -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] - - # Used for MCS serviceexport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list, create, delete] - - # Used for MCS serviceimport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: name: istiod-gateway-controller-istio-system - labels: - app: istiod - release: istio -rules: -- apiGroups: [apps] - verbs: [get, watch, list, update, patch, create, delete] - resources: [deployments] -- apiGroups: [''] - verbs: [get, watch, list, update, patch, create, delete] - resources: [services] -- apiGroups: [''] - verbs: [get, watch, list, update, patch, create, delete] - resources: [serviceaccounts] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio rules: - # sidecar injection controller -- apiGroups: [admissionregistration.k8s.io] - resources: [mutatingwebhookconfigurations] - verbs: [get, list, watch, update, patch] - - # configuration validation webhook controller -- apiGroups: [admissionregistration.k8s.io] - resources: [validatingwebhookconfigurations] - verbs: [get, list, watch, update] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution -- apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, - rbac.istio.io, telemetry.istio.io] - verbs: [get, watch, list] - resources: ['*'] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries/status] - - # auto-detect installed CRD definitions -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] - - # discovery and routing -- apiGroups: [''] - resources: [pods, nodes, services, namespaces, endpoints] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] - - # ingress controller -- apiGroups: [networking.k8s.io] - resources: [ingresses, ingressclasses] - verbs: [get, list, watch] -- apiGroups: [networking.k8s.io] - resources: [ingresses/status] - verbs: ['*'] - - # required for CA's namespace controller -- apiGroups: [''] - resources: [configmaps] - verbs: [create, get, list, watch, update] - - # Istiod and bootstrap. -- apiGroups: [certificates.k8s.io] +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - '' resources: - - certificatesigningrequests - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: [update, create, get, delete, watch] -- apiGroups: [certificates.k8s.io] + - services + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - '' resources: - - signers - resourceNames: - - kubernetes.io/legacy-unknown - verbs: [approve] - - # Used by Istiod to verify the JWT tokens -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] - - # Used by Istiod to verify gateway SDS -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] - - # Use for Kubernetes Service APIs -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] - verbs: [get, watch, list] -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] # TODO: should be on just */status but wildcard is not supported - verbs: [update] -- apiGroups: [gateway.networking.k8s.io] - resources: [gatewayclasses] - verbs: [create, update, patch, delete] - - # Needed for multicluster secret reading, possibly ingress certs in the future -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] - - # Used for MCS serviceexport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list, create, delete] - - # Used for MCS serviceimport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] + - serviceaccounts + verbs: + - get + - watch + - list + - update + - patch + - create + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istio-reader-clusterrole-istio-system labels: app: istio-reader release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole name: istio-reader-clusterrole-istio-system -subjects: -- kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-reader-istio-system + name: istio-reader-clusterrole-istio-system subjects: - kind: ServiceAccount name: istio-reader-service-account @@ -385,10 +382,10 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istiod-clusterrole-istio-system labels: app: istiod release: istio + name: istiod-clusterrole-istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -401,10 +398,10 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istiod-gateway-controller-istio-system labels: app: istiod release: istio + name: istiod-gateway-controller-istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -414,83 +411,49 @@ subjects: name: istiod namespace: istio-system --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-istio-system -subjects: -- kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - name: istio-validator-istio-system labels: app: istiod - release: istio istio: istiod istio.io/rev: default + release: istio + name: istio-validator-istio-system webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. -- name: rev.validation.istio.io +- admissionReviewVersions: + - v1beta1 + - v1 clientConfig: - # Should change from base but cannot for API compat service: name: istiod namespace: istio-system path: /validate + failurePolicy: Ignore + name: rev.validation.istio.io + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default rules: - - operations: - - CREATE - - UPDATE - apiGroups: + - apiGroups: - security.istio.io - networking.istio.io - telemetry.istio.io - extensions.istio.io apiVersions: - '*' + operations: + - CREATE + - UPDATE resources: - '*' - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore sideEffects: None - admissionReviewVersions: [v1beta1, v1] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - default --- apiVersion: v1 -kind: ConfigMap -metadata: - name: istio - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot - release: istio data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - networks: {} - mesh: |- defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 @@ -508,137 +471,19 @@ data: probes: 3 time: 10s trustDomain: cluster.local ---- -apiVersion: v1 + meshNetworks: 'networks: {}' kind: ConfigMap metadata: - name: istio-sidecar-injector - namespace: istio-system labels: - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: Pilot release: istio + name: istio + namespace: istio-system +--- +apiVersion: v1 data: - - values: |- - { - "global": { - "autoscalingv2API": true, - "caAddress": "", - "caName": "", - "certSigners": [], - "configCluster": false, - "configValidation": true, - "defaultNodeSelector": {}, - "defaultPodDisruptionBudget": { - "enabled": true - }, - "defaultResources": { - "requests": { - "cpu": "10m" - } - }, - "enabled": true, - "externalIstiod": false, - "hub": "docker.io/istio", - "imagePullPolicy": "", - "imagePullSecrets": [], - "istioNamespace": "istio-system", - "istiod": { - "enableAnalysis": false - }, - "jwtPolicy": "third-party-jwt", - "logAsJson": false, - "logging": { - "level": "default:info" - }, - "meshID": "", - "meshNetworks": {}, - "mountMtlsCerts": false, - "multiCluster": { - "clusterName": "", - "enabled": false - }, - "namespace": "istio-system", - "network": "", - "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, - "operatorManageWebhooks": false, - "pilotCertProvider": "istiod", - "priorityClassName": "", - "proxy": { - "autoInject": "enabled", - "clusterDomain": "cluster.local", - "componentLogLevel": "misc:error", - "enableCoreDump": false, - "excludeIPRanges": "", - "excludeInboundPorts": "", - "excludeOutboundPorts": "", - "image": "proxyv2", - "includeIPRanges": "*", - "includeInboundPorts": "*", - "includeOutboundPorts": "", - "logLevel": "warning", - "privileged": false, - "readinessFailureThreshold": 30, - "readinessInitialDelaySeconds": 1, - "readinessPeriodSeconds": 2, - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "100m", - "memory": "128Mi" - } - }, - "statusPort": 15020, - "tracer": "zipkin" - }, - "proxy_init": { - "image": "proxyv2" - }, - "remotePilotAddress": "", - "sds": { - "token": { - "aud": "istio-ca" - } - }, - "sts": { - "servicePort": 0 - }, - "tag": "1.18.7", - "tracer": { - "datadog": {}, - "lightstep": {}, - "stackdriver": {}, - "zipkin": {} - }, - "useMCP": false, - "variant": "" - }, - "istio_cni": { - "enabled": false - }, - "revision": "", - "sidecarInjectorWebhook": { - "alwaysInjectSelector": [], - "defaultTemplates": [], - "enableNamespacesByDefault": false, - "injectedAnnotations": {}, - "neverInjectSelector": [], - "rewriteAppHTTPProbe": true, - "templates": {} - } - } - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. config: |- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template defaultTemplates: [sidecar] @@ -677,6 +522,7 @@ data: {{- end }} {{- end }} {{- end }} + {{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: @@ -699,7 +545,7 @@ data: {{- end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} @@ -837,13 +683,16 @@ data: runAsNonRoot: false runAsUser: 0 {{ end }} + {{ if not $nativeSidecar }} containers: + {{ end }} - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} ports: - containerPort: 15090 protocol: TCP @@ -930,6 +779,18 @@ data: ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME @@ -977,7 +838,11 @@ data: {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if $nativeSidecar }} + startupProbe: + {{ else }} readinessProbe: + {{ end }} httpGet: path: /healthz/ready port: 15021 @@ -1160,10 +1025,6 @@ data: - name: {{ . }} {{- end }} {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} gateway: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} @@ -1259,6 +1120,18 @@ data: {{- end}} {{- end}} ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID @@ -1398,10 +1271,6 @@ data: - name: {{ . }} {{- end }} {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} grpc-simple: | metadata: annotations: @@ -1785,10 +1654,6 @@ data: - name: {{ . }} {{- end }} {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} waypoint: | apiVersion: v1 kind: ServiceAccount @@ -1842,7 +1707,17 @@ data: terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - - args: + - name: istio-proxy + ports: + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + image: {{.ProxyImage}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: - proxy - waypoint - --domain @@ -1904,6 +1779,14 @@ data: - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE @@ -1919,9 +1802,6 @@ data: - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} - image: {{.ProxyImage}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - name: istio-proxy resources: limits: cpu: "2" @@ -2021,12 +1901,18 @@ data: uid: "{{.UID}}" spec: ports: - - name: https-hbone - port: 15008 + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} protocol: TCP - appProtocol: https + appProtocol: {{ $val.AppProtocol }} + {{- end }} selector: istio.io/gateway-name: "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} --- kube-gateway: | apiVersion: v1 @@ -2085,6 +1971,10 @@ data: containers: - name: istio-proxy image: "{{ .ProxyImage }}" + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: {{- if .KubeVersion122 }} @@ -2180,6 +2070,14 @@ data: value: "[]" - name: ISTIO_META_APP_CONTAINERS value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - name: ISTIO_META_NODE_NAME @@ -2188,9 +2086,9 @@ data: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} + {{- with (valueOrDefault (index .Labels "topology.istio.io/network") .Values.global.network) }} - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" + value: {{.