├── .circleci └── config.yml ├── .editorconfig ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── feature_request.md │ └── support_request.md ├── PULL_REQUEST_TEMPLATE.md ├── SUPPORT.md ├── mergeable.yml └── workflows │ └── ci.yaml ├── .gitignore ├── .golangci.yml ├── .idea └── go.imports.xml ├── .licensei.toml ├── CODEOWNERS ├── CONTRIBUTING.md ├── Dockerfile ├── LICENSE ├── Makefile ├── PROJECT ├── README.md ├── api ├── go.mod ├── go.sum ├── options │ ├── options.pb.go │ ├── options.pb.html │ ├── options.proto │ ├── options_deepcopy.gen.go │ └── options_json.gen.go └── v1alpha1 │ ├── common.gen.json │ ├── common.go │ ├── common.pb.go │ ├── common.pb.html │ ├── common.proto │ ├── common_deepcopy.gen.go │ ├── common_json.gen.go │ ├── groupversion_info.go │ ├── istio-operator.gen.json │ ├── istiocontrolplane.gen.json │ ├── istiocontrolplane.pb.go │ ├── istiocontrolplane.pb.html │ ├── istiocontrolplane.proto │ ├── istiocontrolplane_deepcopy.gen.go │ ├── istiocontrolplane_json.gen.go │ ├── istiocontrolplane_types.go │ ├── istiomesh.gen.json │ ├── istiomesh.pb.go │ ├── istiomesh.pb.html │ ├── istiomesh.proto │ ├── istiomesh_deepcopy.gen.go │ ├── istiomesh_json.gen.go │ ├── istiomesh_types.go │ ├── istiomeshgateway.gen.json │ ├── istiomeshgateway.pb.go │ ├── istiomeshgateway.pb.html │ ├── istiomeshgateway.proto │ ├── istiomeshgateway_deepcopy.gen.go │ ├── istiomeshgateway_json.gen.go │ ├── istiomeshgateway_types.go │ └── zz_generated.deepcopy.go ├── build ├── buf.gen.yaml ├── buf.yaml └── fixup_structs │ └── main.go ├── cmd └── docs.go ├── config ├── certmanager │ ├── certificate.yaml │ ├── kustomization.yaml │ └── kustomizeconfig.yaml ├── crd │ ├── bases │ │ └── istio-operator-crds.gen.yaml │ ├── kustomization.yaml │ ├── kustomizeconfig.yaml │ └── patches │ │ ├── cainjection_in_istiocontrolplanes.yaml │ │ ├── cainjection_in_istiomeshes.yaml │ │ ├── cainjection_in_istiomeshgateways.yaml │ │ ├── webhook_in_istiocontrolplanes.yaml │ │ ├── webhook_in_istiomeshes.yaml 
│ │ └── webhook_in_istiomeshgateways.yaml ├── default │ ├── kustomization.yaml │ ├── manager_auth_proxy_patch.yaml │ ├── manager_webhook_patch.yaml │ └── webhookcainjection_patch.yaml ├── manager │ ├── kustomization.yaml │ └── manager.yaml ├── prometheus │ ├── kustomization.yaml │ └── monitor.yaml ├── rbac │ ├── auth_proxy_client_clusterrole.yaml │ ├── auth_proxy_role.yaml │ ├── auth_proxy_role_binding.yaml │ ├── auth_proxy_service.yaml │ ├── istiocontrolplane_editor_role.yaml │ ├── istiocontrolplane_viewer_role.yaml │ ├── istiomesh_editor_role.yaml │ ├── istiomesh_viewer_role.yaml │ ├── istiomeshgateway_editor_role.yaml │ ├── istiomeshgateway_viewer_role.yaml │ ├── kustomization.yaml │ ├── leader_election_role.yaml │ ├── leader_election_role_binding.yaml │ ├── role.yaml │ └── role_binding.yaml ├── samples │ ├── servicemesh_v1alpha1_istiocontrolplane.yaml │ ├── servicemesh_v1alpha1_istiomesh.yaml │ └── servicemesh_v1alpha1_istiomeshgateway.yaml └── webhook │ ├── kustomization.yaml │ ├── kustomizeconfig.yaml │ └── service.yaml ├── controllers ├── common.go ├── defaults.go ├── istiocontrolplane_controller.go ├── meshgateway_controller.go ├── suite_test.go ├── version.go └── version_test.go ├── cue.yaml ├── deploy └── charts │ ├── .editorconfig │ ├── charts.go │ ├── go.mod │ └── istio-operator │ ├── .helmignore │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── crds │ └── istio-operator-crds.gen.yaml │ ├── templates │ ├── _helpers.tpl │ ├── authproxy-rbac.yaml │ ├── authproxy-service.yaml │ ├── namespace.yaml │ ├── operator-deployment.yaml │ ├── operator-rbac.yaml │ └── operator-service.yaml │ └── values.yaml ├── docs ├── crds │ └── v1alpha1 │ │ ├── _index.md │ │ ├── common.md │ │ ├── common.pb.md │ │ ├── istiocontrolplane.pb.md │ │ ├── istiocontrolplane_types.md │ │ ├── istiomesh.pb.md │ │ ├── istiomesh_types.md │ │ ├── istiomeshgateway.pb.md │ │ └── istiomeshgateway_types.md ├── multi-cluster-mesh │ ├── active-active │ │ ├── active-icp-1.yaml │ │ ├── 
active-icp-2.yaml │ │ ├── demoapp-1.yaml │ │ ├── demoapp-2.yaml │ │ ├── demoapp-vs-dr.yaml │ │ └── multi-cluster-active-active.md │ └── active-passive │ │ ├── active-icp.yaml │ │ ├── demoapp-1.yaml │ │ ├── demoapp-2.yaml │ │ ├── demoapp-vs-dr.yaml │ │ ├── multi-cluster-active-passive.md │ │ └── passive-icp.yaml └── openshift │ ├── gw.yaml │ ├── icp-openshift.yaml │ ├── nad.yaml │ └── openshift.md ├── go.mod ├── go.sum ├── hack └── boilerplate.go.txt ├── internal ├── assets │ ├── assets.go │ └── manifests │ │ ├── base │ │ ├── Chart.yaml │ │ ├── NOTES.txt │ │ ├── crds │ │ │ └── crd-all.gen.yaml │ │ ├── files │ │ │ └── gen-istio-cluster.yaml │ │ ├── kustomization.yaml │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── crds.yaml │ │ │ ├── endpoints.yaml │ │ │ └── services.yaml │ │ ├── values.yaml │ │ └── values.yaml.tpl │ │ ├── istio-cni │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── configmap-cni.yaml │ │ │ ├── daemonset.yaml │ │ │ ├── resource-quota.yaml │ │ │ └── serviceaccount.yaml │ │ ├── values.yaml │ │ └── values.yaml.tpl │ │ ├── istio-discovery │ │ ├── Chart.yaml │ │ ├── NOTES.txt │ │ ├── kustomization.yaml │ │ ├── resources │ │ │ ├── gateway-injection-template.yaml │ │ │ ├── gen-istio.yaml │ │ │ ├── grpc-agent.yaml │ │ │ ├── grpc-simple.yaml │ │ │ └── injection-template.yaml │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── autoscale.yaml │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── configmap-jwks.yaml │ │ │ ├── configmap.yaml │ │ │ ├── deployment.yaml │ │ │ ├── istiod-injector-configmap.yaml │ │ │ ├── mutatingwebhook.yaml │ │ │ ├── poddisruptionbudget.yaml │ │ │ ├── reader-clusterrole.yaml │ │ │ ├── reader-clusterrolebinding.yaml │ │ │ ├── reader-serviceaccount.yaml │ │ │ ├── revision-tags.yaml │ │ │ ├── role.yaml │ │ │ ├── rolebinding.yaml │ │ │ ├── service.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── telemetryv2_1.16.yaml │ │ │ ├── 
telemetryv2_1.17.yaml │ │ │ └── validatingwebhookconfiguration.yaml │ │ ├── values.yaml │ │ └── values.yaml.tpl │ │ ├── istio-meshexpansion │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── istio-cross-network-gw.yaml │ │ │ ├── istio-meshexpansion-mgw.yaml │ │ │ ├── istiod-expansion-gw.yaml │ │ │ └── istiod-expansion-vs.yaml │ │ ├── values.yaml │ │ └── values.yaml.tpl │ │ ├── istio-meshgateway │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── autoscale.yaml │ │ │ ├── deployment.yaml │ │ │ ├── poddisruptionbudget.yaml │ │ │ ├── role.yaml │ │ │ ├── rolebindings.yaml │ │ │ ├── service-ext.yaml │ │ │ ├── service.yaml │ │ │ └── serviceaccount.yaml │ │ ├── values.yaml │ │ └── values.yaml.tpl │ │ ├── istio-sidecar-injector │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── autoscale.yaml │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── deployment.yaml │ │ │ ├── poddisruptionbudget.yaml │ │ │ ├── service.yaml │ │ │ └── serviceaccount.yaml │ │ ├── values.yaml │ │ └── values.yaml.tpl │ │ └── resource-sync-rule │ │ ├── Chart.yaml │ │ ├── templates │ │ ├── _helpers.tpl │ │ ├── istio-ca-root-cert-cluster-feature.yaml │ │ ├── istio-ca-root-cert-controller-clusterrole.yaml │ │ ├── istio-ca-root-cert-reader-clusterrole.yaml │ │ ├── istio-ca-root-cert-resource-sync-rule.yaml │ │ ├── istio-custom-resources-cluster-feature.yaml │ │ ├── istio-custom-resources-controller-clusterrole.yaml │ │ ├── istio-custom-resources-reader-clusterrole.yaml │ │ ├── istio-custom-resources-sync-rule.yaml │ │ ├── istio-multi-cluster-secret-cluster-feature.yaml │ │ ├── istio-multi-cluster-secret-resource-sync-rule.yaml │ │ ├── mesh-cluster-feature.yaml │ │ ├── mesh-controller-clusterrole.yaml │ │ ├── mesh-reader-clusterrole.yaml │ │ ├── mesh-resource-sync-rule.yaml │ │ ├── peer-istio-control-plane-cluster-feature.yaml │ │ ├── peer-istio-control-plane-controller-clusterrole.yaml │ │ ├── 
peer-istio-control-plane-reader-clusterrole.yaml │ │ └── peer-istio-control-plane-resource-sync-rule.yaml │ │ ├── values.yaml │ │ └── values.yaml.tpl ├── components │ ├── base │ │ ├── base_test.go │ │ ├── reconcile.go │ │ └── testdata │ │ │ ├── icp-expected-resource-dump.yaml │ │ │ ├── icp-expected-values.yaml │ │ │ └── icp-test-cr.yaml │ ├── cni │ │ ├── cni_test.go │ │ ├── reconcile.go │ │ └── testdata │ │ │ ├── icp-expected-resource-dump.yaml │ │ │ ├── icp-expected-values.yaml │ │ │ └── icp-test-cr.yaml │ ├── components.go │ ├── discovery │ │ ├── discovery_test.go │ │ ├── reconcile.go │ │ └── testdata │ │ │ ├── icp-expected-resource-dump.yaml │ │ │ ├── icp-expected-values.yaml │ │ │ ├── icp-passive-expected-resource-dump.yaml │ │ │ ├── icp-passive-expected-values.yaml │ │ │ ├── icp-passive-test-cr.yaml │ │ │ └── icp-test-cr.yaml │ ├── istiomeshgateway │ │ ├── istiomeshgateway_test.go │ │ ├── reconcile.go │ │ └── testdata │ │ │ ├── icp-test-cr.yaml │ │ │ ├── imgw-expected-resource-dump.yaml │ │ │ ├── imgw-expected-values.yaml │ │ │ └── imgw-test-cr.yaml │ ├── meshexpansion │ │ ├── meshexpansion_test.go │ │ ├── reconcile.go │ │ └── testdata │ │ │ ├── icp-test-cr.yaml │ │ │ ├── mex-expected-resource-dump.yaml │ │ │ └── mex-expected-values.yaml │ ├── resourcesyncrule │ │ ├── reconcile.go │ │ ├── resourcesyncrule_test.go │ │ └── testdata │ │ │ ├── icp-active-test-cr.yaml │ │ │ ├── icp-passive-test-cr.yaml │ │ │ ├── rsr-expected-active-resource-dump.yaml │ │ │ ├── rsr-expected-active-values.yaml │ │ │ ├── rsr-expected-passive-resource-dump.yaml │ │ │ └── rsr-expected-passive-values.yaml │ └── sidecarinjector │ │ ├── reconcile.go │ │ ├── sidecarinjector_test.go │ │ └── testdata │ │ ├── icp-expected-resource-dump.yaml │ │ ├── icp-expected-values.yaml │ │ └── icp-test-cr.yaml ├── models │ └── cluster_registry.go └── util │ ├── openshift │ └── predicate.go │ ├── predicate.go │ ├── template.go │ ├── testdata │ ├── expected_values.yaml │ ├── test_istiocontrolplane.yaml │ └── 
test_values.yaml.tmpl │ ├── util.go │ └── util_test.go ├── main.go ├── pkg ├── k8sutil │ ├── cluster.go │ ├── cluster_secret.go │ ├── endpoints.go │ ├── istiod_endpoints.go │ ├── jwtpolicy.go │ ├── managedbylabels.go │ ├── metadata.go │ ├── ns.go │ ├── resourceversion.go │ └── services.go └── util │ ├── patch.go │ ├── util.go │ └── util_test.go └── scripts ├── download-deps.sh ├── increment_version.sh ├── install-buf.sh ├── install_envtest.sh ├── install_kustomize.sh ├── label-crds.sh ├── remove-istio-dependencies.sh └── update-istio-dependencies.sh /.circleci/config.yml: -------------------------------------------------------------------------------- 1 | version: 2.1 2 | orbs: 3 | helm: banzaicloud/helm@0.0.8 4 | docker: banzaicloud/docker@0.0.7 5 | 6 | executors: 7 | helm311: 8 | docker: 9 | - image: ghcr.io/banzaicloud/helm:0.0.7 10 | 11 | commands: 12 | publish-with-latests: 13 | steps: 14 | - docker/push: 15 | registry: ghcr.io 16 | image: banzaicloud/istio-operator 17 | tag: ${CIRCLE_TAG} 18 | - docker/version-check: 19 | version: ${CIRCLE_TAG} 20 | halt: true 21 | - run: 22 | name: Publish latest 23 | command: | 24 | minor="$(echo ${CIRCLE_TAG} | cut -d '.' -f2)" 25 | docker tag "ghcr.io/banzaicloud/istio-operator:${CIRCLE_TAG}" "ghcr.io/banzaicloud/istio-operator:latest-1.${minor}" 26 | docker push "ghcr.io/banzaicloud/istio-operator:latest-1.${minor}" 27 | 28 | latest="$(git tag | grep -E '^v?[0-9]+\.[0-9]+\.[0-9]+$' | cut -d '.' 
-f2 | sort -urn | head -n 1)" 29 | if [ "${latest}" -eq "${minor}" ]; then 30 | docker tag "ghcr.io/banzaicloud/istio-operator:${CIRCLE_TAG}" "ghcr.io/banzaicloud/istio-operator:latest" 31 | docker push "ghcr.io/banzaicloud/istio-operator:latest" 32 | fi 33 | 34 | workflows: 35 | version: 2 36 | ci: 37 | jobs: 38 | - docker/build: 39 | name: Build docker image 40 | executor: docker/machine-dlc 41 | image: banzaicloud/istio-operator 42 | tag: ${CIRCLE_BRANCH//\//-} 43 | filters: 44 | tags: 45 | ignore: /.*/ 46 | 47 | - docker/custom-publish: 48 | name: Publish tagged & latest docker image 49 | executor: docker/machine-dlc 50 | context: 51 | - github 52 | image: banzaicloud/istio-operator 53 | login: 54 | - docker/ghcr-login 55 | push: 56 | - publish-with-latests 57 | filters: 58 | tags: 59 | only: /^v?[0-9]+\.[0-9]+\.[0-9]+(?:-(?:dev|rc)\.[0-9]+)?$/ 60 | branches: 61 | ignore: /.*/ 62 | 63 | helm-chart: 64 | jobs: 65 | - helm/lint-chart: 66 | executor: helm311 67 | charts-dir: deploy/charts 68 | filters: 69 | tags: 70 | ignore: /.*/ 71 | 72 | - helm/publish-chart: 73 | context: helm 74 | executor: helm311 75 | charts-dir: deploy/charts 76 | filters: 77 | branches: 78 | ignore: /.*/ 79 | tags: 80 | only: /chart\/istio-operator\/\d+.\d+.\d+/ 81 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | charset = utf-8 5 | end_of_line = lf 6 | indent_size = 4 7 | indent_style = space 8 | insert_final_newline = true 9 | trim_trailing_whitespace = true 10 | 11 | [{*.go,*.mod}] 12 | indent_style = tab 13 | 14 | [{Makefile,*.mk}] 15 | indent_style = tab 16 | 17 | [{*.yaml,*.yml}] 18 | indent_size = 2 19 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: 
Bug report 3 | about: Create a report to help us improve the Istio operator 4 | 5 | --- 6 | 7 | **Describe the bug** 8 | A clear and concise description of what the bug is. 9 | 10 | **Steps to reproduce the issue:** 11 | Please describe the steps to reproduce the issue. 12 | 13 | **Expected behavior** 14 | A clear and concise description of what you expected to happen. 15 | 16 | **Screenshots** 17 | If applicable, add screenshots to help explain your problem. 18 | 19 | **Additional context** 20 | Add any other context about the problem, such as the release version, branch, etc. 21 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | 5 | --- 6 | 7 | **Is your feature request related to a problem? Please describe.** 8 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 9 | 10 | **Describe the solution you'd like to see** 11 | A clear and concise description of what you would like to happen. 12 | 13 | **Describe alternatives you've considered** 14 | A clear and concise description of any alternative solutions or features you've considered. 15 | 16 | **Additional context** 17 | Add any other context or screenshots about the feature request here. 18 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/support_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: ⛔ Support request 3 | --- 4 | 5 | We use GitHub issues to discuss Istio operator bugs and new features. 6 | For support requests please use the channels listed in [SUPPORT.md](https://github.com/banzaicloud/istio-operator/blob/release-1.11/.github/SUPPORT.md) 7 | 8 | Thanks! 
9 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | | Q | A 2 | | --------------- | --- 3 | | Bug fix? | no|yes 4 | | New feature? | no|yes 5 | | API breaks? | no|yes 6 | | Deprecations? | no|yes 7 | | Related tickets | fixes #X, partially #Y, mentioned in #Z 8 | | License | Apache 2.0 9 | 10 | 11 | ### What's in this PR? 12 | 13 | 14 | 15 | ### Why? 16 | 17 | 18 | 19 | ### Additional context 20 | 21 | 22 | 23 | ### Checklist 24 | 25 | 26 | - [ ] Implementation tested 27 | - [ ] Error handling code meets the [guideline](https://github.com/banzaicloud/pipeline/blob/master/docs/error-handling-guide.md) 28 | - [ ] Logging code meets the guideline 29 | - [ ] User guide and development docs updated (if needed) 30 | 31 | ### To Do 32 | 33 | - [ ] If the PR is not complete but you want to discuss the approach, list what remains to be done here 34 | -------------------------------------------------------------------------------- /.github/SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | If you are looking for support for the Istio operator , here are a few options: 4 | 5 | - [GitHub](https://github.com/banzaicloud/istio-operator/issues) 6 | - [Slack](https://slack.banzaicloud.io/) 7 | -------------------------------------------------------------------------------- /.github/mergeable.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | mergeable: 3 | - when: pull_request.* 4 | validate: 5 | - do: title 6 | must_exclude: 7 | regex: '^(\[wip\]|wip:)' 8 | message: 'WIP tag in PR title' 9 | - do: label 10 | must_exclude: 11 | regex: 'wip' 12 | message: 'WIP label on PR' 13 | - do: description 14 | and: 15 | - must_exclude: 16 | regex: '\[ \]' 17 | message: 'Remaining tasks in the description.' 
18 | - must_exclude: 19 | regex: 'no\|yes|fixes #X, partially #Y, mentioned in #Z' 20 | message: 'Please fill out the PR template.' 21 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | # Binaries for programs and plugins 3 | *.exe 4 | *.exe~ 5 | *.dll 6 | *.so 7 | *.dylib 8 | bin 9 | 10 | # Test binary, build with `go test -c` 11 | *.test 12 | 13 | # Output of the go coverage tool, specifically when used with LiteIDE 14 | *.out 15 | 16 | # Kubernetes Generated files - skip generated files, except for vendored files 17 | 18 | !vendor/**/zz_generated.* 19 | 20 | # editor and IDE paraphernalia 21 | *.swp 22 | *.swo 23 | *~ 24 | 25 | .idea/* 26 | !/.idea/go.imports.xml 27 | /.licensei.cache 28 | bin/* 29 | cover.out 30 | 31 | /build/* 32 | !/build/buf.* 33 | !/build/fixup_structs 34 | -------------------------------------------------------------------------------- /.golangci.yml: -------------------------------------------------------------------------------- 1 | run: 2 | skip-dirs: 3 | - .gen 4 | - build 5 | skip-files: 6 | - ".*zz_.*\\.go$" 7 | 8 | linters: 9 | enable-all: true 10 | disable: 11 | - lll 12 | - gochecknoinits 13 | - gochecknoglobals 14 | - funlen 15 | - godot 16 | - godox 17 | - wsl 18 | - dupl 19 | - wrapcheck 20 | - forbidigo 21 | - golint 22 | - exhaustive 23 | - varnamelen 24 | - ireturn 25 | - gci 26 | - forcetypeassert 27 | 28 | # - goconst 29 | # - gocritic 30 | # - gocognit 31 | # - gomnd 32 | # - nestif 33 | # - testpackage 34 | 35 | - mirror 36 | - revive 37 | - contextcheck 38 | - depguard 39 | - exhaustruct 40 | - nonamedreturns 41 | 42 | # special cases only 43 | - exhaustivestruct 44 | 45 | # deprecated 46 | - maligned 47 | - interfacer 48 | - scopelint 49 | - varcheck 50 | - structcheck 51 | - nosnakecase 52 | - deadcode 53 | - ifshort 54 | 55 | linters-settings: 56 | gomnd: 57 | settings: 58 | mnd: 59 | 
checks: [case,operation,return,assign] 60 | gocognit: 61 | min-complexity: 50 62 | cyclop: 63 | max-complexity: 40 64 | golint: 65 | min-confidence: 0.1 66 | gocyclo: 67 | min-complexity: 40 68 | goimports: 69 | local-prefixes: github.com/banzaicloud,github.com/cisco-open 70 | gocritic: 71 | disabled-checks: 72 | - ifElseChain 73 | maintidx: 74 | under: 10 # todo: set a valid value 75 | gomoddirectives: 76 | replace-local: true 77 | replace-allow-list: 78 | - github.com/golang/protobuf 79 | 80 | issues: 81 | # mainly because of the operator, but we are using helm chart names 82 | # as package names 83 | exclude: 84 | - underscore in package name 85 | - should not use underscores in package names 86 | 87 | exclude-rules: 88 | # zz_ files are messing up the receiver name 89 | - linters: 90 | - stylecheck 91 | text: "ST1016:" 92 | # fake client is still alive 93 | - linters: 94 | - staticcheck 95 | text: "SA1019:" 96 | -------------------------------------------------------------------------------- /.idea/go.imports.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 9 | 10 | -------------------------------------------------------------------------------- /.licensei.toml: -------------------------------------------------------------------------------- 1 | approved = ["mit", "apache-2.0", "bsd-3-clause", "bsd-2-clause", "mpl-2.0"] 2 | 3 | ignored = [ 4 | "github.com/ghodss/yaml", 5 | "github.com/gogo/protobuf", 6 | "google.golang.org/protobuf", 7 | "sigs.k8s.io/yaml", 8 | "gopkg.in/fsnotify.v1", 9 | 10 | "github.com/davecgh/go-spew", # ISC license 11 | "github.com/russross/blackfriday", # BSD-2 12 | "github.com/russross/blackfriday/v2", # BSD-2 13 | "github.com/xeipuuv/gojsonpointer", # Apache2 14 | "github.com/xeipuuv/gojsonreference", # Apache2 15 | "github.com/xeipuuv/gojsonschema", # Apache2 16 | "github.com/russross/blackfriday", # Simplifed BSD 17 | "gomodules.xyz/jsonpatch/v2", # Apache2 18 | 19 | # Unsupported 
VCS 20 | "cloud.google.com/go", 21 | "google.golang.org/api", 22 | ] 23 | 24 | [header] 25 | ignorePaths = ["build", "vendor"] 26 | 27 | ignoreFiles = [ 28 | "*.pb.go", 29 | "*.gen.go", 30 | "*.gogen.go", 31 | "generated.go", 32 | "zz_generated.deepcopy.go", 33 | "*_test.go", 34 | ] 35 | 36 | template = """/* 37 | Copyright :YEAR: Cisco Systems, Inc. and/or its affiliates. 38 | 39 | Licensed under the Apache License, Version 2.0 (the "License"); 40 | you may not use this file except in compliance with the License. 41 | You may obtain a copy of the License at 42 | 43 | http://www.apache.org/licenses/LICENSE-2.0 44 | 45 | Unless required by applicable law or agreed to in writing, software 46 | distributed under the License is distributed on an "AS IS" BASIS, 47 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 48 | See the License for the specific language governing permissions and 49 | limitations under the License. 50 | */ 51 | """ 52 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Each line is a file pattern followed by one or more owners. 2 | # https://help.github.com/articles/about-codeowners/ 3 | 4 | # These owners will be the default owners for everything in 5 | # the repo. Unless a later match takes precedence. 6 | * @martonsereg @waynz0r @Laci21 7 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ### Issues 2 | 3 | Please format your issues in such a way as to help others who might be facing similar challenges. 4 | Give your issues meaningful titles, that offer context and helps us and the community to understand and quickly ramp up on it. 5 | 6 | We are grateful for any issues submitted. Questions, feature requests or ideas are welcomed. 
7 | 8 | ### Pull Requests 9 | 10 | Try to keep pull requests tidy, and be prepared for feedback. Everyone is welcome to contribute to Istio-operator. 11 | 12 | #### Formatting Go Code 13 | 14 | To get your pull request merged, Golang files must be formatted using the `go fmt` tool. 15 | 16 | #### Linting 17 | 18 | Go code must pass the `golangci-lint` checks configured in `.golangci.yml` (the legacy [`golint`](https://github.com/golang/lint) linter is disabled there). 19 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | ARG GID=1000 2 | ARG UID=1000 3 | 4 | # Build the manager binary 5 | FROM golang:1.21 as builder 6 | ARG GID 7 | ARG UID 8 | 9 | # Create the unprivileged user and group the runtime image runs as (see USER below) 10 | RUN groupadd -g ${GID} appgroup && \ 11 | useradd -u ${UID} --gid appgroup appuser 12 | 13 | WORKDIR /workspace 14 | # Copy the Go Modules manifests 15 | COPY go.mod go.mod 16 | COPY go.sum go.sum 17 | # Copy the API Go Modules manifests 18 | COPY api/go.mod api/go.mod 19 | COPY api/go.sum api/go.sum 20 | # Copy the deploy/charts Go Modules manifests 21 | COPY deploy/charts/go.mod deploy/charts/go.mod 22 | # cache deps before building and copying source so that we don't need to re-download as much 23 | # and so that source changes don't invalidate our downloaded layer 24 | RUN go mod download 25 | 26 | # Copy the go source 27 | COPY main.go main.go 28 | COPY api/ api/ 29 | COPY controllers/ controllers/ 30 | COPY deploy/ deploy/ 31 | COPY internal/ internal/ 32 | COPY pkg/ pkg/ 33 | COPY Makefile Makefile 34 | 35 | # Build 36 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 make build 37 | 38 | # Use distroless as minimal base image to package the manager binary 39 | # Refer to https://github.com/GoogleContainerTools/distroless for more details. NOTE(review): both FROM lines are pinned by tag only (golang:1.21, distroless/static:nonroot), not by digest, so the build is not reproducible against a fixed base image. The COPY of the builder's whole /etc/passwd and /etc/group below replaces the base image's account database with every account of the golang image; copying only the appuser/appgroup lines would keep the runtime image's account list to what USER needs. 40 | FROM gcr.io/distroless/static:nonroot 41 | ARG GID 42 | ARG UID 43 | 44 | WORKDIR / 45 | COPY --from=builder /workspace/bin/manager /manager 46 | 47 | COPY --from=builder /etc/passwd /etc/passwd 48 | COPY 
--from=builder /etc/group /etc/group 49 | USER ${UID}:${GID} 50 | 51 | ENTRYPOINT ["/manager"] 52 | -------------------------------------------------------------------------------- /PROJECT: -------------------------------------------------------------------------------- 1 | domain: cisco.com 2 | repo: github.com/banzaicloud/istio-operator 3 | resources: 4 | - group: servicemesh 5 | kind: IstioControlPlane 6 | version: v1alpha1 7 | - group: servicemesh 8 | kind: IstioMeshGateway 9 | version: v1alpha1 10 | - group: servicemesh 11 | kind: IstioMesh 12 | version: v1alpha1 13 | - group: servicemesh 14 | kind: PeerIstioControlPlane 15 | version: v1alpha1 16 | version: "2" 17 | -------------------------------------------------------------------------------- /api/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/banzaicloud/istio-operator/api/v2 2 | 3 | go 1.21 4 | 5 | require ( 6 | github.com/golang/protobuf v1.5.2 7 | google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03 8 | google.golang.org/protobuf v1.28.1 9 | istio.io/api v0.0.0-20221208070204-0528cb6ce63b 10 | k8s.io/api v0.26.1 11 | k8s.io/apimachinery v0.26.1 12 | sigs.k8s.io/controller-runtime v0.14.4 13 | ) 14 | 15 | require ( 16 | github.com/go-logr/logr v1.2.3 // indirect 17 | github.com/gogo/protobuf v1.3.2 // indirect 18 | github.com/google/gofuzz v1.1.0 // indirect 19 | github.com/json-iterator/go v1.1.12 // indirect 20 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 21 | github.com/modern-go/reflect2 v1.0.2 // indirect 22 | golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect 23 | golang.org/x/text v0.5.0 // indirect 24 | gopkg.in/inf.v0 v0.9.1 // indirect 25 | gopkg.in/yaml.v2 v2.4.0 // indirect 26 | k8s.io/klog/v2 v2.80.1 // indirect 27 | k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect 28 | sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect 29 | 
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect 30 | ) 31 | 32 | // needs a fork to support istio operator v2 api int64/uint64 marshalling to integers. NOTE(review): this replaces the protobuf JSON codec (jsonpb) used by the generated API marshallers with a personal fork (github.com/luciferinlove/protobuf) pinned to a 2022 pseudo-version; go.sum fixes its content, but upstream fixes to golang/protobuf will not reach this module unless the fork is rebased, so treat it as a tracked supply-chain dependency. 33 | replace github.com/golang/protobuf => github.com/luciferinlove/protobuf v0.0.0-20220913214010-c63936d75066 34 | -------------------------------------------------------------------------------- /api/options/options.pb.html: -------------------------------------------------------------------------------- 1 | --- 2 | title: istio_operator.v2.api.options 3 | layout: protoc-gen-docs 4 | generator: protoc-gen-docs 5 | number_of_entries: 0 6 | --- 7 | -------------------------------------------------------------------------------- /api/options/options.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | syntax = "proto3"; 16 | 17 | import "google/protobuf/descriptor.proto"; 18 | 19 | package istio_operator.v2.api.options; 20 | 21 | option go_package = "github.com/banzaicloud/istio-operator/api/v2/options"; 22 | 23 | // mark whether the field is IntOrString type 24 | // available values: 25 | // "true": single field 26 | // "map": map of fields 27 | extend google.protobuf.FieldOptions { 28 | optional string intorstring = 800815; 29 | } 30 | -------------------------------------------------------------------------------- /api/options/options_deepcopy.gen.go: -------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-deepcopy. DO NOT EDIT. 2 | package options 3 | -------------------------------------------------------------------------------- /api/options/options_json.gen.go: -------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-jsonshim. DO NOT EDIT. 2 | package options 3 | 4 | import ( 5 | jsonpb "github.com/golang/protobuf/jsonpb" 6 | ) 7 | 8 | var ( 9 | OptionsMarshaler = &jsonpb.Marshaler{Int64Uint64asIntegers: true} 10 | OptionsUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} 11 | ) 12 | -------------------------------------------------------------------------------- /api/v1alpha1/common.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
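See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
	"errors"
	"strconv"

	"github.com/golang/protobuf/jsonpb"
	resource "k8s.io/apimachinery/pkg/api/resource"
	"k8s.io/apimachinery/pkg/util/intstr"
)

// errEmptyJSONValue is returned by the UnmarshalJSONPB hooks below when they
// are handed zero bytes; the embedded Kubernetes unmarshalers are never given
// an empty slice.
var errEmptyJSONValue = errors.New("cannot unmarshal empty JSON value")

// quoteIfBareString prepares a raw JSON scalar for the embedded Kubernetes
// unmarshalers, which accept either a JSON number or a JSON string.
//
// A value that strconv.Atoi accepts is an integer and is returned untouched, as
// is anything that already starts with a double quote or is empty. Any other
// token (e.g. 1.5, 500m, 1e3) is wrapped in double quotes so it is parsed as a
// string. The wrapped result is a fresh slice; the caller's buffer is never
// written to.
//
// NOTE(review): a bare JSON `null` is not an integer and so gets quoted to
// "null" here. Whether the embedded unmarshalers would have accepted an
// unquoted null (and whether jsonpb ever delivers one to these hooks) cannot
// be confirmed from this file — verify before relying on null handling.
func quoteIfBareString(value []byte) []byte {
	if len(value) == 0 || value[0] == '"' {
		return value
	}
	if _, err := strconv.Atoi(string(value)); err == nil {
		return value
	}
	quoted := make([]byte, 0, len(value)+2)
	quoted = append(quoted, '"')
	quoted = append(quoted, value...)
	return append(quoted, '"')
}

// Quantity wraps resource.Quantity so that it can be marshalled and
// unmarshalled by jsonpb, the JSON codec used for the protobuf-based API types.
//
// The struct tag is kept byte-for-byte: it may be relied on by generators or
// consumers outside this file, so renaming it would be a schema change.
type Quantity struct {
	resource.Quantity `json:"quantity,omitempty"`
}

// MarshalJSONPB implements the jsonpb.JSONPBMarshaler interface by delegating
// to resource.Quantity's own JSON encoding.
func (q *Quantity) MarshalJSONPB(_ *jsonpb.Marshaler) ([]byte, error) {
	return q.Quantity.MarshalJSON()
}

// UnmarshalJSONPB implements the jsonpb.JSONPBUnmarshaler interface.
//
// Bare (unquoted) non-integer tokens such as 500m or 1.5 are quoted first so
// resource.Quantity parses them as strings. An empty value is rejected with
// errEmptyJSONValue instead of being forwarded to the embedded unmarshaler.
func (q *Quantity) UnmarshalJSONPB(_ *jsonpb.Unmarshaler, value []byte) error {
	if len(value) == 0 {
		return errEmptyJSONValue
	}

	return q.Quantity.UnmarshalJSON(quoteIfBareString(value))
}

// IntOrString wraps intstr.IntOrString so that it can be marshalled and
// unmarshalled by jsonpb.
//
// The struct tag (including its spelling) is kept byte-for-byte for the same
// reason as on Quantity.
type IntOrString struct {
	intstr.IntOrString `json:"intorsting,omitempty"`
}

// MarshalJSONPB implements the jsonpb.JSONPBMarshaler interface by delegating
// to intstr.IntOrString's own JSON encoding.
func (intstrpb *IntOrString) MarshalJSONPB(_ *jsonpb.Marshaler) ([]byte, error) {
	return intstrpb.IntOrString.MarshalJSON()
}

// UnmarshalJSONPB implements the jsonpb.JSONPBUnmarshaler interface.
//
// Bare (unquoted) non-integer tokens are quoted first so intstr.IntOrString
// stores them as strings. An empty value is rejected with errEmptyJSONValue
// rather than forwarded to the embedded unmarshaler (which, in the
// apimachinery releases I am aware of, indexes value[0] without a length
// check — verify against the pinned version).
func (intstrpb *IntOrString) UnmarshalJSONPB(_ *jsonpb.Unmarshaler, value []byte) error {
	if len(value) == 0 {
		return errEmptyJSONValue
	}

	return intstrpb.IntOrString.UnmarshalJSON(quoteIfBareString(value))
}

// FromInt creates an IntOrString holding the given int value.
func FromInt(val int) IntOrString {
	return IntOrString{intstr.FromInt(val)}
}

// FromString creates an IntOrString holding the given string value.
func FromString(val string) IntOrString {
	return IntOrString{intstr.FromString(val)}
}
--------------------------------------------------------------------------------
/api/v1alpha1/groupversion_info.go:
--------------------------------------------------------------------------------
/*
Copyright 2021 Cisco Systems, Inc. and/or its affiliates.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.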
15 | */ 16 | 17 | // Package v1alpha1 contains API Schema definitions for the servicemesh v1alpha1 API group 18 | // +kubebuilder:object:generate=true 19 | // +groupName=servicemesh.cisco.com 20 | package v1alpha1 21 | 22 | import ( 23 | "k8s.io/apimachinery/pkg/runtime/schema" 24 | "sigs.k8s.io/controller-runtime/pkg/scheme" 25 | ) 26 | 27 | var ( 28 | // GroupVersion is group version used to register these objects 29 | GroupVersion = schema.GroupVersion{Group: "servicemesh.cisco.com", Version: "v1alpha1"} 30 | 31 | // SchemeBuilder is used to add go types to the GroupVersionKind scheme 32 | SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 33 | 34 | // AddToScheme adds the types in this group-version to the given scheme. 35 | AddToScheme = SchemeBuilder.AddToScheme 36 | ) 37 | -------------------------------------------------------------------------------- /api/v1alpha1/istiomesh.pb.html: -------------------------------------------------------------------------------- 1 | --- 2 | title: Istio Mesh Spec 3 | description: Istio Mesh descriptor 4 | layout: protoc-gen-docs 5 | generator: protoc-gen-docs 6 | schema: istio-operator.api.v1alpha1.IstioMeshSpec 7 | number_of_entries: 3 8 | --- 9 |

IstioMeshSpec

10 |
11 |

Mesh defines an Istio service mesh

12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 28 | 31 | 32 | 33 |
FieldTypeDescriptionRequired
configMeshConfig 27 | 29 | No 30 |
34 |
35 |

IstioMeshStatus

36 |
37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 55 | 58 | 59 | 60 | 61 | 62 | 66 | 69 | 70 | 71 |
FieldTypeDescriptionRequired
statusConfigState 52 |

Reconciliation status of the Istio mesh

53 | 54 |
56 | No 57 |
errorMessagestring 63 |

Reconciliation error message if any

64 | 65 |
67 | No 68 |
72 |
73 |

ConfigState

74 |
75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 87 | 88 | 89 | 90 | 92 | 93 | 94 | 95 | 97 | 98 | 99 | 100 | 102 | 103 | 104 | 105 | 107 | 108 | 109 | 110 | 112 | 113 | 114 |
NameDescription
Unspecified 86 |
Created 91 |
ReconcileFailed 96 |
Reconciling 101 |
Available 106 |
Unmanaged 111 |
115 |
116 | -------------------------------------------------------------------------------- /api/v1alpha1/istiomesh.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | 17 | import "google/protobuf/wrappers.proto"; 18 | import "api/v1alpha1/common.proto"; 19 | import "mesh/v1alpha1/config.proto"; 20 | import "google/api/field_behavior.proto"; 21 | import "k8s.io/api/core/v1/generated.proto"; 22 | 23 | // $schema: istio-operator.api.v1alpha1.IstioMeshSpec 24 | // $title: Istio Mesh Spec 25 | // $description: Istio Mesh descriptor 26 | 27 | package istio_operator.v2.api.v1alpha1; 28 | 29 | option go_package = "github.com/banzaicloud/istio-operator/v2/api/v1alpha1"; 30 | 31 | // Mesh defines an Istio service mesh 32 | // 33 | // 44 | // 45 | // 49 | message IstioMeshSpec { 50 | istio.mesh.v1alpha1.MeshConfig config = 1; 51 | } 52 | 53 | // 57 | message IstioMeshStatus { 58 | // Reconciliation status of the Istio mesh 59 | ConfigState status = 1; 60 | 61 | // Reconciliation error message if any 62 | string errorMessage = 2; 63 | } 64 | -------------------------------------------------------------------------------- /api/v1alpha1/istiomesh_deepcopy.gen.go: -------------------------------------------------------------------------------- 1 | // Code 
generated by protoc-gen-deepcopy. DO NOT EDIT. 2 | package v1alpha1 3 | 4 | import ( 5 | proto "github.com/golang/protobuf/proto" 6 | ) 7 | 8 | // DeepCopyInto supports using IstioMeshSpec within kubernetes types, where deepcopy-gen is used. 9 | func (in *IstioMeshSpec) DeepCopyInto(out *IstioMeshSpec) { 10 | p := proto.Clone(in).(*IstioMeshSpec) 11 | *out = *p 12 | } 13 | 14 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshSpec. Required by controller-gen. 15 | func (in *IstioMeshSpec) DeepCopy() *IstioMeshSpec { 16 | if in == nil { 17 | return nil 18 | } 19 | out := new(IstioMeshSpec) 20 | in.DeepCopyInto(out) 21 | return out 22 | } 23 | 24 | // DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshSpec. Required by controller-gen. 25 | func (in *IstioMeshSpec) DeepCopyInterface() interface{} { 26 | return in.DeepCopy() 27 | } 28 | 29 | // DeepCopyInto supports using IstioMeshStatus within kubernetes types, where deepcopy-gen is used. 30 | func (in *IstioMeshStatus) DeepCopyInto(out *IstioMeshStatus) { 31 | p := proto.Clone(in).(*IstioMeshStatus) 32 | *out = *p 33 | } 34 | 35 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshStatus. Required by controller-gen. 36 | func (in *IstioMeshStatus) DeepCopy() *IstioMeshStatus { 37 | if in == nil { 38 | return nil 39 | } 40 | out := new(IstioMeshStatus) 41 | in.DeepCopyInto(out) 42 | return out 43 | } 44 | 45 | // DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshStatus. Required by controller-gen. 
46 | func (in *IstioMeshStatus) DeepCopyInterface() interface{} { 47 | return in.DeepCopy() 48 | } 49 | -------------------------------------------------------------------------------- /api/v1alpha1/istiomesh_json.gen.go: -------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-jsonshim. DO NOT EDIT. 2 | package v1alpha1 3 | 4 | import ( 5 | bytes "bytes" 6 | jsonpb "github.com/golang/protobuf/jsonpb" 7 | ) 8 | 9 | // MarshalJSON is a custom marshaler for IstioMeshSpec 10 | func (this *IstioMeshSpec) MarshalJSON() ([]byte, error) { 11 | str, err := IstiomeshMarshaler.MarshalToString(this) 12 | return []byte(str), err 13 | } 14 | 15 | // UnmarshalJSON is a custom unmarshaler for IstioMeshSpec 16 | func (this *IstioMeshSpec) UnmarshalJSON(b []byte) error { 17 | return IstiomeshUnmarshaler.Unmarshal(bytes.NewReader(b), this) 18 | } 19 | 20 | // MarshalJSON is a custom marshaler for IstioMeshStatus 21 | func (this *IstioMeshStatus) MarshalJSON() ([]byte, error) { 22 | str, err := IstiomeshMarshaler.MarshalToString(this) 23 | return []byte(str), err 24 | } 25 | 26 | // UnmarshalJSON is a custom unmarshaler for IstioMeshStatus 27 | func (this *IstioMeshStatus) UnmarshalJSON(b []byte) error { 28 | return IstiomeshUnmarshaler.Unmarshal(bytes.NewReader(b), this) 29 | } 30 | 31 | var ( 32 | IstiomeshMarshaler = &jsonpb.Marshaler{Int64Uint64asIntegers: true} 33 | IstiomeshUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} 34 | ) 35 | -------------------------------------------------------------------------------- /api/v1alpha1/istiomesh_types.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
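You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +kubebuilder:object:root=true

// IstioMesh is the Schema for the mesh API.
//
// NOTE(review): no +kubebuilder:subresource:status marker is visible on this
// type. If the generated CRD therefore has no status subresource, status
// writes go through the main resource and cannot be granted separately in
// RBAC (e.g. update on istiomeshes/status only) — confirm against the
// generated CRD in config/crd/bases.
type IstioMesh struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	Spec   *IstioMeshSpec   `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
	Status *IstioMeshStatus `json:"status,omitempty"`
}

// SetStatus records the reconciliation state and its error message (empty
// when there is none), allocating the Status block on first use.
func (m *IstioMesh) SetStatus(status ConfigState, errorMessage string) {
	// GetStatus lazily allocates m.Status; one call is enough for both
	// assignments.
	s := m.GetStatus()
	s.Status = status
	s.ErrorMessage = errorMessage
}

// GetStatus returns the status block, allocating an empty IstioMeshStatus on
// the receiver when it is nil. Note that this getter mutates m.
func (m *IstioMesh) GetStatus() *IstioMeshStatus {
	if m.Status == nil {
		m.Status = &IstioMeshStatus{}
	}

	return m.Status
}

// GetSpec returns the spec pointer as stored; it may be nil. Unlike
// GetStatus it never allocates.
func (m *IstioMesh) GetSpec() *IstioMeshSpec {
	// Returning the field directly is equivalent to the previous
	// "return it if non-nil, otherwise return nil" branching.
	return m.Spec
}

// +kubebuilder:object:root=true

// IstioMeshList contains a list of IstioMesh
type IstioMeshList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items           []IstioMesh `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// init registers both root types with the package SchemeBuilder so that
// AddToScheme (groupversion_info.go) installs them into a runtime scheme.
func init() {
	SchemeBuilder.Register(&IstioMesh{}, &IstioMeshList{})
}
--------------------------------------------------------------------------------
/api/v1alpha1/istiomeshgateway_deepcopy.gen.go: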
-------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-deepcopy. DO NOT EDIT. 2 | package v1alpha1 3 | 4 | import ( 5 | proto "github.com/golang/protobuf/proto" 6 | ) 7 | 8 | // DeepCopyInto supports using IstioMeshGatewaySpec within kubernetes types, where deepcopy-gen is used. 9 | func (in *IstioMeshGatewaySpec) DeepCopyInto(out *IstioMeshGatewaySpec) { 10 | p := proto.Clone(in).(*IstioMeshGatewaySpec) 11 | *out = *p 12 | } 13 | 14 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGatewaySpec. Required by controller-gen. 15 | func (in *IstioMeshGatewaySpec) DeepCopy() *IstioMeshGatewaySpec { 16 | if in == nil { 17 | return nil 18 | } 19 | out := new(IstioMeshGatewaySpec) 20 | in.DeepCopyInto(out) 21 | return out 22 | } 23 | 24 | // DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGatewaySpec. Required by controller-gen. 25 | func (in *IstioMeshGatewaySpec) DeepCopyInterface() interface{} { 26 | return in.DeepCopy() 27 | } 28 | 29 | // DeepCopyInto supports using Properties within kubernetes types, where deepcopy-gen is used. 30 | func (in *Properties) DeepCopyInto(out *Properties) { 31 | p := proto.Clone(in).(*Properties) 32 | *out = *p 33 | } 34 | 35 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Properties. Required by controller-gen. 36 | func (in *Properties) DeepCopy() *Properties { 37 | if in == nil { 38 | return nil 39 | } 40 | out := new(Properties) 41 | in.DeepCopyInto(out) 42 | return out 43 | } 44 | 45 | // DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Properties. Required by controller-gen. 46 | func (in *Properties) DeepCopyInterface() interface{} { 47 | return in.DeepCopy() 48 | } 49 | 50 | // DeepCopyInto supports using IstioMeshGatewayStatus within kubernetes types, where deepcopy-gen is used. 
51 | func (in *IstioMeshGatewayStatus) DeepCopyInto(out *IstioMeshGatewayStatus) { 52 | p := proto.Clone(in).(*IstioMeshGatewayStatus) 53 | *out = *p 54 | } 55 | 56 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGatewayStatus. Required by controller-gen. 57 | func (in *IstioMeshGatewayStatus) DeepCopy() *IstioMeshGatewayStatus { 58 | if in == nil { 59 | return nil 60 | } 61 | out := new(IstioMeshGatewayStatus) 62 | in.DeepCopyInto(out) 63 | return out 64 | } 65 | 66 | // DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGatewayStatus. Required by controller-gen. 67 | func (in *IstioMeshGatewayStatus) DeepCopyInterface() interface{} { 68 | return in.DeepCopy() 69 | } 70 | -------------------------------------------------------------------------------- /api/v1alpha1/istiomeshgateway_json.gen.go: -------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-jsonshim. DO NOT EDIT. 
2 | package v1alpha1 3 | 4 | import ( 5 | bytes "bytes" 6 | jsonpb "github.com/golang/protobuf/jsonpb" 7 | ) 8 | 9 | // MarshalJSON is a custom marshaler for IstioMeshGatewaySpec 10 | func (this *IstioMeshGatewaySpec) MarshalJSON() ([]byte, error) { 11 | str, err := IstiomeshgatewayMarshaler.MarshalToString(this) 12 | return []byte(str), err 13 | } 14 | 15 | // UnmarshalJSON is a custom unmarshaler for IstioMeshGatewaySpec 16 | func (this *IstioMeshGatewaySpec) UnmarshalJSON(b []byte) error { 17 | return IstiomeshgatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this) 18 | } 19 | 20 | // MarshalJSON is a custom marshaler for Properties 21 | func (this *Properties) MarshalJSON() ([]byte, error) { 22 | str, err := IstiomeshgatewayMarshaler.MarshalToString(this) 23 | return []byte(str), err 24 | } 25 | 26 | // UnmarshalJSON is a custom unmarshaler for Properties 27 | func (this *Properties) UnmarshalJSON(b []byte) error { 28 | return IstiomeshgatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this) 29 | } 30 | 31 | // MarshalJSON is a custom marshaler for IstioMeshGatewayStatus 32 | func (this *IstioMeshGatewayStatus) MarshalJSON() ([]byte, error) { 33 | str, err := IstiomeshgatewayMarshaler.MarshalToString(this) 34 | return []byte(str), err 35 | } 36 | 37 | // UnmarshalJSON is a custom unmarshaler for IstioMeshGatewayStatus 38 | func (this *IstioMeshGatewayStatus) UnmarshalJSON(b []byte) error { 39 | return IstiomeshgatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this) 40 | } 41 | 42 | var ( 43 | IstiomeshgatewayMarshaler = &jsonpb.Marshaler{Int64Uint64asIntegers: true} 44 | IstiomeshgatewayUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} 45 | ) 46 | -------------------------------------------------------------------------------- /build/buf.gen.yaml: -------------------------------------------------------------------------------- 1 | # buf.gen.yaml sets up the generation configuration for all of our plugins. 
2 | # Note: buf does not allow multi roots that are within each other; as a result, the common-protos folders are 3 | # symlinked into the top level directory. 4 | version: v1 5 | plugins: 6 | - name: go 7 | out: . 8 | opt: paths=source_relative 9 | - name: go-grpc 10 | out: . 11 | opt: paths=source_relative 12 | - name: golang-deepcopy 13 | out: . 14 | opt: paths=source_relative 15 | - name: golang-jsonshim 16 | out: . 17 | opt: paths=source_relative 18 | - name: docs 19 | out: . 20 | opt: warnings=false,dictionary=./dictionaries/en-US,custom_word_list=./dictionaries/custom.txt,per_file=true,mode=html_fragment_with_front_matter 21 | -------------------------------------------------------------------------------- /build/buf.yaml: -------------------------------------------------------------------------------- 1 | version: v1 2 | lint: 3 | use: 4 | - BASIC 5 | except: 6 | - FIELD_LOWER_SNAKE_CASE 7 | - PACKAGE_DIRECTORY_MATCH 8 | allow_comment_ignores: true 9 | -------------------------------------------------------------------------------- /cmd/docs.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2022 Cisco Systems, Inc. and/or its affiliates. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "fmt" 21 | "path/filepath" 22 | 23 | "emperror.dev/errors" 24 | "github.com/MakeNowJust/heredoc" 25 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 26 | 27 | "github.com/banzaicloud/operator-tools/pkg/docgen" 28 | ) 29 | 30 | var logger = zap.New(zap.UseDevMode(true)) 31 | 32 | func main() { 33 | crds() 34 | } 35 | 36 | func crds() { 37 | lister := docgen.NewSourceLister( 38 | map[string]docgen.SourceDir{ 39 | "v1alpha1": {Path: "api/v1alpha1", DestPath: "docs/crds/v1alpha1"}, 40 | }, 41 | logger.WithName("crdlister")) 42 | 43 | lister.IgnoredSources = []string{ 44 | ".*.deepcopy", 45 | ".*.json", 46 | ".*_test", 47 | ".*_info", 48 | } 49 | 50 | lister.DefaultValueFromTagExtractor = func(tag string) string { 51 | return docgen.GetPrefixedValue(tag, `plugin:\"default:(.*)\"`) 52 | } 53 | 54 | lister.Index = docgen.NewDoc(docgen.DocItem{ 55 | Name: "_index", 56 | DestPath: "docs/crds/v1alpha1", 57 | }, logger.WithName("crds")) 58 | 59 | lister.Header = heredoc.Doc(` 60 | --- 61 | title: Available CRDs 62 | generated_file: true 63 | --- 64 | 65 | The following CRDs are available. For details, click the name of the CRD. 
66 | 67 | | Name | Description | Version | 68 | |---|---|---|`, 69 | ) 70 | 71 | lister.Footer = heredoc.Doc(` 72 | `) 73 | 74 | lister.DocGeneratedHook = func(document *docgen.Doc) error { 75 | relPath, err := filepath.Rel(lister.Index.Item.DestPath, document.Item.DestPath) 76 | if err != nil { 77 | return errors.WrapIff(err, "failed to determine relpath for %s", document.Item.DestPath) 78 | } 79 | lister.Index.Append(fmt.Sprintf("| **[%s](%s/)** | %s | %s |", 80 | document.DisplayName, 81 | filepath.Join(relPath, document.Item.Name), 82 | document.Desc, 83 | document.Item.Category)) 84 | 85 | return nil 86 | } 87 | 88 | if err := lister.Generate(); err != nil { 89 | panic(err) 90 | } 91 | } 92 | -------------------------------------------------------------------------------- /config/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a self-signed issuer CR and a certificate CR. 2 | # More document can be found at https://docs.cert-manager.io 3 | # WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for 4 | # breaking changes 5 | apiVersion: cert-manager.io/v1alpha2 6 | kind: Issuer 7 | metadata: 8 | name: selfsigned-issuer 9 | namespace: system 10 | spec: 11 | selfSigned: {} 12 | --- 13 | apiVersion: cert-manager.io/v1alpha2 14 | kind: Certificate 15 | metadata: 16 | name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml 17 | namespace: system 18 | spec: 19 | # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize 20 | dnsNames: 21 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc 22 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local 23 | issuerRef: 24 | kind: Issuer 25 | name: selfsigned-issuer 26 | secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize 27 | 
-------------------------------------------------------------------------------- /config/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | configurations: 5 | - kustomizeconfig.yaml 6 | -------------------------------------------------------------------------------- /config/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration is for teaching kustomize how to update name ref and var substitution 2 | nameReference: 3 | - kind: Issuer 4 | group: cert-manager.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: cert-manager.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: cert-manager.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: cert-manager.io 16 | path: spec/dnsNames 17 | -------------------------------------------------------------------------------- /config/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # This kustomization.yaml is not intended to be run by itself, 2 | # since it depends on service name and namespace that are out of this kustomize package. 3 | # It should be run by config/default 4 | resources: 5 | - bases/istio-operator-crds.gen.yaml 6 | # +kubebuilder:scaffold:crdkustomizeresource 7 | 8 | patchesStrategicMerge: 9 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. 10 | # patches here are for enabling the conversion webhook for each CRD 11 | #- patches/webhook_in_istiocontrolplanes.yaml 12 | #- patches/webhook_in_istiomeshes.yaml 13 | #- patches/webhook_in_istiomeshgateways.yaml 14 | # +kubebuilder:scaffold:crdkustomizewebhookpatch 15 | 16 | # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. 
17 | # patches here are for enabling the CA injection for each CRD 18 | #- patches/cainjection_in_istiocontrolplanes.yaml 19 | #- patches/cainjection_in_istiomeshes.yaml 20 | #- patches/cainjection_in_istiomeshgateways.yaml 21 | # +kubebuilder:scaffold:crdkustomizecainjectionpatch 22 | 23 | # the following config is for teaching kustomize how to do kustomization for CRDs. 24 | configurations: 25 | - kustomizeconfig.yaml 26 | -------------------------------------------------------------------------------- /config/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | group: apiextensions.k8s.io 8 | path: spec/conversion/webhookClientConfig/service/name 9 | 10 | namespace: 11 | - kind: CustomResourceDefinition 12 | group: apiextensions.k8s.io 13 | path: spec/conversion/webhookClientConfig/service/namespace 14 | create: false 15 | 16 | varReference: 17 | - path: metadata/annotations 18 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_istiocontrolplanes.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: istiocontrolplanes.servicemesh.cisco.com 9 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_istiomeshes.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: istiomeshes.servicemesh.cisco.com 9 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_istiomeshgateways.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: istiomeshgateways.servicemesh.cisco.com 9 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_istiocontrolplanes.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: istiocontrolplanes.servicemesh.cisco.com 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_istiomeshes.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: istiomeshes.servicemesh.cisco.com 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_istiomeshgateways.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: istiomeshgateways.servicemesh.cisco.com 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Adds namespace to all resources. 2 | namespace: istio-system 3 | 4 | # Value of this field is prepended to the 5 | # names of all resources, e.g. a deployment named 6 | # "wordpress" becomes "alices-wordpress". 7 | # Note that it should also match with the prefix (text before '-') of the namespace 8 | # field above. 9 | namePrefix: istio-operator- 10 | 11 | # Labels to add to all resources and selectors. 12 | #commonLabels: 13 | # someName: someValue 14 | 15 | bases: 16 | - ../crd 17 | - ../rbac 18 | - ../manager 19 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in 20 | # crd/kustomization.yaml 21 | #- ../webhook 22 | # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. 23 | #- ../certmanager 24 | # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. 25 | #- ../prometheus 26 | 27 | patchesStrategicMerge: 28 | # Protect the /metrics endpoint by putting it behind auth. 29 | # If you want your controller-manager to expose the /metrics 30 | # endpoint w/o any authn/z, please comment the following line. 
31 | - manager_auth_proxy_patch.yaml 32 | 33 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in 34 | # crd/kustomization.yaml 35 | #- manager_webhook_patch.yaml 36 | 37 | # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 38 | # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 39 | # 'CERTMANAGER' needs to be enabled to use ca injection 40 | #- webhookcainjection_patch.yaml 41 | 42 | # the following config is for teaching kustomize how to do var substitution 43 | vars: 44 | # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. 45 | #- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR 46 | # objref: 47 | # kind: Certificate 48 | # group: cert-manager.io 49 | # version: v1alpha2 50 | # name: serving-cert # this name should match the one in certificate.yaml 51 | # fieldref: 52 | # fieldpath: metadata.namespace 53 | #- name: CERTIFICATE_NAME 54 | # objref: 55 | # kind: Certificate 56 | # group: cert-manager.io 57 | # version: v1alpha2 58 | # name: serving-cert # this name should match the one in certificate.yaml 59 | #- name: SERVICE_NAMESPACE # namespace of the service 60 | # objref: 61 | # kind: Service 62 | # version: v1 63 | # name: webhook-service 64 | # fieldref: 65 | # fieldpath: metadata.namespace 66 | #- name: SERVICE_NAME 67 | # objref: 68 | # kind: Service 69 | # version: v1 70 | # name: webhook-service 71 | -------------------------------------------------------------------------------- /config/default/manager_auth_proxy_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch inject a sidecar container which is a HTTP proxy for the 2 | # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  template:
    spec:
      containers:
      - name: kube-rbac-proxy
        # NOTE(review): pinned by tag only; a digest pin
        # (…/kube-rbac-proxy:v0.8.0@sha256:<digest>) would make the sidecar
        # image immutable across pulls. The gcr.io/kubebuilder registry has
        # also been announced as deprecated for this image — confirm the pull
        # source is still served before relying on it.
        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
        args:
        - "--secure-listen-address=0.0.0.0:8443"
        # The manager binds its metrics endpoint to loopback only (see
        # --metrics-addr below), so this proxy is the only path to /metrics
        # from outside the pod; it authorizes callers via SubjectAccessReview.
        - "--upstream=http://127.0.0.1:8080/"
        - "--logtostderr=true"
        # NOTE(review): --v=10 is a very high klog verbosity and is expected to
        # log per-request detail from the auth proxy. Confirm it is wanted
        # outside local debugging; a low level such as --v=0 is the usual
        # production value.
        - "--v=10"
        ports:
        - containerPort: 8443
          name: https
      - name: manager
        args:
        - "--metrics-addr=127.0.0.1:8080"
        - "--leader-election-enabled"
--------------------------------------------------------------------------------
/config/default/manager_webhook_patch.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  template:
    spec:
      containers:
      - name: manager
        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        volumeMounts:
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
      volumes:
      - name: cert
        secret:
          # 420 decimal is 0644 octal, i.e. the serving key is group/world
          # readable inside the pod. NOTE(review): 0400 (256 decimal) is
          # sufficient for a read-only mount consumed by a single process,
          # provided that process owns the files (e.g. via fsGroup) — consider
          # tightening.
          defaultMode: 420
          secretName: webhook-server-cert
--------------------------------------------------------------------------------
/config/default/webhookcainjection_patch.yaml:
--------------------------------------------------------------------------------
# This patch adds the CA-injection annotation to the admission webhook
# configurations; the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME)
# are substituted by kustomize.
3 | apiVersion: admissionregistration.k8s.io/v1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | name: mutating-webhook-configuration 7 | annotations: 8 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 9 | --- 10 | apiVersion: admissionregistration.k8s.io/v1 11 | kind: ValidatingWebhookConfiguration 12 | metadata: 13 | name: validating-webhook-configuration 14 | annotations: 15 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 16 | -------------------------------------------------------------------------------- /config/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | images: 6 | - name: controller 7 | newName: ghcr.io/banzaicloud/istio-operator 8 | -------------------------------------------------------------------------------- /config/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: system 7 | --- 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: controller-manager 12 | namespace: system 13 | labels: 14 | control-plane: controller-manager 15 | spec: 16 | selector: 17 | matchLabels: 18 | control-plane: controller-manager 19 | replicas: 1 20 | template: 21 | metadata: 22 | labels: 23 | control-plane: controller-manager 24 | spec: 25 | containers: 26 | - command: 27 | - /manager 28 | args: 29 | - --leader-election-enabled 30 | image: controller:latest 31 | name: manager 32 | resources: 33 | requests: 34 | cpu: 200m 35 | memory: 256Mi 36 | terminationGracePeriodSeconds: 60 37 | -------------------------------------------------------------------------------- /config/prometheus/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | resources: 2 | - monitor.yaml 3 | -------------------------------------------------------------------------------- /config/prometheus/monitor.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Prometheus Monitor Service (Metrics) 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | labels: 7 | control-plane: controller-manager 8 | name: controller-manager-metrics-monitor 9 | namespace: system 10 | spec: 11 | endpoints: 12 | - path: /metrics 13 | port: https 14 | selector: 15 | matchLabels: 16 | control-plane: controller-manager 17 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_client_clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: metrics-reader 5 | rules: 6 | - nonResourceURLs: ["/metrics"] 7 | verbs: ["get"] 8 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: proxy-role 5 | rules: 6 | - apiGroups: ["authentication.k8s.io"] 7 | resources: 8 | - tokenreviews 9 | verbs: ["create"] 10 | - apiGroups: ["authorization.k8s.io"] 11 | resources: 12 | - subjectaccessreviews 13 | verbs: ["create"] 14 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: proxy-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: 
ClusterRole 8 | name: proxy-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: controller-manager-metrics-service 7 | namespace: system 8 | spec: 9 | ports: 10 | - name: https 11 | port: 8443 12 | targetPort: https 13 | selector: 14 | control-plane: controller-manager 15 | -------------------------------------------------------------------------------- /config/rbac/istiocontrolplane_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit istiocontrolplanes. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: istiocontrolplane-editor-role 6 | rules: 7 | - apiGroups: 8 | - servicemesh.cisco.com 9 | resources: 10 | - istiocontrolplanes 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - servicemesh.cisco.com 21 | resources: 22 | - istiocontrolplanes/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/istiocontrolplane_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view istiocontrolplanes. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: istiocontrolplane-viewer-role 6 | rules: 7 | - apiGroups: 8 | - servicemesh.cisco.com 9 | resources: 10 | - istiocontrolplanes 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - servicemesh.cisco.com 17 | resources: 18 | - istiocontrolplanes/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/rbac/istiomesh_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit istiomeshes. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: istiomesh-editor-role 6 | rules: 7 | - apiGroups: 8 | - servicemesh.cisco.com 9 | resources: 10 | - istiomeshes 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - servicemesh.cisco.com 21 | resources: 22 | - istiomeshes/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/istiomesh_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view istiomeshes. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: istiomesh-viewer-role 6 | rules: 7 | - apiGroups: 8 | - servicemesh.cisco.com 9 | resources: 10 | - istiomeshes 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - servicemesh.cisco.com 17 | resources: 18 | - istiomeshes/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/rbac/istiomeshgateway_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit istiomeshgateways. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: istiomeshgateway-editor-role 6 | rules: 7 | - apiGroups: 8 | - servicemesh.cisco.com 9 | resources: 10 | - istiomeshgateways 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - servicemesh.cisco.com 21 | resources: 22 | - istiomeshgateways/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/istiomeshgateway_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view istiomeshgateways. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: istiomeshgateway-viewer-role 6 | rules: 7 | - apiGroups: 8 | - servicemesh.cisco.com 9 | resources: 10 | - istiomeshgateways 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - servicemesh.cisco.com 17 | resources: 18 | - istiomeshgateways/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - role_binding.yaml 4 | - leader_election_role.yaml 5 | - leader_election_role_binding.yaml 6 | # Comment the following 4 lines if you want to disable 7 | # the auth proxy (https://github.com/brancz/kube-rbac-proxy) 8 | # which protects your /metrics endpoint. 9 | - auth_proxy_service.yaml 10 | - auth_proxy_role.yaml 11 | - auth_proxy_role_binding.yaml 12 | - auth_proxy_client_clusterrole.yaml 13 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - events 31 | verbs: 32 | - create 33 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/samples/servicemesh_v1alpha1_istiomesh.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioMesh 3 | metadata: 4 | name: mesh1 5 | spec: 6 | config: 7 | connectTimeout: 9s 8 | -------------------------------------------------------------------------------- 
/config/samples/servicemesh_v1alpha1_istiomeshgateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioMeshGateway 3 | metadata: 4 | name: imgw-sample 5 | spec: 6 | deployment: 7 | metadata: 8 | labels: 9 | app: imgw-sample 10 | gateway-name: imgw-sample 11 | gateway-type: ingress 12 | istio: imgw-sample 13 | replicas: 14 | count: 1 15 | min: 1 16 | max: 1 17 | resources: 18 | limits: 19 | cpu: "2" 20 | memory: 1Gi 21 | requests: 22 | cpu: 100m 23 | memory: 128Mi 24 | securityContext: 25 | runAsGroup: 0 26 | runAsNonRoot: false 27 | runAsUser: 0 28 | istioControlPlane: 29 | name: icp-v117x-sample 30 | namespace: istio-system 31 | runAsRoot: true 32 | service: 33 | ports: 34 | - name: http 35 | port: 80 36 | protocol: TCP 37 | targetPort: 9080 38 | type: LoadBalancer 39 | type: ingress 40 | -------------------------------------------------------------------------------- /config/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /config/webhook/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # the following config is for teaching kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 
3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /config/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: webhook-service 6 | namespace: system 7 | spec: 8 | ports: 9 | - port: 443 10 | targetPort: 9443 11 | selector: 12 | control-plane: controller-manager 13 | -------------------------------------------------------------------------------- /controllers/common.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package controllers 18 | 19 | import ( 20 | "k8s.io/client-go/discovery" 21 | ctrl "sigs.k8s.io/controller-runtime" 22 | 23 | "github.com/banzaicloud/istio-operator/v2/internal/components" 24 | pkgUtil "github.com/banzaicloud/istio-operator/v2/pkg/util" 25 | "github.com/banzaicloud/k8s-objectmatcher/patch" 26 | "github.com/banzaicloud/operator-tools/pkg/helm/templatereconciler" 27 | "github.com/banzaicloud/operator-tools/pkg/logger" 28 | "github.com/banzaicloud/operator-tools/pkg/reconciler" 29 | ) 30 | 31 | func NewComponentReconciler(r components.Reconciler, newComponentFunc components.NewComponentReconcilerFunc, logger logger.Logger) (components.ComponentReconciler, error) { 32 | config, err := ctrl.GetConfig() 33 | if err != nil { 34 | return nil, err 35 | } 36 | 37 | var d discovery.DiscoveryInterface 38 | if d, err = discovery.NewDiscoveryClientForConfig(config); err != nil { 39 | return nil, err 40 | } 41 | 42 | return newComponentFunc( 43 | templatereconciler.NewHelmReconcilerWith( 44 | r.GetClient(), 45 | r.GetScheme(), 46 | logger.GetLogrLogger(), 47 | d, 48 | templatereconciler.WithNativeReconcilerOptions( 49 | reconciler.NativeReconcilerSetControllerRef(), 50 | ), 51 | templatereconciler.WithGenericReconcilerOptions( 52 | reconciler.WithEnableRecreateWorkload(), 53 | reconciler.WithRecreateErrorMessageIgnored(), 54 | reconciler.WithPatchMaker(pkgUtil.NewProtoCompatiblePatchMaker()), 55 | reconciler.WithPatchCalculateOptions(patch.IgnoreStatusFields(), reconciler.IgnoreManagedFields()), 56 | ), 57 | templatereconciler.ManageNamespace(false), 58 | ), 59 | ), nil 60 | } 61 | -------------------------------------------------------------------------------- /controllers/defaults.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package controllers 18 | 19 | import ( 20 | "context" 21 | 22 | "emperror.dev/errors" 23 | "k8s.io/client-go/rest" 24 | "sigs.k8s.io/controller-runtime/pkg/client" 25 | 26 | "github.com/banzaicloud/istio-operator/api/v2/v1alpha1" 27 | "github.com/banzaicloud/istio-operator/v2/pkg/k8sutil" 28 | "github.com/banzaicloud/operator-tools/pkg/logger" 29 | ) 30 | 31 | func setDynamicDefaults(ctx context.Context, kubeClient client.Client, icp *v1alpha1.IstioControlPlane, k8sConfig *rest.Config, logger logger.Logger, clusterRegistryAPIEnabled bool) error { 32 | if icp.Spec.JwtPolicy == v1alpha1.JWTPolicyType_JWTPolicyType_UNSPECIFIED { 33 | // try to detect supported jwt policy 34 | supportedJWTPolicy, err := k8sutil.DetectSupportedJWTPolicy(k8sConfig) 35 | if err != nil { 36 | logger.Error(err, "could not detect supported jwt policy") 37 | } else { 38 | icp.Spec.JwtPolicy = supportedJWTPolicy 39 | logger.V(1).Info("supported jwt policy", "policy", icp.Spec.JwtPolicy) 40 | } 41 | } 42 | 43 | if icp.Spec.ClusterID == "" { 44 | icp.Spec.ClusterID = "Kubernetes" 45 | if clusterRegistryAPIEnabled { 46 | cluster, err := k8sutil.GetLocalCluster(ctx, kubeClient) 47 | if err != nil { 48 | return errors.WithStackIf(err) 49 | } 50 | 51 | icp.Spec.ClusterID = cluster.GetName() 52 | } 53 | } 54 | 55 | return nil 56 | } 57 | -------------------------------------------------------------------------------- 
/controllers/suite_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package controllers_test 18 | 19 | import ( 20 | "path/filepath" 21 | "testing" 22 | 23 | . "github.com/onsi/ginkgo" 24 | . "github.com/onsi/gomega" 25 | "k8s.io/client-go/kubernetes/scheme" 26 | "k8s.io/client-go/rest" 27 | "sigs.k8s.io/controller-runtime/pkg/client" 28 | "sigs.k8s.io/controller-runtime/pkg/envtest" 29 | logf "sigs.k8s.io/controller-runtime/pkg/log" 30 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 31 | 32 | // +kubebuilder:scaffold:imports 33 | servicemeshv1alpha1 "github.com/banzaicloud/istio-operator/api/v2/v1alpha1" 34 | ) 35 | 36 | // These tests use Ginkgo (BDD-style Go testing framework). Refer to 37 | // http://onsi.github.io/ginkgo/ to learn more about Ginkgo. 
38 | 39 | var ( 40 | cfg *rest.Config 41 | k8sClient client.Client 42 | testEnv *envtest.Environment 43 | ) 44 | 45 | func TestAPIs(t *testing.T) { 46 | t.Parallel() 47 | RegisterFailHandler(Fail) 48 | 49 | RunSpecs(t, "Controller Suite") 50 | } 51 | 52 | var _ = BeforeSuite(func(done Done) { 53 | logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) 54 | 55 | By("bootstrapping test environment") 56 | testEnv = &envtest.Environment{ 57 | CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")}, 58 | } 59 | 60 | var err error 61 | cfg, err = testEnv.Start() 62 | Expect(err).ToNot(HaveOccurred()) 63 | Expect(cfg).ToNot(BeNil()) 64 | 65 | err = servicemeshv1alpha1.AddToScheme(scheme.Scheme) 66 | Expect(err).NotTo(HaveOccurred()) 67 | 68 | err = servicemeshv1alpha1.AddToScheme(scheme.Scheme) 69 | Expect(err).NotTo(HaveOccurred()) 70 | 71 | // +kubebuilder:scaffold:scheme 72 | 73 | k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) 74 | Expect(err).ToNot(HaveOccurred()) 75 | Expect(k8sClient).ToNot(BeNil()) 76 | 77 | close(done) 78 | }, 60) 79 | 80 | var _ = AfterSuite(func() { 81 | By("tearing down the test environment") 82 | err := testEnv.Stop() 83 | Expect(err).ToNot(HaveOccurred()) 84 | }) 85 | -------------------------------------------------------------------------------- /controllers/version.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package controllers 18 | 19 | import "regexp" 20 | 21 | const ( 22 | supportedIstioMinorVersionRegex = "^1\\.17(\\.[0-9]+)?(-.+)?$" 23 | ) 24 | 25 | func IsIstioVersionSupported(version string) bool { 26 | re := regexp.MustCompile(supportedIstioMinorVersionRegex) 27 | 28 | return re.Match([]byte(version)) 29 | } 30 | -------------------------------------------------------------------------------- /controllers/version_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2022 Cisco Systems, Inc. and/or its affiliates. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package controllers_test 18 | 19 | import ( 20 | . "github.com/onsi/ginkgo" 21 | . 
"github.com/onsi/gomega" 22 | 23 | "github.com/banzaicloud/istio-operator/v2/controllers" 24 | ) 25 | 26 | var _ = Describe("IsIstioVersionSupported()", func() { 27 | It("should deny unsupported versions", func() { 28 | for _, version := range []string{"2.15", "2.15.3", "2.15.3-dev", "1.15", "1.15.3", "1.15.3-dev"} { 29 | Expect(controllers.IsIstioVersionSupported(version)).To(BeFalse(), "invalid: "+version) 30 | } 31 | }) 32 | It("should accept all 1.17 versions", func() { 33 | Expect(controllers.IsIstioVersionSupported("1.17")).To(BeTrue()) 34 | }) 35 | It("should accept all 1.17 versions with qualifier", func() { 36 | Expect(controllers.IsIstioVersionSupported("1.17-dev")).To(BeTrue()) 37 | }) 38 | It("should accept micro versions", func() { 39 | Expect(controllers.IsIstioVersionSupported("1.17.8")).To(BeTrue()) 40 | }) 41 | It("should accept micro versions with qualifier", func() { 42 | Expect(controllers.IsIstioVersionSupported("1.17.8-dev")).To(BeTrue()) 43 | }) 44 | }) 45 | -------------------------------------------------------------------------------- /cue.yaml: -------------------------------------------------------------------------------- 1 | module: github.com/banzaicloud/istio-operator/v2 2 | 3 | openapi: 4 | selfContained: true 5 | fieldFilter: "min.*|max.*" 6 | 7 | directories: 8 | api/v1alpha1: 9 | - mode: perFile 10 | 11 | all: 12 | title: OpenAPI descriptor for Istio operator types 13 | oapiFilename: api/v1alpha1/istio-operator.gen.json 14 | 15 | crd: 16 | dir: config/crd/bases 17 | filename: istio-operator-crds 18 | maxDescriptionLength: 0 19 | -------------------------------------------------------------------------------- /deploy/charts/.editorconfig: -------------------------------------------------------------------------------- 1 | [*.yaml] 2 | indent_size = 2 3 | -------------------------------------------------------------------------------- /deploy/charts/charts.go: 
-------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package charts 18 | 19 | import ( 20 | "embed" 21 | ) 22 | 23 | var ( 24 | //go:embed istio-operator 25 | //go:embed istio-operator/templates/_helpers.tpl 26 | IstioOperatorChart embed.FS 27 | ) 28 | -------------------------------------------------------------------------------- /deploy/charts/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/banzaicloud/istio-operator/deploy/charts/v2 2 | 3 | go 1.21 4 | -------------------------------------------------------------------------------- /deploy/charts/istio-operator/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /deploy/charts/istio-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-operator 3 | description: istio-operator manages Istio deployments on Kubernetes 4 | keywords: 5 | - istio 6 | - operator 7 | sources: 8 | - https://github.com/banzaicloud/istio-operator/tree/v2 9 | icon: https://istio.io/latest/img/istio-whitelogo-bluebackground-framed.svg 10 | 11 | # Based on support status of Istio releases: https://istio.io/latest/docs/releases/supported-releases/#support-status-of-istio-releases 12 | kubeVersion: ">= 1.23.0-0 < 1.27.0-0" 13 | 14 | version: 2.1.6 15 | appVersion: "v2.17.4" 16 | -------------------------------------------------------------------------------- /deploy/charts/istio-operator/templates/authproxy-rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.enabled .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "istio-operator.authProxyName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "istio-operator.authProxyLabels" . | nindent 4 }} 9 | imagePullSecrets: 10 | {{ toYaml .Values.imagePullSecrets | indent 2 }} 11 | --- 12 | apiVersion: rbac.authorization.k8s.io/v1 13 | kind: ClusterRole 14 | metadata: 15 | name: {{ include "istio-operator.authProxyName" . }} 16 | labels: 17 | {{- include "istio-operator.authProxyLabels" . 
| nindent 4 }} 18 | rules: 19 | - apiGroups: ["authentication.k8s.io"] 20 | resources: 21 | - tokenreviews 22 | verbs: ["create"] 23 | - apiGroups: ["authorization.k8s.io"] 24 | resources: 25 | - subjectaccessreviews 26 | verbs: ["create"] 27 | --- 28 | apiVersion: rbac.authorization.k8s.io/v1 29 | kind: ClusterRoleBinding 30 | metadata: 31 | name: {{ include "istio-operator.authProxyName" . }} 32 | labels: 33 | {{- include "istio-operator.authProxyLabels" . | nindent 4 }} 34 | roleRef: 35 | apiGroup: rbac.authorization.k8s.io 36 | kind: ClusterRole 37 | name: {{ include "istio-operator.authProxyName" . }} 38 | subjects: 39 | - kind: ServiceAccount 40 | name: {{ include "istio-operator.authProxyName" . }} 41 | namespace: {{ .Release.Namespace }} 42 | --- 43 | apiVersion: rbac.authorization.k8s.io/v1 44 | kind: ClusterRole 45 | metadata: 46 | name: {{ include "istio-operator.authProxyName" . }}-metrics-reader 47 | labels: 48 | {{- include "istio-operator.authProxyLabels" . | nindent 4 }} 49 | rules: 50 | - nonResourceURLs: ["/metrics"] 51 | verbs: ["get"] 52 | {{- end }} 53 | -------------------------------------------------------------------------------- /deploy/charts/istio-operator/templates/authproxy-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "istio-operator.authProxyName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | annotations: 8 | prometheus.io/port: "8443" 9 | prometheus.io/scheme: https 10 | prometheus.io/scrape: "true" 11 | labels: 12 | {{- include "istio-operator.authProxyLabels" . | nindent 4 }} 13 | spec: 14 | ports: 15 | - name: https 16 | port: 8443 17 | protocol: TCP 18 | targetPort: https 19 | selector: 20 | {{- include "istio-operator.operatorSelectorLabels" . 
| nindent 4 }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /deploy/charts/istio-operator/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.useNamespaceResource }} 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | labels: 6 | {{- include "istio-operator.labels" . | nindent 4 }} 7 | name: {{ .Release.Namespace }} 8 | {{- end }} 9 | -------------------------------------------------------------------------------- /deploy/charts/istio-operator/templates/operator-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "istio-operator.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }} 7 | annotations: 8 | prometheus.io/scrape: "true" 9 | prometheus.io/port: "8080" 10 | prometheus.io/scheme: http 11 | {{- end }} 12 | labels: 13 | {{- include "istio-operator.operatorLabels" . | nindent 4 }} 14 | spec: 15 | selector: 16 | {{- include "istio-operator.operatorSelectorLabels" . 
| nindent 4 }} 17 | ports: 18 | - name: https 19 | protocol: TCP 20 | port: 443 21 | targetPort: 9443 22 | {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }} 23 | - name: metrics 24 | protocol: TCP 25 | port: 8080 26 | targetPort: 8080 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /deploy/charts/istio-operator/values.yaml: -------------------------------------------------------------------------------- 1 | image: 2 | repository: ghcr.io/banzaicloud/istio-operator 3 | tag: "v2.17.4" 4 | pullPolicy: IfNotPresent 5 | replicaCount: 1 6 | extraArgs: [] 7 | resources: 8 | requests: 9 | cpu: 200m 10 | memory: 256Mi 11 | podAnnotations: 12 | sidecar.istio.io/inject: "false" 13 | podSecurityContext: 14 | runAsNonRoot: true 15 | seccompProfile: 16 | type: RuntimeDefault 17 | securityContext: 18 | allowPrivilegeEscalation: false 19 | capabilities: 20 | drop: 21 | - ALL 22 | nodeSelector: {} 23 | tolerations: [] 24 | affinity: {} 25 | imagePullSecrets: [] 26 | 27 | # Set enabled to true if you want the operator to expose the /metrics endpoint. 28 | prometheusMetrics: 29 | enabled: true 30 | # Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy) 31 | # which protects the /metrics endpoint by only serving callers that present a Kubernetes identity it can authorize. When the auth proxy is disabled, the operator Service exposes /metrics unauthenticated over plain HTTP on port 8080 (see operator-service.yaml). 
32 | authProxy: 33 | enabled: true 34 | image: 35 | repository: gcr.io/kubebuilder/kube-rbac-proxy 36 | tag: "v0.8.0" 37 | pullPolicy: IfNotPresent 38 | 39 | ## Role Based Access 40 | ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ 41 | ## 42 | rbac: 43 | enabled: true 44 | 45 | nameOverride: "" 46 | fullnameOverride: "" 47 | 48 | useNamespaceResource: false 49 | 50 | leaderElection: 51 | enabled: true 52 | namespace: "istio-system" 53 | nameOverride: "" 54 | 55 | apiServerEndpointAddress: "" 56 | clusterRegistry: 57 | clusterAPI: 58 | enabled: false 59 | resourceSyncRules: 60 | enabled: false 61 | -------------------------------------------------------------------------------- /docs/crds/v1alpha1/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Available CRDs 3 | generated_file: true 4 | --- 5 | 6 | The following CRDs are available. For details, click the name of the CRD. 7 | 8 | | Name | Description | Version | 9 | |---|---|---| 10 | | **[Quantity](common/)** | | v1alpha1 | 11 | | **[ConfigState](common.pb/)** | | v1alpha1 | 12 | | **[ModeType](istiocontrolplane.pb/)** | | v1alpha1 | 13 | | **[SortableIstioControlPlaneItems](istiocontrolplane_types/)** | | v1alpha1 | 14 | | **[IstioMeshSpec](istiomesh.pb/)** | | v1alpha1 | 15 | | **[IstioMesh](istiomesh_types/)** | | v1alpha1 | 16 | | **[GatewayType](istiomeshgateway.pb/)** | | v1alpha1 | 17 | | **[IstioMeshGateway](istiomeshgateway_types/)** | | v1alpha1 | 18 | 19 | -------------------------------------------------------------------------------- /docs/crds/v1alpha1/common.md: -------------------------------------------------------------------------------- 1 | ## Quantity 2 | 3 | define new type from k8s quantity to marshal/unmarshal jsonpb 4 | 5 | ### quantity (resource.Quantity, optional) {#quantity-quantity} 6 | 7 | Default: - 8 | 9 | 10 | ## IntOrString 11 | 12 | define new type from k8s intstr to marshal/unmarshal jsonpb 13 | 14 | ### 
intorsting (intstr.IntOrString, optional) {#intorstring-intorsting} 15 | 16 | Default: - 17 | 18 | 19 | -------------------------------------------------------------------------------- /docs/crds/v1alpha1/istiocontrolplane_types.md: -------------------------------------------------------------------------------- 1 | ## IstioControlPlane 2 | 3 | IstioControlPlane is the Schema for the istiocontrolplanes API 4 | 5 | ### (metav1.TypeMeta, required) {#istiocontrolplane-} 6 | 7 | Default: - 8 | 9 | ### metadata (metav1.ObjectMeta, optional) {#istiocontrolplane-metadata} 10 | 11 | Default: - 12 | 13 | ### spec (*IstioControlPlaneSpec, optional) {#istiocontrolplane-spec} 14 | 15 | Default: - 16 | 17 | ### status (IstioControlPlaneStatus, optional) {#istiocontrolplane-status} 18 | 19 | Default: - 20 | 21 | 22 | ## IstioControlPlaneWithProperties 23 | 24 | ### istioControlPlane (*IstioControlPlane, optional) {#istiocontrolplanewithproperties-istiocontrolplane} 25 | 26 | Default: - 27 | 28 | ### properties (IstioControlPlaneProperties, optional) {#istiocontrolplanewithproperties-properties} 29 | 30 | Default: - 31 | 32 | 33 | ## IstioControlPlaneProperties 34 | 35 | Properties of the IstioControlPlane 36 | 37 | ### mesh (*IstioMesh, optional) {#istiocontrolplaneproperties-mesh} 38 | 39 | Default: - 40 | 41 | ### meshNetworks (*v1alpha1.MeshNetworks, optional) {#istiocontrolplaneproperties-meshnetworks} 42 | 43 | Default: - 44 | 45 | ### trustedRootCACertificatePEMs ([]string, optional) {#istiocontrolplaneproperties-trustedrootcacertificatepems} 46 | 47 | Default: - 48 | 49 | 50 | ## IstioControlPlaneList 51 | 52 | IstioControlPlaneList contains a list of IstioControlPlane 53 | 54 | ### (metav1.TypeMeta, required) {#istiocontrolplanelist-} 55 | 56 | Default: - 57 | 58 | ### metadata (metav1.ListMeta, optional) {#istiocontrolplanelist-metadata} 59 | 60 | Default: - 61 | 62 | ### items ([]IstioControlPlane, required) {#istiocontrolplanelist-items} 63 | 64 | Default: - 65 | 66 | 
67 | ## PeerIstioControlPlane 68 | 69 | PeerIstioControlPlane is the Schema for the clone of the istiocontrolplanes API 70 | 71 | ### (metav1.TypeMeta, required) {#peeristiocontrolplane-} 72 | 73 | Default: - 74 | 75 | ### metadata (metav1.ObjectMeta, optional) {#peeristiocontrolplane-metadata} 76 | 77 | Default: - 78 | 79 | ### spec (*IstioControlPlaneSpec, optional) {#peeristiocontrolplane-spec} 80 | 81 | Default: - 82 | 83 | ### status (IstioControlPlaneStatus, optional) {#peeristiocontrolplane-status} 84 | 85 | Default: - 86 | 87 | 88 | ## PeerIstioControlPlaneList 89 | 90 | PeerIstioControlPlaneList contains a list of PeerIstioControlPlane 91 | 92 | ### (metav1.TypeMeta, required) {#peeristiocontrolplanelist-} 93 | 94 | Default: - 95 | 96 | ### metadata (metav1.ListMeta, optional) {#peeristiocontrolplanelist-metadata} 97 | 98 | Default: - 99 | 100 | ### items ([]PeerIstioControlPlane, required) {#peeristiocontrolplanelist-items} 101 | 102 | Default: - 103 | 104 | 105 | -------------------------------------------------------------------------------- /docs/crds/v1alpha1/istiomesh.pb.md: -------------------------------------------------------------------------------- 1 | ## IstioMeshSpec 2 | 3 | Mesh defines an Istio service mesh 4 | 5 | 16 | 17 | 21 | 22 | ### config (*v1alpha1.MeshConfig, optional) {#istiomeshspec-config} 23 | 24 | Default: - 25 | 26 | ### - (struct{}, required) {#istiomeshspec--} 27 | 28 | Default: - 29 | 30 | ### - ([]byte, required) {#istiomeshspec--} 31 | 32 | Default: - 33 | 34 | ### - (int32, required) {#istiomeshspec--} 35 | 36 | Default: - 37 | 38 | 39 | ## IstioMeshStatus 40 | 41 | 45 | 46 | ### status (ConfigState, optional) {#istiomeshstatus-status} 47 | 48 | Reconciliation status of the Istio mesh 49 | 50 | Default: - 51 | 52 | ### errorMessage (string, optional) {#istiomeshstatus-errormessage} 53 | 54 | Reconciliation error message if any 55 | 56 | Default: - 57 | 58 | ### - (struct{}, required) {#istiomeshstatus--} 59 | 60 | 
Default: - 61 | 62 | ### - ([]byte, required) {#istiomeshstatus--} 63 | 64 | Default: - 65 | 66 | ### - (int32, required) {#istiomeshstatus--} 67 | 68 | Default: - 69 | 70 | 71 | -------------------------------------------------------------------------------- /docs/crds/v1alpha1/istiomesh_types.md: -------------------------------------------------------------------------------- 1 | ## IstioMesh 2 | 3 | IstioMesh is the Schema for the mesh API 4 | 5 | ### (metav1.TypeMeta, required) {#istiomesh-} 6 | 7 | Default: - 8 | 9 | ### metadata (metav1.ObjectMeta, optional) {#istiomesh-metadata} 10 | 11 | Default: - 12 | 13 | ### spec (*IstioMeshSpec, optional) {#istiomesh-spec} 14 | 15 | Default: - 16 | 17 | ### status (IstioMeshStatus, optional) {#istiomesh-status} 18 | 19 | Default: - 20 | 21 | 22 | ## IstioMeshList 23 | 24 | IstioMeshList contains a list of IstioMesh 25 | 26 | ### (metav1.TypeMeta, required) {#istiomeshlist-} 27 | 28 | Default: - 29 | 30 | ### metadata (metav1.ListMeta, optional) {#istiomeshlist-metadata} 31 | 32 | Default: - 33 | 34 | ### items ([]IstioMesh, required) {#istiomeshlist-items} 35 | 36 | Default: - 37 | 38 | 39 | -------------------------------------------------------------------------------- /docs/crds/v1alpha1/istiomeshgateway_types.md: -------------------------------------------------------------------------------- 1 | ## IstioMeshGateway 2 | 3 | IstioMeshGateway is the Schema for the istiomeshgateways API 4 | 5 | ### (metav1.TypeMeta, required) {#istiomeshgateway-} 6 | 7 | Default: - 8 | 9 | ### metadata (metav1.ObjectMeta, optional) {#istiomeshgateway-metadata} 10 | 11 | Default: - 12 | 13 | ### spec (*IstioMeshGatewaySpec, optional) {#istiomeshgateway-spec} 14 | 15 | Default: - 16 | 17 | ### status (IstioMeshGatewayStatus, optional) {#istiomeshgateway-status} 18 | 19 | Default: - 20 | 21 | 22 | ## IstioMeshGatewayWithProperties 23 | 24 | ### istiomeshgateway (*IstioMeshGateway, optional) 
{#istiomeshgatewaywithproperties-istiomeshgateway} 25 | 26 | Default: - 27 | 28 | ### properties (IstioMeshGatewayProperties, optional) {#istiomeshgatewaywithproperties-properties} 29 | 30 | Default: - 31 | 32 | 33 | ## IstioMeshGatewayProperties 34 | 35 | Properties of the IstioMeshGateway 36 | 37 | ### revision (string, optional) {#istiomeshgatewayproperties-revision} 38 | 39 | Default: - 40 | 41 | ### enablePrometheusMerge (*bool, optional) {#istiomeshgatewayproperties-enableprometheusmerge} 42 | 43 | Default: - 44 | 45 | ### injectionTemplate (string, optional) {#istiomeshgatewayproperties-injectiontemplate} 46 | 47 | Default: - 48 | 49 | ### injectionChecksum (string, optional) {#istiomeshgatewayproperties-injectionchecksum} 50 | 51 | Default: - 52 | 53 | ### meshConfigChecksum (string, optional) {#istiomeshgatewayproperties-meshconfigchecksum} 54 | 55 | Default: - 56 | 57 | ### istioControlPlane (*IstioControlPlane, optional) {#istiomeshgatewayproperties-istiocontrolplane} 58 | 59 | Default: - 60 | 61 | ### generateExternalService (bool, optional) {#istiomeshgatewayproperties-generateexternalservice} 62 | 63 | Default: - 64 | 65 | 66 | ## IstioMeshGatewayList 67 | 68 | IstioMeshGatewayList contains a list of IstioMeshGateway 69 | 70 | ### (metav1.TypeMeta, required) {#istiomeshgatewaylist-} 71 | 72 | Default: - 73 | 74 | ### metadata (metav1.ListMeta, optional) {#istiomeshgatewaylist-metadata} 75 | 76 | Default: - 77 | 78 | ### items ([]IstioMeshGateway, required) {#istiomeshgatewaylist-items} 79 | 80 | Default: - 81 | 82 | 83 | -------------------------------------------------------------------------------- /docs/multi-cluster-mesh/active-active/active-icp-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioControlPlane 3 | metadata: 4 | name: icp-v117x 5 | namespace: istio-system 6 | annotations: 7 | 
controlplane.istio.servicemesh.cisco.com/namespace-injection-source: "true" 8 | spec: 9 | version: 1.17.8 10 | mode: ACTIVE 11 | networkName: network1 12 | meshExpansion: 13 | enabled: true 14 | istiod: 15 | deployment: 16 | env: 17 | - name: ISTIO_MULTIROOT_MESH 18 | value: "true" 19 | meshConfig: 20 | defaultConfig: 21 | proxyMetadata: 22 | PROXY_CONFIG_XDS_AGENT: "true" 23 | -------------------------------------------------------------------------------- /docs/multi-cluster-mesh/active-active/active-icp-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioControlPlane 3 | metadata: 4 | name: icp-v117x 5 | namespace: istio-system 6 | spec: 7 | version: 1.17.8 8 | mode: ACTIVE 9 | networkName: network2 10 | meshExpansion: 11 | enabled: true 12 | istiod: 13 | deployment: 14 | env: 15 | - name: ISTIO_MULTIROOT_MESH 16 | value: "true" 17 | meshConfig: 18 | defaultConfig: 19 | proxyMetadata: 20 | PROXY_CONFIG_XDS_AGENT: "true" 21 | -------------------------------------------------------------------------------- /docs/multi-cluster-mesh/active-active/demoapp-vs-dr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | namespace: default 6 | spec: 7 | hosts: 8 | - reviews 9 | http: 10 | - match: 11 | - port: 9080 12 | route: 13 | - destination: 14 | host: reviews 15 | port: 16 | number: 9080 17 | subset: v1 18 | weight: 50 19 | - destination: 20 | host: reviews 21 | port: 22 | number: 9080 23 | subset: v2 24 | weight: 50 25 | --- 26 | apiVersion: networking.istio.io/v1beta1 27 | kind: DestinationRule 28 | metadata: 29 | name: reviews 30 | namespace: default 31 | spec: 32 | host: reviews 33 | subsets: 34 | - labels: 35 | version: v1 36 | name: v1 37 | - labels: 38 | version: v2 39 | name: v2 40 | - labels: 41 | version: v3 42 | name: v3 43 
| trafficPolicy: 44 | tls: 45 | mode: ISTIO_MUTUAL -------------------------------------------------------------------------------- /docs/multi-cluster-mesh/active-passive/active-icp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioControlPlane 3 | metadata: 4 | name: icp-v117x 5 | namespace: istio-system 6 | annotations: 7 | controlplane.istio.servicemesh.cisco.com/namespace-injection-source: "true" 8 | spec: 9 | version: 1.17.8 10 | mode: ACTIVE 11 | networkName: network1 12 | meshExpansion: 13 | enabled: true 14 | -------------------------------------------------------------------------------- /docs/multi-cluster-mesh/active-passive/demoapp-vs-dr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | namespace: default 6 | spec: 7 | hosts: 8 | - reviews 9 | http: 10 | - match: 11 | - port: 9080 12 | route: 13 | - destination: 14 | host: reviews 15 | port: 16 | number: 9080 17 | subset: v1 18 | weight: 50 19 | - destination: 20 | host: reviews 21 | port: 22 | number: 9080 23 | subset: v2 24 | weight: 50 25 | --- 26 | apiVersion: networking.istio.io/v1beta1 27 | kind: DestinationRule 28 | metadata: 29 | name: reviews 30 | namespace: default 31 | spec: 32 | host: reviews 33 | subsets: 34 | - labels: 35 | version: v1 36 | name: v1 37 | - labels: 38 | version: v2 39 | name: v2 40 | - labels: 41 | version: v3 42 | name: v3 43 | trafficPolicy: 44 | tls: 45 | mode: ISTIO_MUTUAL -------------------------------------------------------------------------------- /docs/multi-cluster-mesh/active-passive/passive-icp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioControlPlane 3 | metadata: 4 | name: icp-v117x 5 | namespace: istio-system 6 | spec: 
7 | version: 1.17.8 8 | mode: PASSIVE 9 | networkName: network2 10 | meshExpansion: 11 | enabled: true 12 | -------------------------------------------------------------------------------- /docs/openshift/gw.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioMeshGateway 3 | metadata: 4 | labels: 5 | app: bookinfo 6 | name: demo-imgw 7 | namespace: demoapp 8 | spec: 9 | istioControlPlane: 10 | name: icp-v117x 11 | namespace: istio-system 12 | deployment: 13 | metadata: 14 | labels: 15 | app: bookinfo 16 | service: 17 | ports: 18 | - name: http 19 | port: 80 20 | protocol: TCP 21 | targetPort: 8080 22 | type: LoadBalancer 23 | runAsRoot: true 24 | type: ingress 25 | --- 26 | apiVersion: networking.istio.io/v1alpha3 27 | kind: Gateway 28 | metadata: 29 | name: bookinfo-gateway 30 | namespace: demoapp 31 | spec: 32 | selector: 33 | app: bookinfo 34 | servers: 35 | - port: 36 | number: 80 37 | name: http 38 | protocol: HTTP 39 | hosts: 40 | - "*" 41 | --- 42 | apiVersion: networking.istio.io/v1alpha3 43 | kind: VirtualService 44 | metadata: 45 | name: bookinfo 46 | namespace: demoapp 47 | spec: 48 | hosts: 49 | - "*" 50 | gateways: 51 | - bookinfo-gateway 52 | http: 53 | - match: 54 | - uri: 55 | exact: /productpage 56 | - uri: 57 | prefix: /static 58 | - uri: 59 | exact: /login 60 | - uri: 61 | exact: /logout 62 | - uri: 63 | prefix: /api/v1/products 64 | route: 65 | - destination: 66 | host: productpage 67 | port: 68 | number: 9080 69 | -------------------------------------------------------------------------------- /docs/openshift/nad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "k8s.cni.cncf.io/v1" 2 | kind: NetworkAttachmentDefinition 3 | metadata: 4 | name: istio-cni -------------------------------------------------------------------------------- /docs/openshift/openshift.md: 
-------------------------------------------------------------------------------- 1 | # Installing Istio-operator on OpenShift 2 | Istio-operator supports OpenShift clusters with full functionality, but certain Istio components need additional permissions in order to function. 3 | ## Enable OpenShift specific permissions 4 | Allow the Istio control plane components to run as UID 1337: 5 | 6 | `oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system` 7 | 8 | Allow the Istio CNI components to run as privileged containers. This is needed so the CNI plugin can program iptables rules on the nodes, which Istio requires in order to function. Note that `add-scc-to-group` with `system:serviceaccounts:istio-system` grants the SCC to every service account in that namespace, not only to the CNI components. 9 | 10 | `oc adm policy add-scc-to-group privileged system:serviceaccounts:istio-system` 11 | 12 | Allow the Istio sidecar proxies to run as UID 1337 in the demoapp namespace. This step is needed for every namespace where sidecar injection is enabled: 13 | 14 | `oc adm policy add-scc-to-group anyuid system:serviceaccounts:demoapp` 15 | 16 | ## Deploy Istio Control Plane 17 | `kubectl apply -n istio-system -f docs/openshift/icp-openshift.yaml` 18 | 19 | ## Deploy Demo app and Istio Gateway 20 | ``` 21 | kubectl create ns demoapp 22 | kubectl label namespace demoapp istio.io/rev=icp-v117x.istio-system 23 | kubectl apply -n demoapp -f docs/openshift/gw.yaml 24 | kubectl apply -n demoapp -f docs/openshift/nad.yaml 25 | kubectl -n demoapp apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml 26 | ``` 27 | 28 | 29 | -------------------------------------------------------------------------------- /hack/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | -------------------------------------------------------------------------------- /internal/assets/assets.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package assets 18 | 19 | import ( 20 | "embed" 21 | "io/fs" 22 | ) 23 | /* Helm charts bundled into the operator binary with go:embed. Each chart directory is embedded twice on purpose: a directory pattern on its own skips files whose names start with "_" or ".", so templates/_helpers.tpl is listed explicitly for every chart. The exported variables are fs.FS views rooted at the chart directory, built at package initialisation via GetSubFS. */ 24 | var ( 25 | //go:embed manifests/base 26 | //go:embed manifests/base/templates/_helpers.tpl 27 | baseChart embed.FS 28 | BaseChart = GetSubFS(baseChart, "manifests/base") 29 | 30 | //go:embed manifests/istio-discovery 31 | //go:embed manifests/istio-discovery/templates/_helpers.tpl 32 | discoveryChart embed.FS 33 | DiscoveryChart = GetSubFS(discoveryChart, "manifests/istio-discovery") 34 | 35 | //go:embed manifests/istio-cni 36 | //go:embed manifests/istio-cni/templates/_helpers.tpl 37 | cniChart embed.FS 38 | CNIChart = GetSubFS(cniChart, "manifests/istio-cni") 39 | 40 | //go:embed manifests/istio-meshexpansion 41 | //go:embed manifests/istio-meshexpansion/templates/_helpers.tpl 42 | meshExpansionChart embed.FS 43 | MeshExpansionChart = GetSubFS(meshExpansionChart, "manifests/istio-meshexpansion") 44 | 45 | //go:embed manifests/istio-meshgateway 46 | //go:embed manifests/istio-meshgateway/templates/_helpers.tpl 47 | istioMeshGateway embed.FS 48 | IstioMeshGateway = GetSubFS(istioMeshGateway, "manifests/istio-meshgateway") 49 | 50 | //go:embed manifests/istio-sidecar-injector 51 | //go:embed manifests/istio-sidecar-injector/templates/_helpers.tpl 52 | istioSidecarInjector embed.FS 53 | IstioSidecarInjector = GetSubFS(istioSidecarInjector, "manifests/istio-sidecar-injector") 54 | 55 | //go:embed manifests/resource-sync-rule 56 | //go:embed manifests/resource-sync-rule/templates/_helpers.tpl 57 | resourceSyncRule embed.FS 58 | ResourceSyncRule = GetSubFS(resourceSyncRule, "manifests/resource-sync-rule") 59 | ) 60 | /* GetSubFS returns the sub-tree of fsys rooted at dir, using fs.Sub. It panics if fs.Sub reports an error (for example an invalid dir). The panic is deliberate: the package-level chart variables above call it during package initialisation, so a wrong embed path fails immediately at startup instead of surfacing later. */ 61 | func GetSubFS(fsys fs.FS, dir string) (subFS fs.FS) { 62 | subFS, err := fs.Sub(fsys, dir) 63 | if err != nil { 64 | panic(err) 65 | } 66 | 67 | return 68 | } 69 | -------------------------------------------------------------------------------- /internal/assets/manifests/base/Chart.yaml: 
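-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: base 3 | version: 1.1.0 4 | tillerVersion: ">=2.7.2" 5 | description: Helm chart for deploying Istio cluster resources and CRDs 6 | keywords: 7 | - istio 8 | sources: 9 | - http://github.com/istio/istio 10 | engine: gotpl 11 | icon: https://istio.io/latest/favicons/android-192x192.png 12 | -------------------------------------------------------------------------------- /internal/assets/manifests/base/NOTES.txt: -------------------------------------------------------------------------------- 1 | Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts. 2 | -------------------------------------------------------------------------------- /internal/assets/manifests/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - resources/gen-istio-cluster.yaml 6 | -------------------------------------------------------------------------------- /internal/assets/manifests/base/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "revision" -}} 2 | {{- .Values.global.revision | replace "." "-" -}} 3 | {{- end -}} 4 | 5 | {{- define "namespaced-revision" -}} 6 | {{- /* Bind the revision with trimmed braces so no newline leaks into the rendered value, and compare it with eq: in a Go template a variable cannot take arguments, so "$revision eq ..." fails at render time. Mirrors the istio-cni chart helper. */ -}} {{- $revision := (include "revision" .) -}} 
7 | {{- if eq $revision "default" -}} 8 | {{- $revision -}} 9 | {{- else -}} 10 | {{- printf "%s.%s" $revision .Release.Namespace -}} 11 | {{- end -}} 12 | {{- end -}} 13 | 14 | {{- define "name-with-revision" -}} 15 | {{- if .context.Values.global.revision -}} 16 | {{- printf "%s-%s" .name (include "revision" .context) -}} 17 | {{- else -}} 18 | {{- .name -}} 19 | {{- end -}} 20 | {{- end -}} 21 | 22 | {{- define "name-with-namespaced-revision" -}} 23 | {{- if .context.Values.global.revision -}} 24 | {{- printf "%s-%s" (include "name-with-revision" .) .context.Release.Namespace -}} 25 | {{- else -}} 26 | {{- printf "%s-%s" .name .context.Release.Namespace -}} 27 | {{- end -}} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /internal/assets/manifests/base/templates/crds.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.base.enableCRDTemplates }} 2 | {{ .Files.Get "crds/crd-all.gen.yaml" }} 3 | {{- end }} 4 | -------------------------------------------------------------------------------- /internal/assets/manifests/base/templates/endpoints.yaml: -------------------------------------------------------------------------------- 1 | {{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} 2 | # if the remotePilotAddress is an IP addr 3 | apiVersion: v1 4 | kind: Endpoints 5 | metadata: 6 | {{- if not .Values.global.externalIstiod }} 7 | name: {{ include "name-with-revision" ( dict "name" "istiod-remote" "context" $) }} 8 | {{- else }} 9 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 10 | {{- end }} 11 | namespace: {{ .Release.Namespace }} 12 | subsets: 13 | - addresses: 14 | - ip: {{ .Values.global.remotePilotAddress }} 15 | ports: 16 | - port: 15012 17 | name: tcp-istiod 18 | protocol: TCP 19 | - port: 15017 20 | name: tcp-webhook 21 | protocol: TCP 22 | --- 23 | {{- end }} 24 | 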
-------------------------------------------------------------------------------- /internal/assets/manifests/base/templates/services.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.remotePilotAddress }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if not .Values.global.externalIstiod }} 6 | # when local istiod is enabled, we can't use istiod service name to reach the remote control plane 7 | name: {{ include "name-with-revision" ( dict "name" "istiod-remote" "context" $) }} 8 | {{- else }} 9 | # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane 10 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 11 | {{- end }} 12 | namespace: {{ .Release.Namespace }} 13 | spec: 14 | ports: 15 | - port: 15012 16 | name: tcp-istiod 17 | protocol: TCP 18 | - port: 443 19 | targetPort: 15017 20 | name: tcp-webhook 21 | protocol: TCP 22 | {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} 23 | # if the remotePilotAddress is not an IP addr, we use ExternalName 24 | type: ExternalName 25 | externalName: {{ .Values.global.remotePilotAddress }} 26 | {{- end }} 27 | --- 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /internal/assets/manifests/base/values.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | 3 | # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace 4 | # to use for pulling any images in pods that reference this ServiceAccount. 5 | # Must be set for any cluster configured with private docker registry. 6 | imagePullSecrets: [] 7 | 8 | # Used to locate istiod. 
9 | istioNamespace: istio-system 10 | 11 | istiod: 12 | enableAnalysis: false 13 | 14 | configValidation: true 15 | externalIstiod: false 16 | remotePilotAddress: "" 17 | 18 | # Revision is set as 'version' label and part of the resource names when installing multiple control planes. 19 | revision: "" 20 | 21 | base: 22 | # Used for helm2 to add the CRDs to templates. 23 | enableCRDTemplates: false 24 | 25 | # Validation webhook configuration url 26 | # For example: https://$remotePilotAddress:15017/validate 27 | validationURL: "" 28 | 29 | # For istioctl usage to disable istio config crds in base 30 | enableIstioConfigCRDs: true 31 | -------------------------------------------------------------------------------- /internal/assets/manifests/base/values.yaml.tpl: -------------------------------------------------------------------------------- 1 | global: 2 | 3 | # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace 4 | # to use for pulling any images in pods that reference this ServiceAccount. 5 | # Must be set for any cluster configured with private docker registry. 6 | imagePullSecrets: [] 7 | 8 | # Used to locate istiod. 9 | istioNamespace: {{ .Namespace }} 10 | 11 | istiod: 12 | enableAnalysis: {{ .GetSpec.GetIstiod.GetEnableAnalysis.GetValue }} 13 | 14 | configValidation: true 15 | externalIstiod: {{ .GetSpec.GetIstiod.GetExternalIstiod.GetEnabled.GetValue }} 16 | 17 | revision: "{{ .Name }}" 18 | 19 | base: 20 | # Used for helm2 to add the CRDs to templates. 
21 | enableCRDTemplates: false 22 | 23 | # For istioctl usage to disable istio config crds in base 24 | enableIstioConfigCRDs: true 25 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-cni/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-cni 3 | version: 1.1.0 4 | description: Helm chart for istio-cni components 5 | keywords: 6 | - istio-cni 7 | - istio 8 | sources: 9 | - https://github.com/istio/istio/tree/master/cni 10 | engine: gotpl 11 | icon: https://istio.io/latest/favicons/android-192x192.png 12 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-cni/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "revision" -}} 2 | {{- default "default" (.Values.revision | replace "." "-") -}} 3 | {{- end -}} 4 | 5 | {{- define "namespaced-revision" -}} 6 | {{- $revision := (include "revision" .) -}} 7 | {{- if eq $revision "default" -}} 8 | {{- printf "%s" $revision -}} 9 | {{- else -}} 10 | {{- printf "%s.%s" $revision .Release.Namespace -}} 11 | {{- end -}} 12 | {{- end -}} 13 | 14 | {{- define "name-with-revision" -}} 15 | {{- if .context.Values.revision -}} 16 | {{- printf "%s-%s" .name (include "revision" .context) -}} 17 | {{- else -}} 18 | {{- .name -}} 19 | {{- end -}} 20 | {{- end -}} 21 | 22 | {{- define "name-with-namespaced-revision" -}} 23 | {{- if .context.Values.revision -}} 24 | {{- printf "%s-%s" (include "name-with-revision" .) 
.context.Release.Namespace -}} 25 | {{- else -}} 26 | {{- .name -}} 27 | {{- end -}} 28 | {{- end -}} 29 | 30 | {{- define "toYamlIf" }} 31 | {{- if .value }} 32 | {{- if .key }} 33 | {{ .key }}: 34 | {{- end }} 35 | {{- if gt (.indent | int) 0 }} 36 | {{ .value | toYaml | indent .indent }} 37 | {{- else }} 38 | {{ .value | toYaml }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-cni/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-cni" "context" $) }} 5 | labels: 6 | app: istio-cni 7 | release: {{ .Release.Name }} 8 | istio.io/rev: {{ include "namespaced-revision" . }} 9 | rules: 10 | - apiGroups: [""] 11 | resources: 12 | - pods 13 | - namespaces 14 | - nodes 15 | verbs: 16 | - get 17 | --- 18 | {{- if .Values.cni.repair.enabled }} 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRole 21 | metadata: 22 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-cni-repair" "context" $) }} 23 | labels: 24 | app: istio-cni 25 | release: {{ .Release.Name }} 26 | istio.io/rev: {{ include "namespaced-revision" . 
}} 27 | rules: 28 | - apiGroups: [""] 29 | resources: ["pods"] 30 | verbs: ["get", "list", "watch", "delete", "patch", "update" ] 31 | - apiGroups: [""] 32 | resources: ["events"] 33 | verbs: ["get", "list", "watch", "delete", "patch", "update", "create" ] 34 | {{- end }} 35 | --- 36 | {{- if .Values.cni.taint.enabled }} 37 | apiVersion: rbac.authorization.k8s.io/v1 38 | kind: ClusterRole 39 | metadata: 40 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-cni-taint" "context" $) }} 41 | labels: 42 | app: istio-cni 43 | release: {{ .Release.Name }} 44 | istio.io/rev: {{ include "namespaced-revision" . }} 45 | rules: 46 | - apiGroups: [""] 47 | resources: ["pods"] 48 | verbs: ["get", "list", "watch", "patch"] 49 | - apiGroups: [""] 50 | resources: ["nodes"] 51 | verbs: ["get", "list", "watch", "update", "patch"] 52 | - apiGroups: [""] 53 | resources: ["configmaps"] 54 | verbs: ["get", "list"] 55 | - apiGroups: ["coordination.k8s.io"] 56 | resources: ["leases"] 57 | verbs: ["get", "list", "create", "update"] 58 | {{- end }} 59 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-cni/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-cni" "context" $) }} 5 | labels: 6 | app: istio-cni 7 | release: {{ .Release.Name }} 8 | istio.io/rev: {{ include "namespaced-revision" . 
}} 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-cni" "context" $) }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: {{ include "name-with-revision" ( dict "name" "istio-cni" "context" $) }} 16 | namespace: {{ .Release.Namespace }} 17 | --- 18 | {{- if .Values.cni.repair.enabled }} 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRoleBinding 21 | metadata: 22 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-cni-repair" "context" $) }} 23 | labels: 24 | app: istio-cni 25 | release: {{ .Release.Name }} 26 | istio.io/rev: {{ include "namespaced-revision" . }} 27 | subjects: 28 | - kind: ServiceAccount 29 | name: {{ include "name-with-revision" ( dict "name" "istio-cni" "context" $) }} 30 | namespace: {{ .Release.Namespace }} 31 | roleRef: 32 | apiGroup: rbac.authorization.k8s.io 33 | kind: ClusterRole 34 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-cni-repair" "context" $) }} 35 | {{- end }} 36 | --- 37 | {{- if ne .Values.cni.psp_cluster_role "" }} 38 | apiVersion: rbac.authorization.k8s.io/v1 39 | kind: RoleBinding 40 | metadata: 41 | name: istio-cni-psp 42 | namespace: {{ .Release.Namespace }} 43 | labels: 44 | app: istio-cni 45 | release: {{ .Release.Name }} 46 | istio.io/rev: {{ include "namespaced-revision" . 
}} 47 | roleRef: 48 | apiGroup: rbac.authorization.k8s.io 49 | kind: ClusterRole 50 | name: {{ .Values.cni.psp_cluster_role }} 51 | subjects: 52 | - kind: ServiceAccount 53 | name: {{ include "name-with-revision" ( dict "name" "istio-cni" "context" $) }} 54 | namespace: {{ .Release.Namespace }} 55 | {{- end }} 56 | --- 57 | {{- if .Values.cni.taint.enabled }} 58 | apiVersion: rbac.authorization.k8s.io/v1 59 | kind: ClusterRoleBinding 60 | metadata: 61 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-cni-taint" "context" $) }} 62 | labels: 63 | k8s-app: istio-cni-taint 64 | istio.io/rev: {{ include "namespaced-revision" . }} 65 | subjects: 66 | - kind: ServiceAccount 67 | name: {{ include "name-with-revision" ( dict "name" "istio-cni" "context" $) }} 68 | namespace: {{ .Release.Namespace }} 69 | roleRef: 70 | apiGroup: rbac.authorization.k8s.io 71 | kind: ClusterRole 72 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-cni-taint" "context" $) }} 73 | {{- end }} 74 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-cni/templates/configmap-cni.yaml: -------------------------------------------------------------------------------- 1 | {{- $defaultBinDir := 2 | (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary 3 | "/home/kubernetes/bin" 4 | "/opt/cni/bin" 5 | }} 6 | kind: ConfigMap 7 | apiVersion: v1 8 | metadata: 9 | name: {{ include "name-with-revision" ( dict "name" "istio-cni" "context" $) }} 10 | namespace: {{ .Release.Namespace }} 11 | labels: 12 | app: istio-cni 13 | release: {{ .Release.Name }} 14 | istio.io/rev: {{ include "namespaced-revision" . }} 15 | data: 16 | # The CNI network configuration to add to the plugin chain on each node. The special 17 | # values in this config will be automatically populated. 
18 | cni_network_config: |- 19 | { 20 | "cniVersion": "0.3.1", 21 | "name": "istio-cni", 22 | "type": "istio-cni", 23 | "log_level": {{ quote .Values.cni.logLevel }}, 24 | "log_uds_address": "__LOG_UDS_ADDRESS__", 25 | "kubernetes": { 26 | "kubeconfig": "__KUBECONFIG_FILEPATH__", 27 | "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }}, 28 | "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ], 29 | "include_namespaces": [ {{ range $idx, $ns := .Values.cni.includeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ], 30 | "revision": "__ISTIO_REVISION__" 31 | } 32 | } 33 | --- 34 | {{- if .Values.cni.taint.enabled }} 35 | apiVersion: v1 36 | kind: ConfigMap 37 | metadata: 38 | name: {{ include "name-with-revision" ( dict "name" "istio-cni-taint" "context" $) }} 39 | namespace: {{ .Release.Namespace }} 40 | labels: 41 | app: istio-cni 42 | release: {{ .Release.Name }} 43 | istio.io/rev: {{ include "namespaced-revision" . }} 44 | data: 45 | config: | 46 | - name: {{ include "name-with-revision" ( dict "name" "istio-cni" "context" $) }} 47 | selector: app=istio-cni-node,istio.io/rev={{ include "namespaced-revision" . 
}} 48 | namespace: {{ .Release.Namespace }} 49 | {{- end }} 50 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-cni/templates/resource-quota.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.cni.resourceQuotas.enabled (ne .Values.cni.resourceQuotas.pods "") }} 2 | apiVersion: v1 3 | kind: ResourceQuota 4 | metadata: 5 | name: {{ include "name-with-revision" ( dict "name" "istio-cni" "context" $) }} 6 | namespace: {{ .Release.Namespace }} 7 | spec: 8 | hard: 9 | pods: {{ .Values.cni.resourceQuotas.pods | quote }} 10 | scopeSelector: 11 | matchExpressions: 12 | - operator: In 13 | scopeName: PriorityClass 14 | values: 15 | {{ toYaml .Values.cni.resourceQuotas.priorityClasses | indent 6}} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-cni/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{ include "toYamlIf" (dict "value" .Values.global.imagePullSecrets "key" "imagePullSecrets") }} 4 | metadata: 5 | name: {{ include "name-with-revision" ( dict "name" "istio-cni" "context" $) }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: istio-cni 9 | release: {{ .Release.Name }} 10 | istio.io/rev: {{ include "namespaced-revision" . 
}} 11 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-discovery 3 | version: 1.2.0 4 | tillerVersion: ">=2.7.2" 5 | description: Helm chart for istio control plane 6 | keywords: 7 | - istio 8 | - istiod 9 | - istio-discovery 10 | sources: 11 | - http://github.com/istio/istio 12 | engine: gotpl 13 | icon: https://istio.io/latest/favicons/android-192x192.png 14 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/NOTES.txt: -------------------------------------------------------------------------------- 1 | Minimal control plane for Istio. Pilot and mesh config are included. 2 | 3 | MCP and injector should optionally be installed in the same namespace. Alternatively remote 4 | address of an MCP server can be set. 5 | 6 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - resources/gen-istio.yaml 6 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/resources/grpc-simple.yaml: -------------------------------------------------------------------------------- 1 | metadata: 2 | annotations: 3 | sidecar.istio.io/rewriteAppHTTPProbers: "false" 4 | spec: 5 | initContainers: 6 | - name: grpc-bootstrap-init 7 | image: busybox:1.28 8 | volumeMounts: 9 | - mountPath: /var/lib/grpc/data/ 10 | name: grpc-io-proxyless-bootstrap 11 | env: 12 | - name: INSTANCE_IP 13 | valueFrom: 14 | fieldRef: 15 | fieldPath: status.podIP 16 | - name: POD_NAME 17 | valueFrom: 18 | 
fieldRef: 19 | fieldPath: metadata.name 20 | - name: POD_NAMESPACE 21 | valueFrom: 22 | fieldRef: 23 | fieldPath: metadata.namespace 24 | - name: ISTIO_NAMESPACE 25 | value: | 26 | {{ .Values.global.istioNamespace }} 27 | command: 28 | - sh 29 | - "-c" 30 | - |- 31 | NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" 32 | SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" 33 | echo ' 34 | { 35 | "xds_servers": [ 36 | { 37 | "server_uri": "'${SERVER_URI}'", 38 | "channel_creds": [{"type": "insecure"}], 39 | "server_features" : ["xds_v3"] 40 | } 41 | ], 42 | "node": { 43 | "id": "'${NODE_ID}'", 44 | "metadata": { 45 | "GENERATOR": "grpc" 46 | } 47 | } 48 | }' > /var/lib/grpc/data/bootstrap.json 49 | containers: 50 | {{- range $index, $container := .Spec.Containers }} 51 | - name: {{ $container.Name }} 52 | env: 53 | - name: GRPC_XDS_BOOTSTRAP 54 | value: /var/lib/grpc/data/bootstrap.json 55 | - name: GRPC_GO_LOG_VERBOSITY_LEVEL 56 | value: "99" 57 | - name: GRPC_GO_LOG_SEVERITY_LEVEL 58 | value: info 59 | volumeMounts: 60 | - mountPath: /var/lib/grpc/data/ 61 | name: grpc-io-proxyless-bootstrap 62 | {{- end }} 63 | volumes: 64 | - name: grpc-io-proxyless-bootstrap 65 | emptyDir: {} 66 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "revision" -}} 2 | {{- default "default" (.Values.revision | replace "." "-") -}} 3 | {{- end -}} 4 | 5 | {{- define "namespaced-revision" -}} 6 | {{- $revision := (include "revision" .) 
-}} 7 | {{- if eq $revision "default" -}} 8 | {{- printf "%s" $revision -}} 9 | {{- else -}} 10 | {{- printf "%s.%s" $revision .Release.Namespace -}} 11 | {{- end -}} 12 | {{- end -}} 13 | 14 | {{- define "name-with-revision" -}} 15 | {{- if .context.Values.revision -}} 16 | {{- printf "%s-%s" .name (include "revision" .context) -}} 17 | {{- else -}} 18 | {{- .name -}} 19 | {{- end -}} 20 | {{- end -}} 21 | 22 | {{- define "name-with-namespaced-revision" -}} 23 | {{- if .context.Values.revision -}} 24 | {{- printf "%s-%s" (include "name-with-revision" .) .context.Release.Namespace -}} 25 | {{- else -}} 26 | {{- .name -}} 27 | {{- end -}} 28 | {{- end -}} 29 | 30 | {{- define "toYamlIf" }} 31 | {{- if .value }} 32 | {{- if .key }} 33 | {{ .key }}: 34 | {{- end }} 35 | {{- if gt (.indent | int) 0 }} 36 | {{ .value | toYaml | indent .indent }} 37 | {{- else }} 38 | {{ .value | toYaml }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/autoscale.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (eq .Values.global.mode "ACTIVE") .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} 2 | apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }} 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: istiod 9 | release: {{ .Release.Name }} 10 | istio.io/rev: {{ include "namespaced-revision" . 
}} 11 | spec: 12 | maxReplicas: {{ .Values.pilot.autoscaleMax }} 13 | minReplicas: {{ .Values.pilot.autoscaleMin }} 14 | scaleTargetRef: 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 18 | metrics: 19 | - type: Resource 20 | resource: 21 | name: cpu 22 | target: 23 | type: Utilization 24 | averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} 25 | --- 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.global.mode "ACTIVE" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istiod" "context" $) }} 6 | labels: 7 | app: istiod 8 | release: {{ .Release.Name }} 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istiod" "context" $) }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 16 | namespace: {{ .Release.Namespace }} 17 | --- 18 | {{- $gatewayAPIDeployment := true }} 19 | {{- range .Values.pilot.env }} 20 | {{- if and (eq .name "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER") (eq .value "false") }} 21 | {{- $gatewayAPIDeployment = false }} 22 | {{- end }} 23 | {{- end }} 24 | {{- if $gatewayAPIDeployment }} 25 | apiVersion: rbac.authorization.k8s.io/v1 26 | kind: ClusterRoleBinding 27 | metadata: 28 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istiod-gateway-controller" "context" $) }} 29 | labels: 30 | app: istiod 31 | release: {{ .Release.Name }} 32 | roleRef: 33 | apiGroup: rbac.authorization.k8s.io 34 | kind: ClusterRole 35 | name: {{ include 
"name-with-namespaced-revision" ( dict "name" "istiod-gateway-controller" "context" $) }} 36 | subjects: 37 | - kind: ServiceAccount 38 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 39 | namespace: {{ .Values.global.istioNamespace }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/configmap-jwks.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (eq .Values.global.mode "ACTIVE") .Values.pilot.jwksResolverExtraRootCA }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "name-with-revision" ( dict "name" "pilot-jwks-extra-cacerts" "context" $) }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | release: {{ .Release.Name }} 9 | istio.io/rev: {{ include "namespaced-revision" . }} 10 | data: 11 | extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (eq .Values.global.mode "ACTIVE") .Values.global.defaultPodDisruptionBudget.enabled }} 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: istiod 9 | istio.io/rev: {{ include "namespaced-revision" . 
}} 10 | release: {{ .Release.Name }} 11 | istio: istiod 12 | spec: 13 | {{- if .Values.global.defaultPodDisruptionBudget.maxUnavailable }} 14 | maxUnavailable: {{ .Values.global.defaultPodDisruptionBudget.maxUnavailable }} 15 | {{- else }} 16 | minAvailable: {{ .Values.global.defaultPodDisruptionBudget.minAvailable }} 17 | {{- end }} 18 | selector: 19 | matchLabels: 20 | app: istiod 21 | istio.io/rev: {{ include "namespaced-revision" . }} 22 | --- 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/reader-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-reader" "context" $) }} 5 | labels: 6 | app: istio-reader 7 | release: {{ .Release.Name }} 8 | rules: 9 | - apiGroups: 10 | - "config.istio.io" 11 | - "security.istio.io" 12 | - "networking.istio.io" 13 | - "authentication.istio.io" 14 | - "rbac.istio.io" 15 | resources: ["*"] 16 | verbs: ["get", "list", "watch"] 17 | - apiGroups: [""] 18 | resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] 19 | verbs: ["get", "list", "watch"] 20 | - apiGroups: ["networking.istio.io"] 21 | verbs: [ "get", "watch", "list" ] 22 | resources: [ "workloadentries" ] 23 | - apiGroups: ["apiextensions.k8s.io"] 24 | resources: ["customresourcedefinitions"] 25 | verbs: ["get", "list", "watch"] 26 | - apiGroups: ["discovery.k8s.io"] 27 | resources: ["endpointslices"] 28 | verbs: ["get", "list", "watch"] 29 | - apiGroups: ["multicluster.x-k8s.io"] 30 | resources: ["serviceexports"] 31 | verbs: ["get", "list", "watch"] 32 | - apiGroups: ["multicluster.x-k8s.io"] 33 | resources: ["serviceimports"] 34 | verbs: ["get", "list", "watch"] 35 | - apiGroups: ["apps"] 36 | resources: ["replicasets"] 
37 | verbs: ["get", "list", "watch"] 38 | - apiGroups: ["authentication.k8s.io"] 39 | resources: ["tokenreviews"] 40 | verbs: ["create"] 41 | - apiGroups: ["authorization.k8s.io"] 42 | resources: ["subjectaccessreviews"] 43 | verbs: ["create"] 44 | {{- if .Values.global.externalIstiod }} 45 | - apiGroups: [""] 46 | resources: ["configmaps"] 47 | verbs: ["create", "get", "list", "watch", "update"] 48 | - apiGroups: ["admissionregistration.k8s.io"] 49 | resources: ["mutatingwebhookconfigurations"] 50 | verbs: ["get", "list", "watch", "update", "patch"] 51 | - apiGroups: ["admissionregistration.k8s.io"] 52 | resources: ["validatingwebhookconfigurations"] 53 | verbs: ["get", "list", "watch", "update"] 54 | {{- end}} 55 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/reader-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-reader" "context" $) }} 5 | labels: 6 | app: istio-reader 7 | release: {{ .Release.Name }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-reader" "context" $) }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: {{ include "name-with-revision" ( dict "name" "istio-reader" "context" $) }} 15 | namespace: {{ .Release.Namespace }} 16 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/reader-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{ if .Values.global.imagePullSecrets }} 4 | imagePullSecrets: 5 | {{- range .Values.global.imagePullSecrets }} 6 | - name: {{ . 
}} 7 | {{- end }} 8 | {{ end }} 9 | metadata: 10 | name: {{ include "name-with-revision" ( dict "name" "istio-reader" "context" $) }} 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: istio-reader 14 | release: {{ .Release.Name }} 15 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.global.mode "ACTIVE" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: istiod 9 | release: {{ .Release.Name }} 10 | rules: 11 | # Permissions to verify that the webhook is ready and is rejecting 12 | # invalid config. We use --server-dry-run so no config is persisted. 13 | - apiGroups: ["networking.istio.io"] 14 | verbs: ["create"] 15 | resources: ["gateways"] 16 | 17 | # For storing the CA secret 18 | - apiGroups: [""] 19 | resources: ["secrets"] 20 | # TODO: restrict this to the istio-ca-cert secret when the DNS cert mesh config is not in use; as written it covers every secret in the namespace 21 | verbs: ["create", "get", "watch", "list", "update", "delete"] 22 | 23 | # For the status controller, so it can delete the distribution report configmap 24 | - apiGroups: [""] 25 | resources: ["configmaps"] 26 | verbs: ["delete"] 27 | {{- end }} 28 | --- 29 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.global.mode "ACTIVE" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: istiod 9 | release: {{ .Release.Name }} 10 | 
roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: Role 13 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 17 | namespace: {{ .Release.Namespace }} 18 | {{- end }} 19 | --- 20 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: istiod 8 | istio.io/rev: {{ include "namespaced-revision" . }} 9 | istio: istiod 10 | release: {{ .Release.Name }} 11 | spec: 12 | type: ClusterIP 13 | ports: 14 | - port: 15010 15 | name: grpc-xds # plaintext 16 | protocol: TCP 17 | - port: 15012 18 | name: https-dns # mTLS with k8s-signed cert 19 | protocol: TCP 20 | - port: 443 21 | name: https-webhook # validation and injection 22 | targetPort: 15017 23 | protocol: TCP 24 | - port: 15014 25 | name: http-monitoring # prometheus stats 26 | protocol: TCP 27 | {{- if eq .Values.global.mode "PASSIVE" }} 28 | clusterIP: None 29 | clusterIPs: 30 | - None 31 | {{- else }} 32 | selector: 33 | app: istiod 34 | istio.io/rev: {{ include "namespaced-revision" . }} 35 | {{- end }} 36 | --- 37 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.global.mode "ACTIVE" }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | {{ if .Values.global.imagePullSecrets }} 5 | imagePullSecrets: 6 | {{- range .Values.global.imagePullSecrets }} 7 | - name: {{ . 
}} 8 | {{- end }} 9 | {{ end }} 10 | metadata: 11 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 12 | namespace: {{ .Release.Namespace }} 13 | labels: 14 | app: istiod 15 | release: {{ .Release.Name }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-discovery/templates/validatingwebhookconfiguration.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (eq .Values.global.mode "ACTIVE") .Values.global.configValidation }} 2 | apiVersion: admissionregistration.k8s.io/v1 3 | kind: ValidatingWebhookConfiguration 4 | metadata: 5 | {{- if eq .Values.global.distribution "cisco" }} 6 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-validator" "context" $) }} 7 | {{- else }} 8 | name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}.{{ .Release.Namespace }}-{{ .Release.Namespace }}{{- end }} 9 | {{- end }} 10 | labels: 11 | app: istiod 12 | release: {{ .Release.Name }} 13 | istio: istiod 14 | istio.io/rev: {{ include "namespaced-revision" . }} 15 | webhooks: 16 | # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks 17 | # are rejecting invalid configs on a per-revision basis. 
18 | - name: rev.validation.istio.io 19 | clientConfig: 20 | # Should be moved out of the `base` values, but cannot be, for API compatibility 21 | {{- if .Values.base.validationURL }} 22 | url: {{ .Values.base.validationURL }} 23 | {{- else }} 24 | service: 25 | name: {{ include "name-with-revision" ( dict "name" "istiod" "context" $) }} 26 | namespace: {{ .Release.Namespace }} 27 | path: "/validate" 28 | {{- end }} 29 | rules: 30 | - operations: 31 | - CREATE 32 | - UPDATE 33 | apiGroups: 34 | - security.istio.io 35 | - networking.istio.io 36 | - telemetry.istio.io 37 | - extensions.istio.io 38 | {{- if .Values.base.validateGateway }} 39 | - gateway.networking.k8s.io 40 | {{- end }} 41 | apiVersions: 42 | - "*" 43 | resources: 44 | - "*" 45 | scope: "*" 46 | # Fail open (config is admitted unvalidated) until the validation webhook is ready. The webhook controller 47 | # will update this to `Fail` and patch in the `caBundle` once the webhook 48 | # endpoint is ready. 49 | failurePolicy: Ignore 50 | sideEffects: None 51 | admissionReviewVersions: ["v1beta1", "v1"] 52 | objectSelector: 53 | matchExpressions: 54 | - key: istio.io/rev 55 | operator: In 56 | values: 57 | - "{{ include "namespaced-revision" . 
}}" 58 | --- 59 | {{- end }} 60 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshexpansion/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-meshexpansion 3 | version: 1.1.0 4 | description: Helm chart for istio mesh expansion components 5 | keywords: 6 | - istio-meshexpansion 7 | - istio 8 | engine: gotpl 9 | icon: https://istio.io/latest/favicons/android-192x192.png 10 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshexpansion/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "revision" -}} 2 | {{- default "default" (.Values.revision | replace "." "-") -}} 3 | {{- end -}} 4 | 5 | {{- define "namespaced-revision" -}} 6 | {{- $revision := (include "revision" .) -}} 7 | {{- if eq $revision "default" -}} 8 | {{- printf "%s" $revision -}} 9 | {{- else -}} 10 | {{- printf "%s.%s" $revision .Release.Namespace -}} 11 | {{- end -}} 12 | {{- end -}} 13 | 14 | {{- define "name-with-revision" -}} 15 | {{- if .context.Values.revision -}} 16 | {{- printf "%s-%s" .name (include "revision" .context) -}} 17 | {{- else -}} 18 | {{- .name -}} 19 | {{- end -}} 20 | {{- end -}} 21 | 22 | {{- define "name-with-namespaced-revision" -}} 23 | {{- if .context.Values.revision -}} 24 | {{- printf "%s-%s" (include "name-with-revision" .) 
.context.Release.Namespace -}} 25 | {{- else -}} 26 | {{- .name -}} 27 | {{- end -}} 28 | {{- end -}} 29 | 30 | {{- define "toYamlIf" }} 31 | {{- if .value }} 32 | {{- if .key }} 33 | {{ .key }}: 34 | {{- end }} 35 | {{- if gt (.indent | int) 0 }} 36 | {{ .value | toYaml | indent .indent }} 37 | {{- else }} 38 | {{ .value | toYaml }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | 43 | {{- define "dockerImage" }} 44 | {{- if contains "/" .image }} 45 | image: "{{ .image }}" 46 | {{- else }} 47 | image: "{{ .hub }}/{{ .image }}:{{ .tag }}" 48 | {{- end }} 49 | {{- end }} 50 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshexpansion/templates/istio-cross-network-gw.yaml: -------------------------------------------------------------------------------- 1 | {{ if and (eq .Values.mode "ACTIVE") .Values.exposeClusterServices }} 2 | apiVersion: networking.istio.io/v1alpha3 3 | kind: Gateway 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-cross-network" "context" $) }} 6 | spec: 7 | selector: 8 | gateway-name: {{ include "name-with-revision" (dict "name" "istio-meshexpansion" "context" $) }} 9 | gateway-type: ingress 10 | servers: 11 | - port: 12 | number: 15443 13 | name: tls 14 | protocol: TLS 15 | tls: 16 | mode: AUTO_PASSTHROUGH 17 | hosts: 18 | - "*.local" 19 | {{ end }} 20 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshexpansion/templates/istio-meshexpansion-mgw.yaml: -------------------------------------------------------------------------------- 1 | {{- define "service" }} 2 | ports: 3 | - name: tcp-status-port 4 | port: 15021 5 | protocol: TCP 6 | targetPort: 15021 7 | {{ if .Values.exposeIstiod }} 8 | - name: tls-istiod 9 | port: 15012 10 | protocol: TCP 11 | targetPort: 15012 12 | {{ end }} 13 | {{ if .Values.exposeWebhook }} 14 | - name: tls-istiodwebhook 15 | port: 15017 16 | protocol: 
TCP 17 | targetPort: 15017 18 | {{ end }} 19 | {{ if .Values.exposeClusterServices }} 20 | - name: tls 21 | port: 15443 22 | protocol: TCP 23 | targetPort: 15443 24 | {{ end }} 25 | {{- include "toYamlIf" (dict "value" .Values.service.ports) }} 26 | {{- end }} 27 | 28 | {{- define "deployment" }} 29 | env: 30 | - name: ISTIO_META_ROUTER_MODE 31 | value: sni-dnat 32 | - name: ISTIO_META_REQUESTED_NETWORK_VIEW 33 | value: {{ .Values.network }} 34 | {{- if eq .Values.distribution "cisco" }} 35 | - name: ISTIO_META_LOCAL_ENDPOINTS_ONLY 36 | value: "true" 37 | {{- end }} 38 | {{- include "toYamlIf" (dict "value" .Values.deployment.env) }} 39 | {{- end }} 40 | 41 | apiVersion: servicemesh.cisco.com/v1alpha1 42 | kind: IstioMeshGateway 43 | metadata: 44 | name: {{ include "name-with-revision" (dict "name" "istio-meshexpansion" "context" $) }} 45 | annotations: 46 | meshgateway.istio.servicemesh.cisco.com/generate-external-service: "true" 47 | labels: 48 | istio.io/rev: {{ include "namespaced-revision" . }} 49 | app: istio-meshexpansion-gateway 50 | {{- include "toYamlIf" (dict "value" .Values.metadata.labels) | indent 4 }} 51 | {{- include "toYamlIf" (dict "value" .Values.metadata.annotations "key" "annotations" "indent" 2) | indent 2 }} 52 | spec: 53 | istioControlPlane: 54 | name: {{ .Values.revision }} 55 | namespace: {{ .Release.Namespace }} 56 | runAsRoot: {{ .Values.runAsRoot }} 57 | {{- include "toYamlIf" (dict "value" (merge (include "service" . | fromYaml) .Values.service) "key" "service" "indent" 2) | indent 2 }} 58 | {{- include "toYamlIf" (dict "value" (merge (include "deployment" . 
| fromYaml) .Values.deployment) "key" "deployment" "indent" 2) | indent 2 }} 59 | type: ingress 60 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshexpansion/templates/istiod-expansion-gw.yaml: -------------------------------------------------------------------------------- 1 | {{ if and (eq .Values.mode "ACTIVE") (or .Values.exposeIstiod .Values.exposeWebhook) }} 2 | apiVersion: networking.istio.io/v1alpha3 3 | kind: Gateway 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istiod-expansion" "context" $) }} 6 | spec: 7 | selector: 8 | gateway-name: {{ include "name-with-revision" (dict "name" "istio-meshexpansion" "context" $) }} 9 | gateway-type: ingress 10 | servers: 11 | {{ if .Values.exposeIstiod }} 12 | - port: 13 | name: tls-istiod 14 | number: 15012 15 | protocol: TLS 16 | tls: 17 | mode: PASSTHROUGH 18 | hosts: 19 | - "*" 20 | {{ end }} 21 | {{ if .Values.exposeWebhook }} 22 | - port: 23 | name: tls-istiodwebhook 24 | number: 15017 25 | protocol: TLS 26 | tls: 27 | mode: PASSTHROUGH 28 | hosts: 29 | - "*" 30 | {{ end }} 31 | {{ end }} 32 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshexpansion/templates/istiod-expansion-vs.yaml: -------------------------------------------------------------------------------- 1 | {{ if and (eq .Values.mode "ACTIVE") (or .Values.exposeIstiod .Values.exposeWebhook) }} 2 | apiVersion: networking.istio.io/v1alpha3 3 | kind: VirtualService 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istiod-expansion" "context" $) }} 6 | spec: 7 | hosts: 8 | - "*" 9 | gateways: 10 | - {{ include "name-with-revision" (dict "name" "istiod-expansion" "context" $) }} 11 | tls: 12 | {{ if .Values.exposeIstiod }} 13 | - match: 14 | - port: 15012 15 | sniHosts: 16 | - "*" 17 | route: 18 | - destination: 19 | host: "{{ include "name-with-revision" ( dict "name" 
"istiod" "context" $) }}.{{ .Release.Namespace }}.svc.cluster.local" 20 | port: 21 | number: 15012 22 | {{ end }} 23 | {{ if .Values.exposeWebhook }} 24 | - match: 25 | - port: 15017 26 | sniHosts: 27 | - "*" 28 | route: 29 | - destination: 30 | host: "{{ include "name-with-revision" ( dict "name" "istiod" "context" $) }}.{{ .Release.Namespace }}.svc.cluster.local" 31 | port: 32 | number: 443 33 | {{ end }} 34 | {{ end }} 35 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshexpansion/values.yaml: -------------------------------------------------------------------------------- 1 | revision: "" 2 | network: network1 3 | distribution: official 4 | 5 | exposeIstiod: true 6 | exposeWebhook: true 7 | exposeClusterServices: true 8 | 9 | mode: ACTIVE 10 | 11 | runAsRoot: false 12 | metadata: 13 | labels: {} 14 | annotations: {} 15 | deployment: {} 16 | service: 17 | type: LoadBalancer 18 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshexpansion/values.yaml.tpl: -------------------------------------------------------------------------------- 1 | {{ valueIf (dict "key" "revision" "value" .Name) }} 2 | {{ with .GetSpec.GetMeshExpansion }} 3 | {{ valueIf (dict "key" "exposeIstiod" "value" .GetIstiod.GetExpose) }} 4 | {{ valueIf (dict "key" "exposeWebhook" "value" .GetWebhook.GetExpose) }} 5 | {{ valueIf (dict "key" "exposeClusterServices" "value" .GetClusterServices.GetExpose) }} 6 | {{ end }} 7 | {{ with .GetSpec.GetMeshExpansion.GetGateway }} 8 | {{ valueIf (dict "key" "runAsRoot" "value" .GetRunAsRoot) }} 9 | {{ toYamlIf (dict "value" .GetMetadata "key" "metadata") }} 10 | {{ toYamlIf (dict "value" .GetDeployment "key" "deployment") }} 11 | {{ toYamlIf (dict "value" .GetService "key" "service") }} 12 | {{ end }} 13 | {{- if .GetSpec.GetMode }} 14 | mode: {{ .GetSpec.GetMode | toString }} 15 | {{- end }} 16 | {{ valueIf (dict "key" 
"distribution" "value" .GetSpec.GetDistribution) }} 17 | {{ valueIf (dict "key" "network" "value" .GetSpec.GetNetworkName) }} 18 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshgateway/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-meshgateway 3 | version: 0.2.0 4 | tillerVersion: ">=2.7.2" 5 | description: Helm chart for deploying Istio mesh gateways 6 | keywords: 7 | - istio 8 | - ingressgateway 9 | - egressgateway 10 | - gateways 11 | sources: 12 | - http://github.com/istio/istio 13 | engine: gotpl 14 | icon: https://istio.io/latest/favicons/android-192x192.png 15 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshgateway/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "labels" }} 2 | {{- include "toYamlIf" (dict "value" (merge .labels (dict "gateway-name" .context.Values.deployment.name "gateway-type" .context.Values.type))) }} 3 | {{- end }} 4 | 5 | {{- define "generic.labels" }} 6 | release: {{ .Release.Name }} 7 | {{- if .Values.revision }} 8 | istio.io/rev: {{ .Values.revision }} 9 | {{- end }} 10 | {{- end }} 11 | 12 | {{- define "deployment.labels" }} 13 | {{- include "labels" (dict "context" . "labels" .Values.deployment.metadata.labels) }} 14 | {{- include "generic.labels" . }} 15 | {{- end }} 16 | 17 | {{- define "pod.labels" }} 18 | {{- include "labels" (dict "context" . "labels" .Values.deployment.podMetadata.labels) }} 19 | {{- include "deployment.labels" . }} 20 | {{- end }} 21 | 22 | {{- define "service.labels" }} 23 | {{- include "labels" (dict "context" . 
"labels" .Values.service.metadata.labels) }} 24 | {{- end }} 25 | 26 | {{- define "toYamlIf" }} 27 | {{- if .value }} 28 | {{- if .key }} 29 | {{ .key }}: 30 | {{- end }} 31 | {{- if gt (.indent | int) 0 }} 32 | {{ .value | toYaml | indent .indent }} 33 | {{- else }} 34 | {{ .value | toYaml }} 35 | {{- end }} 36 | {{- end }} 37 | {{- end }} 38 | 39 | {{- define "revision" -}} 40 | {{- .Values.revision | replace "." "-" -}} 41 | {{- end -}} 42 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshgateway/templates/autoscale.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := .Values.deployment }} 2 | {{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} 3 | apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }} 4 | kind: HorizontalPodAutoscaler 5 | metadata: 6 | name: {{ $gateway.name }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{- include "deployment.labels" . 
| indent 4 }} 10 | spec: 11 | maxReplicas: {{ $gateway.autoscaleMax }} 12 | minReplicas: {{ $gateway.autoscaleMin }} 13 | scaleTargetRef: 14 | apiVersion: apps/v1 15 | kind: Deployment 16 | name: {{ $gateway.name }} 17 | metrics: 18 | - type: Resource 19 | resource: 20 | name: cpu 21 | target: 22 | type: Utilization 23 | averageUtilization: {{ $gateway.cpu.targetAverageUtilization }} 24 | --- 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshgateway/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if or (gt (.Values.deployment.podDisruptionBudget.minAvailable | int) 0) (gt (.Values.deployment.podDisruptionBudget.maxUnavailable | int) 0) }} 2 | {{- $gateway := .Values.deployment }} 3 | apiVersion: policy/v1 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: {{ $gateway.name }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{- include "deployment.labels" . | indent 4 }} 10 | spec: 11 | {{- if gt (.Values.deployment.podDisruptionBudget.minAvailable | int) 0 }} 12 | minAvailable: {{ .Values.deployment.podDisruptionBudget.minAvailable }} 13 | {{- end }} 14 | {{- if gt (.Values.deployment.podDisruptionBudget.maxUnavailable | int) 0 }} 15 | maxUnavailable: {{ .Values.deployment.podDisruptionBudget.maxUnavailable }} 16 | {{- end }} 17 | selector: 18 | matchLabels: 19 | {{- include "pod.labels" . | indent 6 }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshgateway/templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{- $gateway := .Values.deployment }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ $gateway.name }}-sds 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "deployment.labels" . 
| indent 4 }} 9 | rules: 10 | - apiGroups: [""] 11 | resources: ["secrets"] 12 | verbs: ["get", "watch", "list"] 13 | --- 14 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshgateway/templates/rolebindings.yaml: -------------------------------------------------------------------------------- 1 | {{- $gateway := .Values.deployment }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: {{ $gateway.name }}-sds 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "deployment.labels" . | indent 4 }} 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: Role 12 | name: {{ $gateway.name }}-sds 13 | subjects: 14 | - kind: ServiceAccount 15 | name: {{ $gateway.name }}-service-account 16 | --- 17 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshgateway/templates/service-ext.yaml: -------------------------------------------------------------------------------- 1 | {{- $gateway := .Values.deployment }} 2 | {{- $service := .Values.service -}} 3 | {{- if and .Values.externalService.addresses (eq $service.type "LoadBalancer") }} 4 | apiVersion: v1 5 | kind: Service 6 | metadata: 7 | name: {{ $gateway.name }}-external 8 | namespace: {{ .Release.Namespace }} 9 | labels: 10 | meshgateway.istio.servicemesh.cisco.com/external-service: "true" 11 | spec: 12 | type: ClusterIP 13 | clusterIP: None 14 | ports: 15 | {{- range $key, $val := $service.ports }} 16 | - 17 | {{- range $pkey, $pval := $val }} 18 | {{ $pkey}}: {{ $pval }} 19 | {{- end }} 20 | {{- end }} 21 | --- 22 | apiVersion: v1 23 | kind: Endpoints 24 | metadata: 25 | name: {{ $gateway.name }}-external 26 | namespace: {{ .Release.Namespace }} 27 | labels: 28 | meshgateway.istio.servicemesh.cisco.com/external-service: "true" 29 | subsets: 30 | - addresses: 31 | {{- range $val := .Values.externalService.addresses }} 32 | - ip: 
{{ $val }} 33 | {{- end }} 34 | ports: 35 | {{- range $key, $val := $service.ports }} 36 | - 37 | {{- range $pkey, $pval := $val }} 38 | {{ $pkey}}: {{ $pval }} 39 | {{- end }} 40 | {{- end }} 41 | --- 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshgateway/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{- $gateway := .Values.deployment }} 2 | {{- $service := .Values.service -}} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ $gateway.name }} 7 | namespace: {{ .Release.Namespace }} 8 | annotations: 9 | {{- range $key, $val := $service.metadata.annotations }} 10 | {{ $key }}: {{ $val | quote }} 11 | {{- end }} 12 | labels: 13 | {{- include "deployment.labels" . | indent 4 }} 14 | spec: 15 | {{- if $service.loadBalancerIP }} 16 | loadBalancerIP: "{{ $service.loadBalancerIP }}" 17 | {{- end }} 18 | {{- if $service.loadBalancerSourceRanges }} 19 | loadBalancerSourceRanges: 20 | {{ toYaml $service.loadBalancerSourceRanges | indent 4 }} 21 | {{- end }} 22 | {{- if $service.externalTrafficPolicy }} 23 | externalTrafficPolicy: {{ $service.externalTrafficPolicy }} 24 | {{- end }} 25 | type: {{ $service.type }} 26 | selector: 27 | {{- include "pod.labels" . 
| indent 4 }} 28 | ports: 29 | {{- range $key, $val := $service.ports }} 30 | - 31 | {{- range $pkey, $pval := $val }} 32 | {{ $pkey}}: {{ $pval }} 33 | {{- end }} 34 | {{- end }} 35 | --- 36 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshgateway/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- $gateway := .Values.deployment }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | {{ include "toYamlIf" (dict "value" .Values.global.imagePullSecrets "key" "imagePullSecrets") }} 5 | metadata: 6 | name: {{ $gateway.name }}-service-account 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{- include "deployment.labels" . | indent 4 }} 10 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-meshgateway/values.yaml: -------------------------------------------------------------------------------- 1 | # The injection template to use for the gateway. If not set, no injection will be performed. 2 | injectionTemplate: "gateway" 3 | 4 | # Revision is set as 'version' label and part of the resource names when installing multiple control planes. 
5 | revision: "default" 6 | 7 | type: ingress 8 | runAsRoot: true 9 | 10 | deployment: 11 | replicaCount: 1 12 | enablePrometheusMerge: true 13 | deploymentStrategy: 14 | type: RollingUpdate 15 | rollingUpdate: 16 | maxSurge: 100% 17 | maxUnavailable: 25% 18 | metadata: 19 | labels: {} 20 | annotations: {} 21 | env: {} 22 | cpu: 23 | targetAverageUtilization: 80 24 | affinity: {} 25 | nodeSelector: {} 26 | priorityClassName: "" 27 | resources: 28 | limits: 29 | cpu: "2" 30 | memory: 1Gi 31 | requests: 32 | cpu: 100m 33 | memory: 128Mi 34 | securityContext: 35 | runAsUser: 1337 36 | runAsGroup: 1337 37 | runAsNonRoot: true 38 | tolerations: [] 39 | volumeMounts: [] 40 | volumes: [] 41 | podDisruptionBudget: {} 42 | podMetadata: 43 | labels: {} 44 | annotations: {} 45 | topologySpreadConstraints: [] 46 | 47 | service: 48 | type: ClusterIP 49 | metadata: {} 50 | ports: [] 51 | selector: {} 52 | 53 | externalService: 54 | addresses: {} 55 | 56 | global: 57 | imagePullPolicy: "IfNotPresent" 58 | imagePullSecrets: [] 59 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-sidecar-injector/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-sidecar-injector 3 | version: 0.2.0 4 | tillerVersion: ">=2.7.2" 5 | description: Helm chart for deploying Istio sidecar injector 6 | keywords: 7 | - istio 8 | - sidecar-injector 9 | sources: 10 | - http://github.com/istio/istio 11 | engine: gotpl 12 | icon: https://istio.io/latest/favicons/android-192x192.png 13 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-sidecar-injector/templates/autoscale.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.deployment.autoscaleEnabled .Values.deployment.autoscaleMin .Values.deployment.autoscaleMax }} 2 | apiVersion: {{ ternary 
"autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }} 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "name-with-revision" ( dict "name" "istio-sidecar-injector" "context" $) }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "generic.labels" . | indent 4 }} 9 | spec: 10 | maxReplicas: {{ .Values.deployment.autoscaleMax }} 11 | minReplicas: {{ .Values.deployment.autoscaleMin }} 12 | scaleTargetRef: 13 | apiVersion: apps/v1 14 | kind: Deployment 15 | name: {{ include "name-with-revision" ( dict "name" "istio-sidecar-injector" "context" $) }} 16 | metrics: 17 | - type: Resource 18 | resource: 19 | name: cpu 20 | target: 21 | type: Utilization 22 | averageUtilization: {{ .Values.deployment.cpu.targetAverageUtilization }} 23 | --- 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-sidecar-injector/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-sidecar-injector" "context" $) }} 5 | labels: 6 | app: istio-sidecar-injector 7 | release: {{ .Release.Name }} 8 | rules: 9 | - apiGroups: [""] 10 | resources: ["configmaps"] 11 | verbs: ["get", "list", "watch"] 12 | - apiGroups: ["admissionregistration.k8s.io"] 13 | resources: ["mutatingwebhookconfigurations"] 14 | verbs: ["get", "list", "watch", "update", "patch"] 15 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-sidecar-injector/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: {{ include "name-with-namespaced-revision" ( dict 
"name" "istio-sidecar-injector" "context" $) }} 5 | labels: 6 | app: istio-sidecar-injector 7 | release: {{ .Release.Name }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: {{ include "name-with-namespaced-revision" ( dict "name" "istio-sidecar-injector" "context" $) }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: {{ include "name-with-revision" ( dict "name" "istio-sidecar-injector" "context" $) }} 15 | namespace: {{ .Release.Namespace }} 16 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-sidecar-injector/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if or (gt (.Values.deployment.podDisruptionBudget.minAvailable | int) 0) (gt (.Values.deployment.podDisruptionBudget.maxUnavailable | int) 0) }} 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ include "name-with-revision" ( dict "name" "istio-sidecar-injector" "context" $) }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "generic.labels" . | indent 4 }} 9 | spec: 10 | {{- if gt (.Values.deployment.podDisruptionBudget.minAvailable | int) 0 }} 11 | minAvailable: {{ .Values.deployment.podDisruptionBudget.minAvailable }} 12 | {{- end }} 13 | {{- if gt (.Values.deployment.podDisruptionBudget.maxUnavailable | int) 0 }} 14 | maxUnavailable: {{ .Values.deployment.podDisruptionBudget.maxUnavailable }} 15 | {{- end }} 16 | selector: 17 | matchLabels: 18 | {{- include "pod.labels" . 
| indent 6 }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-sidecar-injector/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "name-with-revision" ( dict "name" "istio-sidecar-injector" "context" $) }} 5 | namespace: {{ .Release.Namespace }} 6 | {{- include "toYamlIf" (dict "value" .Values.service.metadata.annotations "key" "annotations") | indent 8 }} 7 | labels: 8 | {{- include "generic.labels" . | indent 4 }} 9 | spec: 10 | {{- if .Values.service.loadBalancerIP }} 11 | loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" 12 | {{- end }} 13 | {{- if .Values.service.loadBalancerSourceRanges }} 14 | loadBalancerSourceRanges: 15 | {{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} 16 | {{- end }} 17 | {{- if .Values.service.externalTrafficPolicy }} 18 | externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} 19 | {{- end }} 20 | type: {{ .Values.service.type }} 21 | selector: 22 | {{- include "pod.labels" . | indent 4 }} 23 | ports: 24 | {{- range $key, $val := .Values.service.ports }} 25 | - 26 | {{- range $pkey, $pval := $val }} 27 | {{ $pkey}}: {{ $pval }} 28 | {{- end }} 29 | {{- end }} 30 | --- 31 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-sidecar-injector/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{- include "toYamlIf" (dict "value" .Values.global.imagePullSecrets "key" "imagePullSecrets") }} 4 | metadata: 5 | name: {{ include "name-with-revision" ( dict "name" "istio-sidecar-injector" "context" $) }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "generic.labels" . 
| indent 4 }} 9 | -------------------------------------------------------------------------------- /internal/assets/manifests/istio-sidecar-injector/values.yaml: -------------------------------------------------------------------------------- 1 | revision: "default" 2 | 3 | deployment: 4 | replicaCount: 1 5 | image: banzaicloud/istio-sidecar-injector:v1.10.4-bzc.1 6 | enablePrometheusMerge: true 7 | deploymentStrategy: 8 | type: RollingUpdate 9 | rollingUpdate: 10 | maxSurge: 100% 11 | maxUnavailable: 25% 12 | metadata: 13 | labels: {} 14 | annotations: {} 15 | env: {} 16 | cpu: 17 | targetAverageUtilization: 80 18 | affinity: {} 19 | nodeSelector: {} 20 | priorityClassName: "" 21 | resources: 22 | limits: 23 | cpu: "250m" 24 | memory: 256Mi 25 | requests: 26 | cpu: 100m 27 | memory: 128Mi 28 | securityContext: 29 | fsGroup: 1337 30 | runAsGroup: 1337 31 | runAsNonRoot: true 32 | runAsUser: 1337 33 | tolerations: [] 34 | topologySpreadConstraints: [] 35 | volumeMounts: [] 36 | volumes: [] 37 | podDisruptionBudget: {} 38 | podMetadata: 39 | labels: {} 40 | annotations: {} 41 | livenessProbe: 42 | exec: 43 | command: 44 | - /usr/local/bin/sidecar-injector 45 | - probe 46 | - --probe-path=/tmp/health 47 | - --interval=4s 48 | failureThreshold: 3 49 | initialDelaySeconds: 15 50 | periodSeconds: 4 51 | successThreshold: 1 52 | timeoutSeconds: 1 53 | name: sidecar-injector-webhook 54 | readinessProbe: 55 | exec: 56 | command: 57 | - /usr/local/bin/sidecar-injector 58 | - probe 59 | - --probe-path=/tmp/health 60 | - --interval=4s 61 | failureThreshold: 3 62 | initialDelaySeconds: 15 63 | periodSeconds: 4 64 | successThreshold: 1 65 | timeoutSeconds: 1 66 | 67 | service: 68 | type: ClusterIP 69 | metadata: {} 70 | ports: 71 | - name: https-inject 72 | port: 443 73 | targetPort: 9443 74 | protocol: TCP 75 | - name: http-monitoring 76 | port: 15014 77 | targetPort: 15014 78 | protocol: TCP 79 | selector: {} 80 | 81 | global: 82 | distribution: official 83 | hub: 
gcr.io/istio-testing 84 | tag: latest 85 | imagePullPolicy: "" 86 | imagePullSecrets: [] 87 | clusterDomain: "cluster.local" 88 | jwtPolicy: "third-party-jwt" 89 | sds: 90 | token: 91 | aud: istio-ca 92 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-resource-sync-rule 3 | version: 1.1.0 4 | description: Helm chart for resource sync rule components for Istio 5 | keywords: 6 | - istio 7 | - resource-sync-rule 8 | engine: gotpl 9 | icon: https://istio.io/latest/favicons/android-192x192.png 10 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "revision" -}} 2 | {{- default "default" (.Values.revision | replace "." "-") -}} 3 | {{- end -}} 4 | 5 | {{- define "namespaced-revision" -}} 6 | {{- $revision := (include "revision" .) -}} 7 | {{- if eq $revision "default" -}} 8 | {{- printf "%s" $revision -}} 9 | {{- else -}} 10 | {{- printf "%s.%s" $revision .Release.Namespace -}} 11 | {{- end -}} 12 | {{- end -}} 13 | 14 | {{- define "name-with-revision" -}} 15 | {{- if .context.Values.revision -}} 16 | {{- printf "%s-%s" .name (include "revision" .context) -}} 17 | {{- else -}} 18 | {{- .name -}} 19 | {{- end -}} 20 | {{- end -}} 21 | 22 | {{- define "name-with-namespaced-revision" -}} 23 | {{- if .context.Values.revision -}} 24 | {{- printf "%s-%s" (include "name-with-revision" .) 
.context.Release.Namespace -}} 25 | {{- else -}} 26 | {{- .name -}} 27 | {{- end -}} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/istio-ca-root-cert-cluster-feature.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "ACTIVE" }} 2 | apiVersion: clusterregistry.k8s.cisco.com/v1alpha1 3 | kind: ClusterFeature 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-ca-root-cert-source" "context" $) }} 6 | labels: 7 | release: {{ .Release.Name }} 8 | istio.io/rev: {{ include "namespaced-revision" . }} 9 | spec: 10 | featureName: "istio.servicemesh.cisco.com/ca-root-cert-source" 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/istio-ca-root-cert-controller-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "PASSIVE" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-ca-root-cert-controller" "context" $) }} 6 | labels: 7 | cluster-registry.k8s.cisco.com/controller-aggregated: "true" 8 | release: {{ .Release.Name }} 9 | rules: 10 | - apiGroups: 11 | - "" 12 | resources: 13 | - configmaps 14 | verbs: 15 | - create 16 | - update 17 | - delete 18 | - patch 19 | - get 20 | - list 21 | - watch 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/istio-ca-root-cert-reader-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "name-with-revision" (dict "name" 
"istio-ca-root-cert-reader" "context" $) }} 5 | labels: 6 | cluster-registry.k8s.cisco.com/reader-aggregated: "true" 7 | release: {{ .Release.Name }} 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - configmaps 13 | verbs: 14 | - get 15 | - list 16 | - watch 17 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/istio-ca-root-cert-resource-sync-rule.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "PASSIVE" }} 2 | apiVersion: clusterregistry.k8s.cisco.com/v1alpha1 3 | kind: ResourceSyncRule 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-ca-root-cert-sink" "context" $) }} 6 | annotations: 7 | cluster-registry.k8s.cisco.com/resource-sync-disabled: "true" 8 | labels: 9 | release: {{ .Release.Name }} 10 | spec: 11 | clusterFeatureMatch: 12 | - featureName: "istio.servicemesh.cisco.com/ca-root-cert-source" 13 | matchLabels: 14 | istio.io/rev: {{ include "namespaced-revision" . 
}} 15 | groupVersionKind: 16 | kind: ConfigMap 17 | version: v1 18 | rules: 19 | - match: 20 | - objectKey: 21 | {{- if eq .Values.distribution "cisco" }} 22 | name: {{ include "name-with-revision" (dict "name" "istio-ca-root-cert" "context" $) }} 23 | {{- else }} 24 | name: istio-ca-root-cert 25 | {{- end }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/istio-custom-resources-cluster-feature.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "ACTIVE" }} 2 | apiVersion: clusterregistry.k8s.cisco.com/v1alpha1 3 | kind: ClusterFeature 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-custom-resources-source" "context" $) }} 6 | labels: 7 | release: {{ .Release.Name }} 8 | istio.io/rev: {{ include "namespaced-revision" . }} 9 | spec: 10 | featureName: "istio.servicemesh.cisco.com/custom-resources-source" 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/istio-custom-resources-controller-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "ACTIVE" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-custom-resources-controller" "context" $) }} 6 | labels: 7 | cluster-registry.k8s.cisco.com/controller-aggregated: "true" 8 | release: {{ .Release.Name }} 9 | rules: 10 | - apiGroups: 11 | - networking.istio.io 12 | - telemetry.istio.io 13 | - security.istio.io 14 | resources: [ "*" ] 15 | verbs: 16 | - create 17 | - update 18 | - delete 19 | - patch 20 | - get 21 | - list 22 | - watch 23 | {{- end }} 24 | -------------------------------------------------------------------------------- 
/internal/assets/manifests/resource-sync-rule/templates/istio-custom-resources-reader-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "ACTIVE" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-custom-resources-reader" "context" $) }} 6 | labels: 7 | cluster-registry.k8s.cisco.com/reader-aggregated: "true" 8 | release: {{ .Release.Name }} 9 | rules: 10 | - apiGroups: 11 | - networking.istio.io 12 | - telemetry.istio.io 13 | - security.istio.io 14 | resources: [ "*" ] 15 | verbs: 16 | - get 17 | - list 18 | - watch 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/istio-multi-cluster-secret-cluster-feature.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: clusterregistry.k8s.cisco.com/v1alpha1 2 | kind: ClusterFeature 3 | metadata: 4 | name: {{ include "name-with-revision" (dict "name" "istio-multi-cluster-secret-source" "context" $) }} 5 | labels: 6 | release: {{ .Release.Name }} 7 | istio.io/rev: {{ include "namespaced-revision" . 
}} 8 | spec: 9 | featureName: "istio.servicemesh.cisco.com/multi-cluster-secret-source" 10 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/istio-multi-cluster-secret-resource-sync-rule.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "ACTIVE" }} 2 | apiVersion: clusterregistry.k8s.cisco.com/v1alpha1 3 | kind: ResourceSyncRule 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-multi-cluster-secret-sink" "context" $) }} 6 | annotations: 7 | cluster-registry.k8s.cisco.com/resource-sync-disabled: "true" 8 | labels: 9 | release: {{ .Release.Name }} 10 | spec: 11 | clusterFeatureMatch: 12 | - featureName: "istio.servicemesh.cisco.com/multi-cluster-secret-source" 13 | matchLabels: 14 | istio.io/rev: {{ include "namespaced-revision" . }} 15 | groupVersionKind: 16 | kind: Secret 17 | version: v1 18 | rules: 19 | - match: 20 | - labels: 21 | - matchLabels: 22 | istio.io/rev: {{ include "namespaced-revision" . }} 23 | content: 24 | - key: type 25 | value: k8s.cisco.com/istio-reader-secret 26 | mutations: 27 | labels: 28 | add: 29 | istio/multiCluster: "true" 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/mesh-cluster-feature.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "ACTIVE" }} 2 | apiVersion: clusterregistry.k8s.cisco.com/v1alpha1 3 | kind: ClusterFeature 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-mesh-source" "context" $) }} 6 | labels: 7 | release: {{ .Release.Name }} 8 | istio.io/rev: {{ include "namespaced-revision" . 
}} 9 | spec: 10 | featureName: "istio.servicemesh.cisco.com/mesh-source" 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/mesh-controller-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "PASSIVE" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-mesh-controller" "context" $) }} 6 | labels: 7 | cluster-registry.k8s.cisco.com/controller-aggregated: "true" 8 | release: {{ .Release.Name }} 9 | rules: 10 | - apiGroups: ["servicemesh.cisco.com"] 11 | resources: 12 | - istiomeshes 13 | verbs: 14 | - create 15 | - update 16 | - delete 17 | - patch 18 | - get 19 | - list 20 | - watch 21 | - apiGroups: ["servicemesh.cisco.com"] 22 | resources: 23 | - istiomeshes/status 24 | verbs: 25 | - get 26 | - update 27 | - patch 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/mesh-reader-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "name-with-revision" (dict "name" "istio-mesh-reader" "context" $) }} 5 | labels: 6 | cluster-registry.k8s.cisco.com/reader-aggregated: "true" 7 | release: {{ .Release.Name }} 8 | rules: 9 | - apiGroups: ["servicemesh.cisco.com"] 10 | resources: 11 | - istiomeshes 12 | verbs: 13 | - get 14 | - list 15 | - watch 16 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/mesh-resource-sync-rule.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "PASSIVE" }} 2 | apiVersion: 
clusterregistry.k8s.cisco.com/v1alpha1 3 | kind: ResourceSyncRule 4 | metadata: 5 | name: {{ include "name-with-revision" (dict "name" "istio-mesh-sink" "context" $) }} 6 | annotations: 7 | cluster-registry.k8s.cisco.com/resource-sync-disabled: "true" 8 | labels: 9 | release: {{ .Release.Name }} 10 | spec: 11 | clusterFeatureMatch: 12 | - featureName: "istio.servicemesh.cisco.com/mesh-source" 13 | matchLabels: 14 | istio.io/rev: {{ include "namespaced-revision" . }} 15 | groupVersionKind: 16 | group: servicemesh.cisco.com 17 | kind: IstioMesh 18 | version: v1alpha1 19 | rules: 20 | - match: 21 | - objectKey: 22 | name: {{ .Values.meshID }} 23 | namespace: {{ .Release.Namespace }} 24 | syncStatus: true 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/peer-istio-control-plane-cluster-feature.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: clusterregistry.k8s.cisco.com/v1alpha1 2 | kind: ClusterFeature 3 | metadata: 4 | name: {{ include "name-with-revision" (dict "name" "istio-peeristiocontrolplane-source" "context" $) }} 5 | labels: 6 | release: {{ .Release.Name }} 7 | istio.io/rev: {{ include "namespaced-revision" . 
}} 8 | spec: 9 | featureName: "istio.servicemesh.cisco.com/peeristiocontrolplane-source" 10 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/peer-istio-control-plane-controller-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "name-with-revision" (dict "name" "istio-peeristiocontrolplane-controller" "context" $) }} 5 | labels: 6 | cluster-registry.k8s.cisco.com/controller-aggregated: "true" 7 | release: {{ .Release.Name }} 8 | rules: 9 | - apiGroups: ["servicemesh.cisco.com"] 10 | resources: 11 | - istiocontrolplanes 12 | - peeristiocontrolplanes 13 | verbs: 14 | - create 15 | - update 16 | - delete 17 | - patch 18 | - get 19 | - list 20 | - watch 21 | - apiGroups: ["servicemesh.cisco.com"] 22 | resources: 23 | - istiocontrolplanes/