|quote}} {{- end }} - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName|quote}} @@ -2336,38 +2234,157 @@ data: {{- end }} selector: istio.io/gateway-name: {{.Name}} - {{- if .Spec.Addresses }} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} - type: {{ index .Annotations "networking.istio.io/service-type" | default "LoadBalancer" | quote }} + type: {{ .ServiceType | quote }} --- + values: |- + { + "global": { + "autoscalingv2API": true, + "caAddress": "", + "caName": "", + "certSigners": [], + "configCluster": false, + "configValidation": true, + "defaultNodeSelector": {}, + "defaultPodDisruptionBudget": { + "enabled": true + }, + "defaultResources": { + "requests": { + "cpu": "10m" + } + }, + "enabled": true, + "externalIstiod": false, + "hub": "docker.io/istio", + "imagePullPolicy": "", + "imagePullSecrets": [], + "istioNamespace": "istio-system", + "istiod": { + "enableAnalysis": false + }, + "jwtPolicy": "third-party-jwt", + "logAsJson": false, + "logging": { + "level": "default:info" + }, + "meshID": "", + "meshNetworks": {}, + "mountMtlsCerts": false, + "multiCluster": { + "clusterName": "", + "enabled": false + }, + "namespace": "istio-system", + "network": "", + "omitSidecarInjectorConfigMap": false, + "oneNamespace": false, + "operatorManageWebhooks": false, + "pilotCertProvider": "istiod", + "priorityClassName": "", + "proxy": { + "autoInject": "enabled", + "clusterDomain": "cluster.local", + "componentLogLevel": "misc:error", + "enableCoreDump": false, + "excludeIPRanges": "", + "excludeInboundPorts": "", + "excludeOutboundPorts": "", + "image": "proxyv2", + "includeIPRanges": "*", + "includeInboundPorts": "*", + "includeOutboundPorts": "", + "logLevel": "warning", + "privileged": false, + "readinessFailureThreshold": 30, + "readinessInitialDelaySeconds": 1, + "readinessPeriodSeconds": 2, + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "statusPort": 15020, + "tracer": "zipkin" + }, + "proxy_init": { + "image": "proxyv2" + }, + "remotePilotAddress": "", + "sds": { + "token": { + "aud": "istio-ca" + } + }, + "sts": { + "servicePort": 0 + }, + "tag": "1.19.10", + "tracer": { + "datadog": {}, + "lightstep": {}, + "stackdriver": {}, + "zipkin": {} + }, + "useMCP": false, + "variant": "" + }, + "istio_cni": { + "chained": true, + "enabled": false + }, + "revision": "", + "sidecarInjectorWebhook": { + "alwaysInjectSelector": [], + "defaultTemplates": [], + "enableNamespacesByDefault": false, + "injectedAnnotations": {}, + "neverInjectSelector": [], + "reinvocationPolicy": "Never", + "rewriteAppHTTPProbe": true, + "templates": {} + } + } +kind: ConfigMap +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: Pilot + release: istio + name: istio-sidecar-injector + namespace: istio-system --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: istio-sidecar-injector labels: - istio.io/rev: default + app: sidecar-injector install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: Pilot - app: sidecar-injector release: istio + name: istio-sidecar-injector webhooks: -- name: rev.namespace.sidecar-injector.istio.io +- admissionReviewVersions: + - v1beta1 + - v1 clientConfig: service: name: istiod namespace: istio-system path: /inject port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] + name: rev.namespace.sidecar-injector.istio.io namespaceSelector: matchExpressions: - key: istio.io/rev @@ -2382,21 +2399,28 @@ webhooks: operator: NotIn values: - 'false' -- name: rev.object.sidecar-injector.istio.io + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1beta1 + - v1 clientConfig: service: name: istiod namespace: istio-system path: /inject port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] + name: rev.object.sidecar-injector.istio.io namespaceSelector: matchExpressions: - key: istio.io/rev @@ -2413,21 +2437,28 @@ webhooks: operator: In values: - default -- name: namespace.sidecar-injector.istio.io + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1beta1 + - v1 clientConfig: service: name: istiod namespace: istio-system path: /inject port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] + name: namespace.sidecar-injector.istio.io namespaceSelector: matchExpressions: - key: istio-injection @@ -2440,21 +2471,28 @@ webhooks: operator: NotIn values: - 'false' -- name: object.sidecar-injector.istio.io + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1beta1 + - v1 clientConfig: service: name: istiod namespace: istio-system path: /inject port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] + name: object.sidecar-injector.istio.io namespaceSelector: matchExpressions: - key: istio-injection @@ -2469,19 +2507,30 @@ webhooks: - 'true' - key: istio.io/rev operator: DoesNotExist + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None --- apiVersion: apps/v1 kind: Deployment metadata: - name: istio-ingressgateway - namespace: istio-system labels: app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown istio: ingressgateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system spec: selector: matchLabels: @@ -2493,45 +2542,31 @@ spec: maxUnavailable: 25% template: metadata: + annotations: + istio.io/rev: default + prometheus.io/path: /stats/prometheus + prometheus.io/port: '15020' + prometheus.io/scrape: 'true' + sidecar.istio.io/inject: 'false' labels: app: istio-ingressgateway - istio: ingressgateway + chart: gateways heritage: Tiller + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways release: istio - chart: gateways service.istio.io/canonical-name: istio-ingressgateway service.istio.io/canonical-revision: latest - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways - sidecar.istio.io/inject: 'false' - annotations: - istio.io/rev: default - prometheus.io/port: '15020' - prometheus.io/scrape: 'true' - prometheus.io/path: /stats/prometheus sidecar.istio.io/inject: 'false' spec: - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 - serviceAccountName: istio-ingressgateway-service-account + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + requiredDuringSchedulingIgnoredDuringExecution: containers: - - name: istio-proxy - image: docker.io/istio/proxyv2:1.18.7 - ports: - - containerPort: 15021 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8443 - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: + - args: - proxy - router - --domain @@ -2539,30 +2574,6 @@ spec: - --proxyLogLevel=warning - --proxyComponentLogLevel=misc:error - --log_output_level=default:info - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi env: - name: JWT_POLICY value: third-party-jwt @@ -2620,32 +2631,74 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + image: docker.io/istio/proxyv2:1.19.10 + name: istio-proxy + ports: + - containerPort: 15021 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 8443 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume - mountPath: /var/run/secrets/istio name: istiod-ca-cert - - name: istio-token - mountPath: /var/run/secrets/tokens + - mountPath: /var/run/secrets/tokens + name: istio-token readOnly: true - mountPath: /var/lib/istio/data name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - - name: ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs readOnly: true - - name: ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs readOnly: true + securityContext: + fsGroup: 1337 + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + serviceAccountName: istio-ingressgateway-service-account volumes: - emptyDir: {} name: workload-socket @@ -2653,88 +2706,79 @@ spec: name: credential-socket - emptyDir: {} name: workload-certs - - name: istiod-ca-cert - configMap: + - configMap: name: istio-ca-root-cert - - name: podinfo - downwardAPI: + name: istiod-ca-cert + - downwardAPI: items: - - path: labels - fieldRef: + - fieldRef: fieldPath: metadata.labels - - path: annotations - fieldRef: + path: labels + - fieldRef: fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data - name: istio-token projected: sources: - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 audience: istio-ca - - name: config-volume - configMap: + expirationSeconds: 43200 + path: istio-token + - configMap: name: istio optional: true + name: config-volume - name: ingressgateway-certs secret: - secretName: istio-ingressgateway-certs optional: true + secretName: istio-ingressgateway-certs - name: ingressgateway-ca-certs secret: - secretName: istio-ingressgateway-ca-certs optional: true - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - preferredDuringSchedulingIgnoredDuringExecution: + secretName: istio-ingressgateway-ca-certs --- apiVersion: apps/v1 kind: Deployment metadata: - name: istiod - namespace: istio-system labels: app: istiod - istio.io/rev: default install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot istio: pilot + istio.io/rev: default + operator.istio.io/component: Pilot release: istio + name: istiod + namespace: istio-system spec: + selector: + matchLabels: + istio: pilot strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% - selector: - matchLabels: - istio: pilot template: metadata: + annotations: + ambient.istio.io/redirection: disabled + prometheus.io/port: '15014' + prometheus.io/scrape: 'true' + sidecar.istio.io/inject: 'false' labels: app: istiod - istio.io/rev: default install.operator.istio.io/owning-resource: unknown - sidecar.istio.io/inject: 'false' - operator.istio.io/component: Pilot istio: pilot - annotations: - prometheus.io/port: '15014' - prometheus.io/scrape: 'true' - ambient.istio.io/redirection: disabled + istio.io/rev: default + operator.istio.io/component: Pilot sidecar.istio.io/inject: 'false' spec: - serviceAccountName: istiod - securityContext: - fsGroup: 1337 containers: - - name: discovery - image: docker.io/istio/pilot:1.18.7 - args: + - args: - discovery - --monitoringAddr=:15014 - --log_output_level=default:info @@ -2742,20 +2786,6 @@ spec: - cluster.local - --keepaliveMaxServerConnectionAge - 30m - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 env: - name: REVISION value: default @@ -2782,10 +2812,6 @@ spec: value: /var/run/secrets/remote/config - name: PILOT_TRACE_SAMPLING value: '1' - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: 'true' - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: 'true' - name: ISTIOD_ADDR value: istiod.istio-system.svc:15012 - name: PILOT_ENABLE_ANALYSIS @@ -2796,40 +2822,63 @@ spec: valueFrom: resourceFieldRef: resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PLATFORM + value: '' + image: docker.io/istio/pilot:1.19.10 + name: discovery + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 resources: requests: cpu: 500m memory: 2048Mi securityContext: allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true capabilities: drop: - ALL + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens + - mountPath: /var/run/secrets/tokens + name: istio-token readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts + - mountPath: /var/run/secrets/istio-dns + name: local-certs + - mountPath: /etc/cacerts + name: cacerts readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote + - mountPath: /var/run/secrets/remote + name: istio-kubeconfig readOnly: true - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls + - mountPath: /var/run/secrets/istiod/tls + name: istio-csr-dns-cert readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca + - mountPath: /var/run/secrets/istiod/ca + name: istio-csr-ca-configmap readOnly: true + securityContext: + fsGroup: 1337 + serviceAccountName: istiod volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - emptyDir: medium: Memory name: local-certs @@ -2840,38 +2889,36 @@ spec: audience: istio-ca expirationSeconds: 43200 path: istio-token - # Optional: user-generated root - name: cacerts secret: - secretName: cacerts optional: true + secretName: cacerts - name: istio-kubeconfig secret: - secretName: istio-kubeconfig optional: true - # Optional: istio-csr dns pilot certs + secretName: istio-kubeconfig - name: istio-csr-dns-cert secret: - secretName: istiod-tls optional: true - - name: istio-csr-ca-configmap - configMap: - name: istio-ca-root-cert + secretName: istiod-tls + - configMap: defaultMode: 420 + name: istio-ca-root-cert optional: true + name: istio-csr-ca-configmap --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: istio-ingressgateway - namespace: istio-system labels: app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown istio: ingressgateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system spec: minAvailable: 1 selector: @@ -2882,15 +2929,15 @@ spec: apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: istiod - namespace: istio-system labels: app: istiod - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio: pilot + istio.io/rev: default operator.istio.io/component: Pilot release: istio - istio: pilot + name: istiod + namespace: istio-system spec: minAvailable: 1 selector: @@ -2901,72 +2948,75 @@ spec: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: istio-ingressgateway-sds - namespace: istio-system labels: - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: IngressGateways -rules: -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod release: istio + name: istio-ingressgateway-sds + namespace: istio-system rules: -- apiGroups: [networking.istio.io] - verbs: [create] - resources: [gateways] - -- apiGroups: [''] - resources: [secrets] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: [create, get, watch, list, update, delete] - -- apiGroups: [''] - resources: [configmaps] - verbs: [delete] - -- apiGroups: [coordination.k8s.io] - resources: [leases] - verbs: [get, update, patch, create] +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - watch + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: istiod-istio-system - namespace: istio-system labels: app: istiod release: istio + name: istiod + namespace: istio-system rules: -- apiGroups: [networking.istio.io] - verbs: [create] - resources: [gateways] - -- apiGroups: [''] - resources: [secrets] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: [create, get, watch, list, update, delete] +- apiGroups: + - networking.istio.io + resources: + - gateways + verbs: + - create +- apiGroups: + - '' + resources: + - secrets + verbs: + - create + - get + - watch + - list + - update + - delete +- apiGroups: + - '' + resources: + - configmaps + verbs: + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - update + - patch + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: istio-ingressgateway-sds - namespace: istio-system labels: - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-sds + namespace: istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -2978,108 +3028,87 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: istiod - namespace: istio-system labels: app: istiod release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod -subjects: -- kind: ServiceAccount name: istiod namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: istiod - release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: istiod-istio-system + name: istiod subjects: - kind: ServiceAccount - name: istiod-service-account + name: istiod namespace: istio-system --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: istio-ingressgateway - namespace: istio-system labels: app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown istio: ingressgateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system spec: maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource minReplicas: 1 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: istio-ingressgateway - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 80 --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: istiod - namespace: istio-system labels: app: istiod - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: Pilot + release: istio + name: istiod + namespace: istio-system spec: maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource minReplicas: 1 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: istiod - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 80 --- apiVersion: v1 kind: Service metadata: - name: istio-ingressgateway - namespace: istio-system annotations: labels: app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown istio: ingressgateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system spec: - type: LoadBalancer - selector: - app: istio-ingressgateway - istio: ingressgateway ports: - name: status-port port: 15021 @@ -3093,36 +3122,38 @@ spec: port: 443 protocol: TCP targetPort: 8443 + selector: + app: istio-ingressgateway + istio: ingressgateway + type: LoadBalancer --- apiVersion: v1 kind: Service metadata: - name: istiod - namespace: istio-system labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot app: istiod + install.operator.istio.io/owning-resource: unknown istio: pilot + istio.io/rev: default + operator.istio.io/component: Pilot release: istio + name: istiod + namespace: istio-system spec: ports: - - port: 15010 - name: grpc-xds # plaintext + - name: grpc-xds + port: 15010 protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert + - name: https-dns + port: 15012 protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 + - name: https-webhook + port: 443 protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats + targetPort: 15017 + - name: http-monitoring + port: 15014 protocol: TCP selector: app: istiod - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary istio: pilot diff --git a/common/istio-1-18/istio-install/base/kustomization.yaml b/common/istio-1-19/istio-install/base/kustomization.yaml similarity index 100% rename from common/istio-1-18/istio-install/base/kustomization.yaml rename to common/istio-1-19/istio-install/base/kustomization.yaml diff --git a/common/istio-1-18/istio-install/base/patches/disable-debugging.yaml b/common/istio-1-19/istio-install/base/patches/disable-debugging.yaml similarity index 100% rename from common/istio-1-18/istio-install/base/patches/disable-debugging.yaml rename to common/istio-1-19/istio-install/base/patches/disable-debugging.yaml diff --git a/common/istio-1-18/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-1-19/istio-install/base/patches/istio-configmap-disable-tracing.yaml similarity index 100% rename from common/istio-1-18/istio-install/base/patches/istio-configmap-disable-tracing.yaml rename to common/istio-1-19/istio-install/base/patches/istio-configmap-disable-tracing.yaml diff --git a/common/istio-1-18/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-1-19/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml similarity index 100% rename from common/istio-1-18/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml rename to common/istio-1-19/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml diff --git a/common/istio-1-18/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-1-19/istio-install/base/patches/istiod-remove-pdb.yaml similarity index 100% rename from common/istio-1-18/istio-install/base/patches/istiod-remove-pdb.yaml rename to common/istio-1-19/istio-install/base/patches/istiod-remove-pdb.yaml diff --git a/common/istio-1-18/istio-install/base/patches/service.yaml b/common/istio-1-19/istio-install/base/patches/service.yaml similarity index 100% rename from common/istio-1-18/istio-install/base/patches/service.yaml rename to common/istio-1-19/istio-install/base/patches/service.yaml diff --git a/common/istio-1-18/istio-install/base/x-forwarded-host.yaml b/common/istio-1-19/istio-install/base/x-forwarded-host.yaml similarity index 100% rename from common/istio-1-18/istio-install/base/x-forwarded-host.yaml rename to common/istio-1-19/istio-install/base/x-forwarded-host.yaml diff --git a/common/istio-1-18/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-1-19/istio-install/overlays/oauth2-proxy/kustomization.yaml similarity index 100% rename from common/istio-1-18/istio-install/overlays/oauth2-proxy/kustomization.yaml rename to common/istio-1-19/istio-install/overlays/oauth2-proxy/kustomization.yaml diff --git a/common/istio-1-18/istio-namespace/base/kustomization.yaml b/common/istio-1-19/istio-namespace/base/kustomization.yaml similarity index 100% rename from common/istio-1-18/istio-namespace/base/kustomization.yaml rename to common/istio-1-19/istio-namespace/base/kustomization.yaml diff --git a/common/istio-1-18/istio-namespace/base/namespace.yaml b/common/istio-1-19/istio-namespace/base/namespace.yaml similarity index 100% rename from common/istio-1-18/istio-namespace/base/namespace.yaml rename to common/istio-1-19/istio-namespace/base/namespace.yaml diff --git a/common/istio-1-18/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-1-19/kubeflow-istio-resources/base/cluster-roles.yaml similarity index 100% rename from common/istio-1-18/kubeflow-istio-resources/base/cluster-roles.yaml rename to common/istio-1-19/kubeflow-istio-resources/base/cluster-roles.yaml diff --git a/common/istio-1-18/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-1-19/kubeflow-istio-resources/base/kf-istio-resources.yaml similarity index 100% rename from common/istio-1-18/kubeflow-istio-resources/base/kf-istio-resources.yaml rename to common/istio-1-19/kubeflow-istio-resources/base/kf-istio-resources.yaml diff --git a/common/istio-1-18/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-1-19/kubeflow-istio-resources/base/kustomization.yaml similarity index 100% rename from common/istio-1-18/kubeflow-istio-resources/base/kustomization.yaml rename to common/istio-1-19/kubeflow-istio-resources/base/kustomization.yaml diff --git a/common/istio-1-18/profile-overlay.yaml b/common/istio-1-19/profile-overlay.yaml similarity index 100% rename from common/istio-1-18/profile-overlay.yaml rename to common/istio-1-19/profile-overlay.yaml diff --git a/common/istio-1-18/profile.yaml b/common/istio-1-19/profile.yaml similarity index 97% rename from common/istio-1-18/profile.yaml rename to common/istio-1-19/profile.yaml index 3048418468..c3754eda2e 100644 --- a/common/istio-1-18/profile.yaml +++ b/common/istio-1-19/profile.yaml @@ -22,7 +22,7 @@ spec: proxyMetadata: {} enablePrometheusMerge: true profile: default - tag: 1.18.7 + tag: 1.19.10 values: base: enableCRDTemplates: false @@ -127,8 +127,6 @@ spec: configMap: true cpu: targetAverageUtilization: 80 - enableProtocolSniffingForInbound: true - enableProtocolSniffingForOutbound: true env: {} image: pilot keepaliveMaxServerConnectionAge: 30m diff --git a/common/istio-1-18/split-istio-packages b/common/istio-1-19/split-istio-packages similarity index 100% rename from common/istio-1-18/split-istio-packages rename to common/istio-1-19/split-istio-packages diff --git a/common/oidc-client/oauth2-proxy/README.md b/common/oidc-client/oauth2-proxy/README.md index 4335be8469..df44c6e272 100644 --- a/common/oidc-client/oauth2-proxy/README.md +++ b/common/oidc-client/oauth2-proxy/README.md @@ -169,9 +169,9 @@ make the following changes to the `example/kustomization.yaml` file: * use `oauth2-proxy` overlay for istio-install ``` # from - - ../common/istio-1-18/istio-install/base + - ../common/istio-1-19/istio-install/base # to - - ../common/istio-1-18/istio-install/overlays/oauth2-proxy + - ../common/istio-1-19/istio-install/overlays/oauth2-proxy ``` * change `OIDC Authservice` to `oauth2-proxy for OIDC` and use overlay for m2m bearer tokens with self-signed in-cluster issuer @@ -204,12 +204,12 @@ index c1a85789..4a50440c 100644 +++ b/example/kustomization.yaml @@ -38,11 +38,11 @@ resources: # Istio - - ../common/istio-1-18/istio-crds/base - - ../common/istio-1-18/istio-namespace/base --- ../common/istio-1-18/istio-install/base + - ../common/istio-1-19/istio-crds/base + - ../common/istio-1-19/istio-namespace/base +-- ../common/istio-1-19/istio-install/base -# OIDC Authservice -- ../common/oidc-client/oidc-authservice/base -+- ../common/istio-1-18/istio-install/overlays/oauth2-proxy ++- ../common/istio-1-19/istio-install/overlays/oauth2-proxy +# oauth2-proxy for OIDC +- ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed # Dex diff --git a/contrib/kserve/README.md b/contrib/kserve/README.md index 65f42d8b19..169ea6e43d 100644 --- a/contrib/kserve/README.md +++ b/contrib/kserve/README.md @@ -61,15 +61,15 @@ For upgrading see [UPGRADE.md](UPGRADE.md) ``` 5. Install Istio ```sh - kubectl apply -k ../../common/istio-1-18/istio-crds/base - kubectl apply -k ../../common/istio-1-18/istio-namespace/base - kubectl apply -k ../../common/istio-1-18/istio-install/base + kubectl apply -k ../../common/istio-1-19/istio-crds/base + kubectl apply -k ../../common/istio-1-19/istio-namespace/base + kubectl apply -k ../../common/istio-1-19/istio-install/base ``` 6. Install knative ```sh kubectl apply -k ../../common/knative/knative-serving/overlays/gateways - kubectl apply -k ../../common/istio-1-18/cluster-local-gateway/base - kubectl apply -k ../../common/istio-1-18/kubeflow-istio-resources/base + kubectl apply -k ../../common/istio-1-19/cluster-local-gateway/base + kubectl apply -k ../../common/istio-1-19/kubeflow-istio-resources/base ``` 7. Install kserve ```sh diff --git a/example/kustomization.yaml b/example/kustomization.yaml index f292f0122a..523e3fa350 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -37,9 +37,9 @@ resources: - ../common/cert-manager/cert-manager/base - ../common/cert-manager/kubeflow-issuer/base # Istio -- ../common/istio-1-18/istio-crds/base -- ../common/istio-1-18/istio-namespace/base -- ../common/istio-1-18/istio-install/overlays/oauth2-proxy +- ../common/istio-1-19/istio-crds/base +- ../common/istio-1-19/istio-namespace/base +- ../common/istio-1-19/istio-install/overlays/oauth2-proxy # oauth2-proxy - ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed # Dex @@ -47,7 +47,7 @@ resources: # KNative - ../common/knative/knative-serving/overlays/gateways - ../common/knative/knative-eventing/base -- ../common/istio-1-18/cluster-local-gateway/base +- ../common/istio-1-19/cluster-local-gateway/base # Kubeflow namespace - ../common/kubeflow-namespace/base # NetworkPolicies @@ -55,7 +55,7 @@ resources: # Kubeflow Roles - ../common/kubeflow-roles/base # Kubeflow Istio Resources -- ../common/istio-1-18/kubeflow-istio-resources/base +- ../common/istio-1-19/kubeflow-istio-resources/base # Kubeflow Pipelines diff --git a/hack/extract_images.sh b/hack/extract_images.sh index 96a0158ccb..928c70ada9 100755 --- a/hack/extract_images.sh +++ b/hack/extract_images.sh @@ -15,7 +15,7 @@ declare -A wg_dirs=( [automl]="../apps/katib/upstream/installs" [pipelines]="../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env" [training]="../apps/training-operator/upstream/overlays" - [manifests]="../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-18/istio-crds/base ../common/istio-1-18/istio-namespace/base ../common/istio-1-18/istio-install/overlays/oauth2-proxy ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-18/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-18/kubeflow-istio-resources/base" + [manifests]="../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-19/istio-crds/base ../common/istio-1-19/istio-namespace/base ../common/istio-1-19/istio-install/overlays/oauth2-proxy ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-19/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-19/kubeflow-istio-resources/base" [workbenches]="../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/upstream/overlays/oauth2-proxy ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays" [serving]="../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow" [model-registry]="../apps/model-registry/upstream" diff --git a/tests/gh-actions/install_istio.sh b/tests/gh-actions/install_istio.sh index 0e1eb4353d..7ab52359b8 100755 --- a/tests/gh-actions/install_istio.sh +++ b/tests/gh-actions/install_istio.sh @@ -1,7 +1,7 @@ #!/bin/bash set -e echo "Installing Istio ..." -cd common/istio-1-18 +cd common/istio-1-19 kustomize build istio-crds/base | kubectl apply -f - kustomize build istio-namespace/base | kubectl apply -f - kustomize build istio-install/base | kubectl apply -f - diff --git a/tests/gh-actions/install_istio_with_ext_auth.sh b/tests/gh-actions/install_istio_with_ext_auth.sh index 23dcf4ef0a..bd9512cb44 100755 --- a/tests/gh-actions/install_istio_with_ext_auth.sh +++ b/tests/gh-actions/install_istio_with_ext_auth.sh @@ -1,7 +1,7 @@ #!/bin/bash set -e echo "Installing Istio configured with external authorization..." -cd common/istio-1-18 +cd common/istio-1-19 kustomize build istio-crds/base | kubectl apply -f - kustomize build istio-namespace/base | kubectl apply -f - kustomize build istio-install/overlays/oauth2-proxy | kubectl apply -f - diff --git a/tests/gh-actions/install_knative.sh b/tests/gh-actions/install_knative.sh index 94b3b0f044..72bc77bb71 100755 --- a/tests/gh-actions/install_knative.sh +++ b/tests/gh-actions/install_knative.sh @@ -6,8 +6,8 @@ kustomize build common/knative/knative-serving/base | kubectl apply -f - set -e kustomize build common/knative/knative-serving/base | kubectl apply -f - -kustomize build common/istio-1-18/cluster-local-gateway/base | kubectl apply -f - -kustomize build common/istio-1-18/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-1-19/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-1-19/kubeflow-istio-resources/base | kubectl apply -f - kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 600s kubectl patch cm config-domain --patch '{"data":{"example.com":""}}' -n knative-serving From 9bc1d689ac81297195d2e0a6ea6530e0c0226062 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Tue, 4 Jun 2024 20:31:05 +0530 Subject: [PATCH 2/2] Upgraded istio-cni to v1.19.10 Signed-off-by: biswajit-9776 --- .github/workflows/kserve_cni_test.yaml | 2 +- .../README.md | 2 +- .../base/cluster-local-gateway.yaml | 45 +- .../base/gateway-authorizationpolicy.yaml | 0 .../cluster-local-gateway/base/gateway.yaml | 0 .../base/kustomization.yaml | 0 .../base/patches/remove-pdb.yaml | 0 .../istio-crds/base/crd.yaml | 122 +- .../istio-crds/base/kustomization.yaml | 0 .../base/deny_all_authorizationpolicy.yaml | 0 .../istio-install/base/gateway.yaml | 0 .../base/gateway_authorizationpolicy.yaml | 0 .../istio-install/base/install.yaml | 1922 ++++++++--------- .../istio-install/base/kustomization.yaml | 0 .../base/patches/disable-debugging.yaml | 0 .../istio-configmap-disable-tracing.yaml | 0 .../istio-ingressgateway-remove-pdb.yaml | 0 .../base/patches/istiod-remove-pdb.yaml | 0 .../istio-install/base/patches/service.yaml | 0 .../istio-install/base/x-forwarded-host.yaml | 0 .../overlays/oauth2-proxy/kustomization.yaml | 0 .../istio-namespace/base/kustomization.yaml | 0 .../istio-namespace/base/namespace.yaml | 0 .../base/cluster-roles.yaml | 0 .../base/kf-istio-resources.yaml | 0 .../base/kustomization.yaml | 0 .../profile-overlay.yaml | 0 .../profile.yaml | 4 +- .../split-istio-packages | 0 tests/gh-actions/install_istio-cni.sh | 2 +- tests/gh-actions/install_knative-cni.sh | 4 +- 31 files changed, 999 insertions(+), 1104 deletions(-) rename common/{istio-cni-1-18 => istio-cni-1-19}/README.md (99%) rename common/{istio-cni-1-18 => istio-cni-1-19}/cluster-local-gateway/base/cluster-local-gateway.yaml (98%) rename common/{istio-cni-1-18 => istio-cni-1-19}/cluster-local-gateway/base/gateway-authorizationpolicy.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/cluster-local-gateway/base/gateway.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/cluster-local-gateway/base/kustomization.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/cluster-local-gateway/base/patches/remove-pdb.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-crds/base/crd.yaml (98%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-crds/base/kustomization.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/deny_all_authorizationpolicy.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/gateway.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/gateway_authorizationpolicy.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/install.yaml (81%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/kustomization.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/patches/disable-debugging.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/patches/istio-configmap-disable-tracing.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/patches/istiod-remove-pdb.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/patches/service.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/base/x-forwarded-host.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-install/overlays/oauth2-proxy/kustomization.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-namespace/base/kustomization.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/istio-namespace/base/namespace.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/kubeflow-istio-resources/base/cluster-roles.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/kubeflow-istio-resources/base/kf-istio-resources.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/kubeflow-istio-resources/base/kustomization.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/profile-overlay.yaml (100%) rename common/{istio-cni-1-18 => istio-cni-1-19}/profile.yaml (97%) rename common/{istio-cni-1-18 => istio-cni-1-19}/split-istio-packages (100%) diff --git a/.github/workflows/kserve_cni_test.yaml b/.github/workflows/kserve_cni_test.yaml index 013339ebb8..38eb833fe6 100644 --- a/.github/workflows/kserve_cni_test.yaml +++ b/.github/workflows/kserve_cni_test.yaml @@ -6,7 +6,7 @@ on: - tests/gh-actions/kind-cluster.yaml - tests/gh-actions/install_kind.sh - tests/gh-actions/install_kustomize.sh - - common/istio-cni-1-18/** + - common/istio-cni-1-19/** - tests/gh-actions/install_cert_manager.sh - common/cert-manager/** - tests/gh-actions/install_knative-cni.sh diff --git a/common/istio-cni-1-18/README.md b/common/istio-cni-1-19/README.md similarity index 99% rename from common/istio-cni-1-18/README.md rename to common/istio-cni-1-19/README.md index 423e729d7e..444c652f02 100644 --- a/common/istio-cni-1-18/README.md +++ b/common/istio-cni-1-19/README.md @@ -49,7 +49,7 @@ old version is `X1.Y1.Z1`: $ export PATH="$MANIFESTS_SRC/scripts:$PATH" $ cd $ISTIO_NEW $ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml --set components.cni.enabled=true --set components.cni.namespace=kube-system > dump.yaml - $ split-istio-packages -f dump.yaml + $ ./split-istio-packages -f dump.yaml $ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base $ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base $ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base diff --git a/common/istio-cni-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-cni-1-19/cluster-local-gateway/base/cluster-local-gateway.yaml similarity index 98% rename from common/istio-cni-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml rename to common/istio-cni-1-19/cluster-local-gateway/base/cluster-local-gateway.yaml index 1134c395c1..91dc2b516c 100644 --- a/common/istio-cni-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml +++ b/common/istio-cni-1-19/cluster-local-gateway/base/cluster-local-gateway.yaml @@ -1,15 +1,15 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: cluster-local-gateway-service-account - namespace: istio-system labels: app: cluster-local-gateway + install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway-service-account + namespace: istio-system --- apiVersion: apps/v1 kind: Deployment @@ -125,7 +125,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.18.7 + image: docker.io/istio/proxyv2:1.19.10 name: istio-proxy ports: - containerPort: 15020 @@ -237,15 +237,15 @@ spec: apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: cluster-local-gateway - namespace: istio-system labels: app: cluster-local-gateway + install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway + namespace: istio-system spec: minAvailable: 1 selector: @@ -256,28 +256,33 @@ spec: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: cluster-local-gateway-sds - namespace: istio-system labels: - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway-sds + namespace: istio-system rules: -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - watch + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: cluster-local-gateway-sds - namespace: istio-system labels: - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway-sds + namespace: istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/common/istio-cni-1-18/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-cni-1-19/cluster-local-gateway/base/gateway-authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-18/cluster-local-gateway/base/gateway-authorizationpolicy.yaml rename to common/istio-cni-1-19/cluster-local-gateway/base/gateway-authorizationpolicy.yaml diff --git a/common/istio-cni-1-18/cluster-local-gateway/base/gateway.yaml b/common/istio-cni-1-19/cluster-local-gateway/base/gateway.yaml similarity index 100% rename from common/istio-cni-1-18/cluster-local-gateway/base/gateway.yaml rename to common/istio-cni-1-19/cluster-local-gateway/base/gateway.yaml diff --git a/common/istio-cni-1-18/cluster-local-gateway/base/kustomization.yaml b/common/istio-cni-1-19/cluster-local-gateway/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-18/cluster-local-gateway/base/kustomization.yaml rename to common/istio-cni-1-19/cluster-local-gateway/base/kustomization.yaml diff --git a/common/istio-cni-1-18/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-cni-1-19/cluster-local-gateway/base/patches/remove-pdb.yaml similarity index 100% rename from common/istio-cni-1-18/cluster-local-gateway/base/patches/remove-pdb.yaml rename to common/istio-cni-1-19/cluster-local-gateway/base/patches/remove-pdb.yaml diff --git a/common/istio-cni-1-18/istio-crds/base/crd.yaml b/common/istio-cni-1-19/istio-crds/base/crd.yaml similarity index 98% rename from common/istio-cni-1-18/istio-crds/base/crd.yaml rename to common/istio-cni-1-19/istio-crds/base/crd.yaml index 25dc3dce98..5b9880806f 100644 --- a/common/istio-cni-1-18/istio-crds/base/crd.yaml +++ b/common/istio-cni-1-19/istio-crds/base/crd.yaml @@ -386,6 +386,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3230,6 +3231,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3472,6 +3474,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3546,7 +3549,7 @@ spec: behavior. properties: caCertificates: - description: REQUIRED if mode is `MUTUAL`. + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string cipherSuites: description: 'Optional: If specified, only support the specified @@ -3583,6 +3586,7 @@ spec: - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL + - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. @@ -3662,7 +3666,7 @@ spec: behavior. properties: caCertificates: - description: REQUIRED if mode is `MUTUAL`. + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string cipherSuites: description: 'Optional: If specified, only support the specified @@ -3699,6 +3703,7 @@ spec: - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL + - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. @@ -3730,13 +3735,14 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: istiooperators.install.istio.io labels: release: istio + name: istiooperators.install.istio.io spec: conversion: strategy: None @@ -3745,10 +3751,10 @@ spec: kind: IstioOperator listKind: IstioOperatorList plural: istiooperators - singular: istiooperator shortNames: - iop - io + singular: istiooperator scope: Namespaced versions: - additionalPrinterColumns: @@ -3768,8 +3774,6 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - subresources: - status: {} name: v1alpha1 schema: openAPIV3Schema: @@ -3777,6 +3781,9 @@ spec: x-kubernetes-preserve-unknown-fields: true served: true storage: true + subresources: + status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3869,6 +3876,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3934,6 +3942,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -4129,6 +4138,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -4403,6 +4413,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -4500,7 +4511,7 @@ spec: tls: properties: caCertificates: - description: REQUIRED if mode is `MUTUAL`. + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string cipherSuites: description: 'Optional: If specified, only support the specified @@ -4537,6 +4548,7 @@ spec: - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL + - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. @@ -4673,7 +4685,7 @@ spec: tls: properties: caCertificates: - description: REQUIRED if mode is `MUTUAL`. + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string cipherSuites: description: 'Optional: If specified, only support the specified @@ -4710,6 +4722,7 @@ spec: - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL + - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. @@ -4773,6 +4786,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -5043,6 +5057,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -5570,6 +5585,34 @@ spec: format: double type: number type: object + mirrors: + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + percentage: + properties: + value: + format: double + type: number + type: object + type: object + type: array name: description: The name assigned to the route for debugging purposes. type: string @@ -5639,6 +5682,18 @@ spec: type: string uri: type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object type: object route: description: A HTTP rule can either return a direct_response, @@ -6353,6 +6408,34 @@ spec: format: double type: number type: object + mirrors: + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + percentage: + properties: + value: + format: double + type: number + type: object + type: object + type: array name: description: The name assigned to the route for debugging purposes. type: string @@ -6422,6 +6505,18 @@ spec: type: string uri: type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object type: object route: description: A HTTP rule can either return a direct_response, @@ -6635,6 +6730,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -6676,6 +6772,13 @@ spec: description: 'Extend the functionality provided by the Istio proxy through WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' properties: + failStrategy: + description: Specifies the failure behavior for the plugin due to + fatal errors. + enum: + - FAIL_CLOSE + - FAIL_OPEN + type: string imagePullPolicy: enum: - UNSPECIFIED_POLICY @@ -6774,6 +6877,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -6904,6 +7008,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -7228,3 +7333,4 @@ spec: storage: false subresources: status: {} + diff --git a/common/istio-cni-1-18/istio-crds/base/kustomization.yaml b/common/istio-cni-1-19/istio-crds/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-18/istio-crds/base/kustomization.yaml rename to common/istio-cni-1-19/istio-crds/base/kustomization.yaml diff --git a/common/istio-cni-1-18/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-cni-1-19/istio-install/base/deny_all_authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/base/deny_all_authorizationpolicy.yaml rename to common/istio-cni-1-19/istio-install/base/deny_all_authorizationpolicy.yaml diff --git a/common/istio-cni-1-18/istio-install/base/gateway.yaml b/common/istio-cni-1-19/istio-install/base/gateway.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/base/gateway.yaml rename to common/istio-cni-1-19/istio-install/base/gateway.yaml diff --git a/common/istio-cni-1-18/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-cni-1-19/istio-install/base/gateway_authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/base/gateway_authorizationpolicy.yaml rename to common/istio-cni-1-19/istio-install/base/gateway_authorizationpolicy.yaml diff --git a/common/istio-cni-1-18/istio-install/base/install.yaml b/common/istio-cni-1-19/istio-install/base/install.yaml similarity index 81% rename from common/istio-cni-1-18/istio-install/base/install.yaml rename to common/istio-cni-1-19/istio-install/base/install.yaml index 0352653ec5..af0110458d 100644 --- a/common/istio-cni-1-18/istio-install/base/install.yaml +++ b/common/istio-cni-1-19/istio-install/base/install.yaml @@ -1,95 +1,41 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: istio-cni - namespace: kube-system - labels: - app: istio-cni - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Cni ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-ingressgateway-service-account - namespace: istio-system labels: app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown istio: ingressgateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-service-account + namespace: istio-system --- apiVersion: v1 kind: ServiceAccount metadata: - name: istio-reader-service-account - namespace: istio-system labels: app: istio-reader release: istio ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istiod + name: istio-reader-service-account namespace: istio-system - labels: - app: istiod - release: istio --- apiVersion: v1 kind: ServiceAccount metadata: - name: istiod-service-account - namespace: istio-system labels: app: istiod release: istio + name: istiod + namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istio-cni - labels: - app: istio-cni - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Cni -rules: -- apiGroups: [''] - resources: [pods, nodes, namespaces] - verbs: [get, list, watch] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-cni-repair-role - labels: - app: istio-cni - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Cni -rules: -- apiGroups: [''] - resources: [pods] - verbs: [watch, get, list] -- apiGroups: [''] - resources: [pods] - verbs: [delete] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole-istio-system labels: app: istio-reader release: istio + name: istio-reader-clusterrole-istio-system rules: - apiGroups: - config.istio.io @@ -97,368 +43,337 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io - resources: ['*'] - verbs: [get, list, watch] -- apiGroups: [''] - resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, - secrets] - verbs: [get, list, watch] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list] - resources: [workloadentries] -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, list, watch, create, delete] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, list, watch] -- apiGroups: [apps] - resources: [replicasets] - verbs: [get, list, watch] -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] + resources: + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - endpoints + - pods + - services + - nodes + - replicationcontrollers + - namespaces + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + resources: + - workloadentries + verbs: + - get + - watch + - list +- apiGroups: + - networking.x-k8s.io + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - get + - watch + - list +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - list + - watch + - create + - delete +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istio-reader-istio-system labels: - app: istio-reader + app: istiod release: istio + name: istiod-clusterrole-istio-system rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - update - apiGroups: - config.istio.io - security.istio.io - networking.istio.io - authentication.istio.io - rbac.istio.io - resources: ['*'] - verbs: [get, list, watch] -- apiGroups: [''] - resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, - secrets] - verbs: [get, list, watch] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list] - resources: [workloadentries] -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] -- apiGroups: [apps] - resources: [replicasets] - verbs: [get, list, watch] -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] + - telemetry.istio.io + - extensions.istio.io + resources: + - '*' + verbs: + - get + - watch + - list +- apiGroups: + - networking.istio.io + resources: + - workloadentries + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - networking.istio.io + resources: + - workloadentries/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - pods + - nodes + - services + - namespaces + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - '*' +- apiGroups: + - '' + resources: + - configmaps + verbs: + - create + - get + - list + - watch + - update +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - networking.x-k8s.io + - gateway.networking.k8s.io + resources: + - '*' + verbs: + - get + - watch + - list +- apiGroups: + - networking.x-k8s.io + - gateway.networking.k8s.io + resources: + - '*' + verbs: + - update + - patch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - update + - patch + - delete +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - watch + - list +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - watch + - list + - create + - delete +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - watch + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istiod-clusterrole-istio-system labels: app: istiod release: istio -rules: - # sidecar injection controller -- apiGroups: [admissionregistration.k8s.io] - resources: [mutatingwebhookconfigurations] - verbs: [get, list, watch, update, patch] - - # configuration validation webhook controller -- apiGroups: [admissionregistration.k8s.io] - resources: [validatingwebhookconfigurations] - verbs: [get, list, watch, update] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution -- apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, - rbac.istio.io, telemetry.istio.io, extensions.istio.io] - verbs: [get, watch, list] - resources: ['*'] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries/status] - - # auto-detect installed CRD definitions -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] - - # discovery and routing -- apiGroups: [''] - resources: [pods, nodes, services, namespaces, endpoints] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] - - # ingress controller -- apiGroups: [networking.k8s.io] - resources: [ingresses, ingressclasses] - verbs: [get, list, watch] -- apiGroups: [networking.k8s.io] - resources: [ingresses/status] - verbs: ['*'] - - # required for CA's namespace controller -- apiGroups: [''] - resources: [configmaps] - verbs: [create, get, list, watch, update] - - # Istiod and bootstrap. - - # Used by Istiod to verify the JWT tokens -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] - - # Used by Istiod to verify gateway SDS -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] - - # Use for Kubernetes Service APIs -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] - verbs: [get, watch, list] -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] # TODO: should be on just */status but wildcard is not supported - verbs: [update, patch] -- apiGroups: [gateway.networking.k8s.io] - resources: [gatewayclasses] - verbs: [create, update, patch, delete] - - # Needed for multicluster secret reading, possibly ingress certs in the future -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] - - # Used for MCS serviceexport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list, create, delete] - - # Used for MCS serviceimport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: name: istiod-gateway-controller-istio-system - labels: - app: istiod - release: istio -rules: -- apiGroups: [apps] - verbs: [get, watch, list, update, patch, create, delete] - resources: [deployments] -- apiGroups: [''] - verbs: [get, watch, list, update, patch, create, delete] - resources: [services] -- apiGroups: [''] - verbs: [get, watch, list, update, patch, create, delete] - resources: [serviceaccounts] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio rules: - # sidecar injection controller -- apiGroups: [admissionregistration.k8s.io] - resources: [mutatingwebhookconfigurations] - verbs: [get, list, watch, update, patch] - - # configuration validation webhook controller -- apiGroups: [admissionregistration.k8s.io] - resources: [validatingwebhookconfigurations] - verbs: [get, list, watch, update] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution -- apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, - rbac.istio.io, telemetry.istio.io] - verbs: [get, watch, list] - resources: ['*'] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries/status] - - # auto-detect installed CRD definitions -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] - - # discovery and routing -- apiGroups: [''] - resources: [pods, nodes, services, namespaces, endpoints] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] - - # ingress controller -- apiGroups: [networking.k8s.io] - resources: [ingresses, ingressclasses] - verbs: [get, list, watch] -- apiGroups: [networking.k8s.io] - resources: [ingresses/status] - verbs: ['*'] - - # required for CA's namespace controller -- apiGroups: [''] - resources: [configmaps] - verbs: [create, get, list, watch, update] - - # Istiod and bootstrap. -- apiGroups: [certificates.k8s.io] +- apiGroups: + - apps resources: - - certificatesigningrequests - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: [update, create, get, delete, watch] -- apiGroups: [certificates.k8s.io] + - deployments + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - '' resources: - - signers - resourceNames: - - kubernetes.io/legacy-unknown - verbs: [approve] - - # Used by Istiod to verify the JWT tokens -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] - - # Used by Istiod to verify gateway SDS -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] - - # Use for Kubernetes Service APIs -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] - verbs: [get, watch, list] -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] # TODO: should be on just */status but wildcard is not supported - verbs: [update] -- apiGroups: [gateway.networking.k8s.io] - resources: [gatewayclasses] - verbs: [create, update, patch, delete] - - # Needed for multicluster secret reading, possibly ingress certs in the future -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] - - # Used for MCS serviceexport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list, create, delete] - - # Used for MCS serviceimport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cni - labels: - app: istio-cni - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Cni -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cni -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cni-repair-rolebinding - labels: - k8s-app: istio-cni-repair - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Cni -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cni-repair-role + - services + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - '' + resources: + - serviceaccounts + verbs: + - get + - watch + - list + - update + - patch + - create + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istio-reader-clusterrole-istio-system labels: app: istio-reader release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole name: istio-reader-clusterrole-istio-system -subjects: -- kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-reader-istio-system + name: istio-reader-clusterrole-istio-system subjects: - kind: ServiceAccount name: istio-reader-service-account @@ -467,10 +382,10 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istiod-clusterrole-istio-system labels: app: istiod release: istio + name: istiod-clusterrole-istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -483,10 +398,10 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istiod-gateway-controller-istio-system labels: app: istiod release: istio + name: istiod-gateway-controller-istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -496,83 +411,49 @@ subjects: name: istiod namespace: istio-system --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-istio-system -subjects: -- kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - name: istio-validator-istio-system labels: app: istiod - release: istio istio: istiod istio.io/rev: default + release: istio + name: istio-validator-istio-system webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. -- name: rev.validation.istio.io +- admissionReviewVersions: + - v1beta1 + - v1 clientConfig: - # Should change from base but cannot for API compat service: name: istiod namespace: istio-system path: /validate + failurePolicy: Ignore + name: rev.validation.istio.io + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default rules: - - operations: - - CREATE - - UPDATE - apiGroups: + - apiGroups: - security.istio.io - networking.istio.io - telemetry.istio.io - extensions.istio.io apiVersions: - '*' + operations: + - CREATE + - UPDATE resources: - '*' - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore sideEffects: None - admissionReviewVersions: [v1beta1, v1] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - default --- apiVersion: v1 -kind: ConfigMap -metadata: - name: istio - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot - release: istio data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - networks: {} - mesh: |- defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 @@ -590,166 +471,19 @@ data: probes: 3 time: 10s trustDomain: cluster.local ---- + meshNetworks: 'networks: {}' kind: ConfigMap -apiVersion: v1 metadata: - name: istio-cni-config - namespace: kube-system labels: - app: istio-cni - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Cni -data: - # The CNI network configuration to add to the plugin chain on each node. The special - # values in this config will be automatically populated. - cni_network_config: |- - { - "cniVersion": "0.3.1", - "name": "istio-cni", - "type": "istio-cni", - "log_level": "debug", - "log_uds_address": "__LOG_UDS_ADDRESS__", - - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__", - "cni_bin_dir": "/opt/cni/bin", - "exclude_namespaces": [ "istio-system", "kube-system" ] - } - } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector - namespace: istio-system - labels: istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: Pilot release: istio + name: istio + namespace: istio-system +--- +apiVersion: v1 data: - - values: |- - { - "global": { - "autoscalingv2API": true, - "caAddress": "", - "caName": "", - "certSigners": [], - "configCluster": false, - "configValidation": true, - "defaultNodeSelector": {}, - "defaultPodDisruptionBudget": { - "enabled": true - }, - "defaultResources": { - "requests": { - "cpu": "10m" - } - }, - "enabled": true, - "externalIstiod": false, - "hub": "docker.io/istio", - "imagePullPolicy": "", - "imagePullSecrets": [], - "istioNamespace": "istio-system", - "istiod": { - "enableAnalysis": false - }, - "jwtPolicy": "third-party-jwt", - "logAsJson": false, - "logging": { - "level": "default:info" - }, - "meshID": "", - "meshNetworks": {}, - "mountMtlsCerts": false, - "multiCluster": { - "clusterName": "", - "enabled": false - }, - "namespace": "istio-system", - "network": "", - "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, - "operatorManageWebhooks": false, - "pilotCertProvider": "istiod", - "priorityClassName": "", - "proxy": { - "autoInject": "enabled", - "clusterDomain": "cluster.local", - "componentLogLevel": "misc:error", - "enableCoreDump": false, - "excludeIPRanges": "", - "excludeInboundPorts": "", - "excludeOutboundPorts": "", - "image": "proxyv2", - "includeIPRanges": "*", - "includeInboundPorts": "*", - "includeOutboundPorts": "", - "logLevel": "warning", - "privileged": false, - "readinessFailureThreshold": 30, - "readinessInitialDelaySeconds": 1, - "readinessPeriodSeconds": 2, - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "100m", - "memory": "128Mi" - } - }, - "statusPort": 15020, - "tracer": "zipkin" - }, - "proxy_init": { - "image": "proxyv2" - }, - "remotePilotAddress": "", - "sds": { - "token": { - "aud": "istio-ca" - } - }, - "sts": { - "servicePort": 0 - }, - "tag": "1.18.7", - "tracer": { - "datadog": {}, - "lightstep": {}, - "stackdriver": {}, - "zipkin": {} - }, - "useMCP": false, - "variant": "" - }, - "istio_cni": { - "enabled": true - }, - "revision": "", - "sidecarInjectorWebhook": { - "alwaysInjectSelector": [], - "defaultTemplates": [], - "enableNamespacesByDefault": false, - "injectedAnnotations": {}, - "neverInjectSelector": [], - "rewriteAppHTTPProbe": true, - "templates": {} - } - } - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. config: |- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template defaultTemplates: [sidecar] @@ -788,6 +522,7 @@ data: {{- end }} {{- end }} {{- end }} + {{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: @@ -810,7 +545,7 @@ data: {{- end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} @@ -948,13 +683,16 @@ data: runAsNonRoot: false runAsUser: 0 {{ end }} + {{ if not $nativeSidecar }} containers: + {{ end }} - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} ports: - containerPort: 15090 protocol: TCP @@ -1041,6 +779,18 @@ data: ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME @@ -1088,7 +838,11 @@ data: {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if $nativeSidecar }} + startupProbe: + {{ else }} readinessProbe: + {{ end }} httpGet: path: /healthz/ready port: 15021 @@ -1271,10 +1025,6 @@ data: - name: {{ . }} {{- end }} {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} gateway: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} @@ -1370,6 +1120,18 @@ data: {{- end}} {{- end}} ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID @@ -1509,10 +1271,6 @@ data: - name: {{ . }} {{- end }} {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} grpc-simple: | metadata: annotations: @@ -1896,10 +1654,6 @@ data: - name: {{ . }} {{- end }} {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} waypoint: | apiVersion: v1 kind: ServiceAccount @@ -1953,7 +1707,17 @@ data: terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - - args: + - name: istio-proxy + ports: + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + image: {{.ProxyImage}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: - proxy - waypoint - --domain @@ -2015,6 +1779,14 @@ data: - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE @@ -2030,9 +1802,6 @@ data: - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} - image: {{.ProxyImage}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - name: istio-proxy resources: limits: cpu: "2" @@ -2132,12 +1901,18 @@ data: uid: "{{.UID}}" spec: ports: - - name: https-hbone - port: 15008 + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} protocol: TCP - appProtocol: https + appProtocol: {{ $val.AppProtocol }} + {{- end }} selector: istio.io/gateway-name: "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} --- kube-gateway: | apiVersion: v1 @@ -2196,6 +1971,10 @@ data: containers: - name: istio-proxy image: "{{ .ProxyImage }}" + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: {{- if .KubeVersion122 }} @@ -2291,6 +2070,14 @@ data: value: "[]" - name: ISTIO_META_APP_CONTAINERS value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - name: ISTIO_META_NODE_NAME @@ -2299,9 +2086,9 @@ data: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} + {{- with (valueOrDefault (index .Labels "topology.istio.io/network") .Values.global.network) }} - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" + value: {{.|quote}} {{- end }} - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName|quote}} @@ -2447,38 +2234,157 @@ data: {{- end }} selector: istio.io/gateway-name: {{.Name}} - {{- if .Spec.Addresses }} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} - type: {{ index .Annotations "networking.istio.io/service-type" | default "LoadBalancer" | quote }} + type: {{ .ServiceType | quote }} --- + values: |- + { + "global": { + "autoscalingv2API": true, + "caAddress": "", + "caName": "", + "certSigners": [], + "configCluster": false, + "configValidation": true, + "defaultNodeSelector": {}, + "defaultPodDisruptionBudget": { + "enabled": true + }, + "defaultResources": { + "requests": { + "cpu": "10m" + } + }, + "enabled": true, + "externalIstiod": false, + "hub": "docker.io/istio", + "imagePullPolicy": "", + "imagePullSecrets": [], + "istioNamespace": "istio-system", + "istiod": { + "enableAnalysis": false + }, + "jwtPolicy": "third-party-jwt", + "logAsJson": false, + "logging": { + "level": "default:info" + }, + "meshID": "", + "meshNetworks": {}, + "mountMtlsCerts": false, + "multiCluster": { + "clusterName": "", + "enabled": false + }, + "namespace": "istio-system", + "network": "", + "omitSidecarInjectorConfigMap": false, + "oneNamespace": false, + "operatorManageWebhooks": false, + "pilotCertProvider": "istiod", + "priorityClassName": "", + "proxy": { + "autoInject": "enabled", + "clusterDomain": "cluster.local", + "componentLogLevel": "misc:error", + "enableCoreDump": false, + "excludeIPRanges": "", + "excludeInboundPorts": "", + "excludeOutboundPorts": "", + "image": "proxyv2", + "includeIPRanges": "*", + "includeInboundPorts": "*", + "includeOutboundPorts": "", + "logLevel": "warning", + "privileged": false, + "readinessFailureThreshold": 30, + "readinessInitialDelaySeconds": 1, + "readinessPeriodSeconds": 2, + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "statusPort": 15020, + "tracer": "zipkin" + }, + "proxy_init": { + "image": "proxyv2" + }, + "remotePilotAddress": "", + "sds": { + "token": { + "aud": "istio-ca" + } + }, + "sts": { + "servicePort": 0 + }, + "tag": "1.19.10", + "tracer": { + "datadog": {}, + "lightstep": {}, + "stackdriver": {}, + "zipkin": {} + }, + "useMCP": false, + "variant": "" + }, + "istio_cni": { + "chained": true, + "enabled": false + }, + "revision": "", + "sidecarInjectorWebhook": { + "alwaysInjectSelector": [], + "defaultTemplates": [], + "enableNamespacesByDefault": false, + "injectedAnnotations": {}, + "neverInjectSelector": [], + "reinvocationPolicy": "Never", + "rewriteAppHTTPProbe": true, + "templates": {} + } + } +kind: ConfigMap +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: Pilot + release: istio + name: istio-sidecar-injector + namespace: istio-system --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: istio-sidecar-injector labels: - istio.io/rev: default + app: sidecar-injector install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: Pilot - app: sidecar-injector release: istio + name: istio-sidecar-injector webhooks: -- name: rev.namespace.sidecar-injector.istio.io +- admissionReviewVersions: + - v1beta1 + - v1 clientConfig: service: name: istiod namespace: istio-system path: /inject port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] + name: rev.namespace.sidecar-injector.istio.io namespaceSelector: matchExpressions: - key: istio.io/rev @@ -2493,21 +2399,28 @@ webhooks: operator: NotIn values: - 'false' -- name: rev.object.sidecar-injector.istio.io + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1beta1 + - v1 clientConfig: service: name: istiod namespace: istio-system path: /inject port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] + name: rev.object.sidecar-injector.istio.io namespaceSelector: matchExpressions: - key: istio.io/rev @@ -2524,21 +2437,28 @@ webhooks: operator: In values: - default -- name: namespace.sidecar-injector.istio.io + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1beta1 + - v1 clientConfig: service: name: istiod namespace: istio-system path: /inject port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] + name: namespace.sidecar-injector.istio.io namespaceSelector: matchExpressions: - key: istio-injection @@ -2551,21 +2471,28 @@ webhooks: operator: NotIn values: - 'false' -- name: object.sidecar-injector.istio.io + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1beta1 + - v1 clientConfig: service: name: istiod namespace: istio-system path: /inject port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] + name: object.sidecar-injector.istio.io namespaceSelector: matchExpressions: - key: istio-injection @@ -2580,153 +2507,30 @@ webhooks: - 'true' - key: istio.io/rev operator: DoesNotExist ---- -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: istio-cni-node - namespace: kube-system - labels: - k8s-app: istio-cni-node - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Cni -spec: - selector: - matchLabels: - k8s-app: istio-cni-node - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - k8s-app: istio-cni-node - sidecar.istio.io/inject: 'false' - annotations: - sidecar.istio.io/inject: 'false' - ambient.istio.io/redirection: disabled - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: '15014' - prometheus.io/path: /metrics - # Custom annotations - spec: - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding instio-cni from being scheduled on specified nodes - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: istio-cni - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni - image: docker.io/istio/install-cni:1.18.7 - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - privileged: false - command: [install-cni] - args: - - --log_output_level=default:info - env: - # The CNI network config to install on each node. - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: istio-cni-config - key: cni_network_config - - name: CNI_NET_DIR - value: /etc/cni/net.d - # Deploy as a standalone CNI plugin or as chained? - - name: CHAINED_CNI_PLUGIN - value: 'true' - - name: REPAIR_ENABLED - value: 'true' - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_LABEL_PODS - value: 'false' - # Set to true to enable pod deletion - - name: REPAIR_DELETE_PODS - value: 'true' - - name: REPAIR_RUN_AS_DAEMON - value: 'true' - - name: REPAIR_SIDECAR_ANNOTATION - value: sidecar.istio.io/status - - name: REPAIR_INIT_CONTAINER_NAME - value: istio-validation - - name: REPAIR_BROKEN_POD_LABEL_KEY - value: cni.istio.io/uninitialized - - name: REPAIR_BROKEN_POD_LABEL_VALUE - value: 'true' - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: LOG_LEVEL - value: debug - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-log-dir - resources: - requests: - cpu: 100m - memory: 100Mi - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: /opt/cni/bin - - name: cni-net-dir - hostPath: - path: /etc/cni/net.d - # Used for UDS log - - name: cni-log-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: /var/run/netns + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None --- apiVersion: apps/v1 kind: Deployment metadata: - name: istio-ingressgateway - namespace: istio-system labels: app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown istio: ingressgateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system spec: selector: matchLabels: @@ -2738,45 +2542,31 @@ spec: maxUnavailable: 25% template: metadata: + annotations: + istio.io/rev: default + prometheus.io/path: /stats/prometheus + prometheus.io/port: '15020' + prometheus.io/scrape: 'true' + sidecar.istio.io/inject: 'false' labels: app: istio-ingressgateway - istio: ingressgateway + chart: gateways heritage: Tiller + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways release: istio - chart: gateways service.istio.io/canonical-name: istio-ingressgateway service.istio.io/canonical-revision: latest - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways - sidecar.istio.io/inject: 'false' - annotations: - istio.io/rev: default - prometheus.io/port: '15020' - prometheus.io/scrape: 'true' - prometheus.io/path: /stats/prometheus sidecar.istio.io/inject: 'false' spec: - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 - serviceAccountName: istio-ingressgateway-service-account + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + requiredDuringSchedulingIgnoredDuringExecution: containers: - - name: istio-proxy - image: docker.io/istio/proxyv2:1.18.7 - ports: - - containerPort: 15021 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8443 - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: + - args: - proxy - router - --domain @@ -2784,30 +2574,6 @@ spec: - --proxyLogLevel=warning - --proxyComponentLogLevel=misc:error - --log_output_level=default:info - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi env: - name: JWT_POLICY value: third-party-jwt @@ -2865,32 +2631,74 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + image: docker.io/istio/proxyv2:1.19.10 + name: istio-proxy + ports: + - containerPort: 15021 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 8443 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume - mountPath: /var/run/secrets/istio name: istiod-ca-cert - - name: istio-token - mountPath: /var/run/secrets/tokens + - mountPath: /var/run/secrets/tokens + name: istio-token readOnly: true - mountPath: /var/lib/istio/data name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - - name: ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs readOnly: true - - name: ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs readOnly: true + securityContext: + fsGroup: 1337 + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + serviceAccountName: istio-ingressgateway-service-account volumes: - emptyDir: {} name: workload-socket @@ -2898,88 +2706,79 @@ spec: name: credential-socket - emptyDir: {} name: workload-certs - - name: istiod-ca-cert - configMap: + - configMap: name: istio-ca-root-cert - - name: podinfo - downwardAPI: + name: istiod-ca-cert + - downwardAPI: items: - - path: labels - fieldRef: + - fieldRef: fieldPath: metadata.labels - - path: annotations - fieldRef: + path: labels + - fieldRef: fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data - name: istio-token projected: sources: - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 audience: istio-ca - - name: config-volume - configMap: + expirationSeconds: 43200 + path: istio-token + - configMap: name: istio optional: true + name: config-volume - name: ingressgateway-certs secret: - secretName: istio-ingressgateway-certs optional: true + secretName: istio-ingressgateway-certs - name: ingressgateway-ca-certs secret: - secretName: istio-ingressgateway-ca-certs optional: true - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - preferredDuringSchedulingIgnoredDuringExecution: + secretName: istio-ingressgateway-ca-certs --- apiVersion: apps/v1 kind: Deployment metadata: - name: istiod - namespace: istio-system labels: app: istiod - istio.io/rev: default install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot istio: pilot + istio.io/rev: default + operator.istio.io/component: Pilot release: istio + name: istiod + namespace: istio-system spec: + selector: + matchLabels: + istio: pilot strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% - selector: - matchLabels: - istio: pilot template: metadata: + annotations: + ambient.istio.io/redirection: disabled + prometheus.io/port: '15014' + prometheus.io/scrape: 'true' + sidecar.istio.io/inject: 'false' labels: app: istiod - istio.io/rev: default install.operator.istio.io/owning-resource: unknown - sidecar.istio.io/inject: 'false' - operator.istio.io/component: Pilot istio: pilot - annotations: - prometheus.io/port: '15014' - prometheus.io/scrape: 'true' - ambient.istio.io/redirection: disabled + istio.io/rev: default + operator.istio.io/component: Pilot sidecar.istio.io/inject: 'false' spec: - serviceAccountName: istiod - securityContext: - fsGroup: 1337 containers: - - name: discovery - image: docker.io/istio/pilot:1.18.7 - args: + - args: - discovery - --monitoringAddr=:15014 - --log_output_level=default:info @@ -2987,20 +2786,6 @@ spec: - cluster.local - --keepaliveMaxServerConnectionAge - 30m - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 env: - name: REVISION value: default @@ -3027,10 +2812,6 @@ spec: value: /var/run/secrets/remote/config - name: PILOT_TRACE_SAMPLING value: '1' - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: 'true' - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: 'true' - name: ISTIOD_ADDR value: istiod.istio-system.svc:15012 - name: PILOT_ENABLE_ANALYSIS @@ -3041,40 +2822,63 @@ spec: valueFrom: resourceFieldRef: resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PLATFORM + value: '' + image: docker.io/istio/pilot:1.19.10 + name: discovery + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 resources: requests: cpu: 500m memory: 2048Mi securityContext: allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true capabilities: drop: - ALL + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens + - mountPath: /var/run/secrets/tokens + name: istio-token readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts + - mountPath: /var/run/secrets/istio-dns + name: local-certs + - mountPath: /etc/cacerts + name: cacerts readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote + - mountPath: /var/run/secrets/remote + name: istio-kubeconfig readOnly: true - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls + - mountPath: /var/run/secrets/istiod/tls + name: istio-csr-dns-cert readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca + - mountPath: /var/run/secrets/istiod/ca + name: istio-csr-ca-configmap readOnly: true + securityContext: + fsGroup: 1337 + serviceAccountName: istiod volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - emptyDir: medium: Memory name: local-certs @@ -3085,38 +2889,36 @@ spec: audience: istio-ca expirationSeconds: 43200 path: istio-token - # Optional: user-generated root - name: cacerts secret: - secretName: cacerts optional: true + secretName: cacerts - name: istio-kubeconfig secret: - secretName: istio-kubeconfig optional: true - # Optional: istio-csr dns pilot certs + secretName: istio-kubeconfig - name: istio-csr-dns-cert secret: - secretName: istiod-tls optional: true - - name: istio-csr-ca-configmap - configMap: - name: istio-ca-root-cert + secretName: istiod-tls + - configMap: defaultMode: 420 + name: istio-ca-root-cert optional: true + name: istio-csr-ca-configmap --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: istio-ingressgateway - namespace: istio-system labels: app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown istio: ingressgateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system spec: minAvailable: 1 selector: @@ -3127,15 +2929,15 @@ spec: apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: istiod - namespace: istio-system labels: app: istiod - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio: pilot + istio.io/rev: default operator.istio.io/component: Pilot release: istio - istio: pilot + name: istiod + namespace: istio-system spec: minAvailable: 1 selector: @@ -3146,72 +2948,75 @@ spec: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: istio-ingressgateway-sds - namespace: istio-system labels: - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: IngressGateways -rules: -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod release: istio + name: istio-ingressgateway-sds + namespace: istio-system rules: -- apiGroups: [networking.istio.io] - verbs: [create] - resources: [gateways] - -- apiGroups: [''] - resources: [secrets] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: [create, get, watch, list, update, delete] - -- apiGroups: [''] - resources: [configmaps] - verbs: [delete] - -- apiGroups: [coordination.k8s.io] - resources: [leases] - verbs: [get, update, patch, create] +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - watch + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: istiod-istio-system - namespace: istio-system labels: app: istiod release: istio + name: istiod + namespace: istio-system rules: -- apiGroups: [networking.istio.io] - verbs: [create] - resources: [gateways] - -- apiGroups: [''] - resources: [secrets] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: [create, get, watch, list, update, delete] +- apiGroups: + - networking.istio.io + resources: + - gateways + verbs: + - create +- apiGroups: + - '' + resources: + - secrets + verbs: + - create + - get + - watch + - list + - update + - delete +- apiGroups: + - '' + resources: + - configmaps + verbs: + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - update + - patch + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: istio-ingressgateway-sds - namespace: istio-system labels: - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-sds + namespace: istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -3223,108 +3028,87 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: istiod - namespace: istio-system labels: app: istiod release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod -subjects: -- kind: ServiceAccount name: istiod namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: istiod - release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: istiod-istio-system + name: istiod subjects: - kind: ServiceAccount - name: istiod-service-account + name: istiod namespace: istio-system --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: istio-ingressgateway - namespace: istio-system labels: app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown istio: ingressgateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system spec: maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource minReplicas: 1 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: istio-ingressgateway - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 80 --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: istiod - namespace: istio-system labels: app: istiod - release: istio - istio.io/rev: default install.operator.istio.io/owning-resource: unknown + istio.io/rev: default operator.istio.io/component: Pilot + release: istio + name: istiod + namespace: istio-system spec: maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource minReplicas: 1 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: istiod - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 80 --- apiVersion: v1 kind: Service metadata: - name: istio-ingressgateway - namespace: istio-system annotations: labels: app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown istio: ingressgateway - release: istio istio.io/rev: default - install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system spec: - type: LoadBalancer - selector: - app: istio-ingressgateway - istio: ingressgateway ports: - name: status-port port: 15021 @@ -3338,36 +3122,38 @@ spec: port: 443 protocol: TCP targetPort: 8443 + selector: + app: istio-ingressgateway + istio: ingressgateway + type: LoadBalancer --- apiVersion: v1 kind: Service metadata: - name: istiod - namespace: istio-system labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot app: istiod + install.operator.istio.io/owning-resource: unknown istio: pilot + istio.io/rev: default + operator.istio.io/component: Pilot release: istio + name: istiod + namespace: istio-system spec: ports: - - port: 15010 - name: grpc-xds # plaintext + - name: grpc-xds + port: 15010 protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert + - name: https-dns + port: 15012 protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 + - name: https-webhook + port: 443 protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats + targetPort: 15017 + - name: http-monitoring + port: 15014 protocol: TCP selector: app: istiod - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary istio: pilot diff --git a/common/istio-cni-1-18/istio-install/base/kustomization.yaml b/common/istio-cni-1-19/istio-install/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/base/kustomization.yaml rename to common/istio-cni-1-19/istio-install/base/kustomization.yaml diff --git a/common/istio-cni-1-18/istio-install/base/patches/disable-debugging.yaml b/common/istio-cni-1-19/istio-install/base/patches/disable-debugging.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/base/patches/disable-debugging.yaml rename to common/istio-cni-1-19/istio-install/base/patches/disable-debugging.yaml diff --git a/common/istio-cni-1-18/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-cni-1-19/istio-install/base/patches/istio-configmap-disable-tracing.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/base/patches/istio-configmap-disable-tracing.yaml rename to common/istio-cni-1-19/istio-install/base/patches/istio-configmap-disable-tracing.yaml diff --git a/common/istio-cni-1-18/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-cni-1-19/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml rename to common/istio-cni-1-19/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml diff --git a/common/istio-cni-1-18/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-cni-1-19/istio-install/base/patches/istiod-remove-pdb.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/base/patches/istiod-remove-pdb.yaml rename to common/istio-cni-1-19/istio-install/base/patches/istiod-remove-pdb.yaml diff --git a/common/istio-cni-1-18/istio-install/base/patches/service.yaml b/common/istio-cni-1-19/istio-install/base/patches/service.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/base/patches/service.yaml rename to common/istio-cni-1-19/istio-install/base/patches/service.yaml diff --git a/common/istio-cni-1-18/istio-install/base/x-forwarded-host.yaml b/common/istio-cni-1-19/istio-install/base/x-forwarded-host.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/base/x-forwarded-host.yaml rename to common/istio-cni-1-19/istio-install/base/x-forwarded-host.yaml diff --git a/common/istio-cni-1-18/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-19/istio-install/overlays/oauth2-proxy/kustomization.yaml similarity index 100% rename from common/istio-cni-1-18/istio-install/overlays/oauth2-proxy/kustomization.yaml rename to common/istio-cni-1-19/istio-install/overlays/oauth2-proxy/kustomization.yaml diff --git a/common/istio-cni-1-18/istio-namespace/base/kustomization.yaml b/common/istio-cni-1-19/istio-namespace/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-18/istio-namespace/base/kustomization.yaml rename to common/istio-cni-1-19/istio-namespace/base/kustomization.yaml diff --git a/common/istio-cni-1-18/istio-namespace/base/namespace.yaml b/common/istio-cni-1-19/istio-namespace/base/namespace.yaml similarity index 100% rename from common/istio-cni-1-18/istio-namespace/base/namespace.yaml rename to common/istio-cni-1-19/istio-namespace/base/namespace.yaml diff --git a/common/istio-cni-1-18/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-cni-1-19/kubeflow-istio-resources/base/cluster-roles.yaml similarity index 100% rename from common/istio-cni-1-18/kubeflow-istio-resources/base/cluster-roles.yaml rename to common/istio-cni-1-19/kubeflow-istio-resources/base/cluster-roles.yaml diff --git a/common/istio-cni-1-18/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-cni-1-19/kubeflow-istio-resources/base/kf-istio-resources.yaml similarity index 100% rename from common/istio-cni-1-18/kubeflow-istio-resources/base/kf-istio-resources.yaml rename to common/istio-cni-1-19/kubeflow-istio-resources/base/kf-istio-resources.yaml diff --git a/common/istio-cni-1-18/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-cni-1-19/kubeflow-istio-resources/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-18/kubeflow-istio-resources/base/kustomization.yaml rename to common/istio-cni-1-19/kubeflow-istio-resources/base/kustomization.yaml diff --git a/common/istio-cni-1-18/profile-overlay.yaml b/common/istio-cni-1-19/profile-overlay.yaml similarity index 100% rename from common/istio-cni-1-18/profile-overlay.yaml rename to common/istio-cni-1-19/profile-overlay.yaml diff --git a/common/istio-cni-1-18/profile.yaml b/common/istio-cni-1-19/profile.yaml similarity index 97% rename from common/istio-cni-1-18/profile.yaml rename to common/istio-cni-1-19/profile.yaml index 3048418468..c3754eda2e 100644 --- a/common/istio-cni-1-18/profile.yaml +++ b/common/istio-cni-1-19/profile.yaml @@ -22,7 +22,7 @@ spec: proxyMetadata: {} enablePrometheusMerge: true profile: default - tag: 1.18.7 + tag: 1.19.10 values: base: enableCRDTemplates: false @@ -127,8 +127,6 @@ spec: configMap: true cpu: targetAverageUtilization: 80 - enableProtocolSniffingForInbound: true - enableProtocolSniffingForOutbound: true env: {} image: pilot keepaliveMaxServerConnectionAge: 30m diff --git a/common/istio-cni-1-18/split-istio-packages b/common/istio-cni-1-19/split-istio-packages similarity index 100% rename from common/istio-cni-1-18/split-istio-packages rename to common/istio-cni-1-19/split-istio-packages diff --git a/tests/gh-actions/install_istio-cni.sh b/tests/gh-actions/install_istio-cni.sh index 9c8cdbbac0..3f98406517 100755 --- a/tests/gh-actions/install_istio-cni.sh +++ b/tests/gh-actions/install_istio-cni.sh @@ -1,7 +1,7 @@ #!/bin/bash set -e echo "Installing Istio-cni ..." -cd common/istio-cni-1-18 +cd common/istio-cni-1-19 kustomize build istio-crds/base | kubectl apply -f - kustomize build istio-namespace/base | kubectl apply -f - kustomize build istio-install/base | kubectl apply -f - \ No newline at end of file diff --git a/tests/gh-actions/install_knative-cni.sh b/tests/gh-actions/install_knative-cni.sh index 06787b4adb..a74c83c5f4 100755 --- a/tests/gh-actions/install_knative-cni.sh +++ b/tests/gh-actions/install_knative-cni.sh @@ -6,8 +6,8 @@ kustomize build common/knative/knative-serving/base | kubectl apply -f - set -e kustomize build common/knative/knative-serving/base | kubectl apply -f - -kustomize build common/istio-cni-1-18/cluster-local-gateway/base | kubectl apply -f - -kustomize build common/istio-cni-1-18/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-cni-1-19/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-cni-1-19/kubeflow-istio-resources/base | kubectl apply -f - kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 600s kubectl patch cm config-domain --patch '{"data":{"example.com":""}}' -n knative-serving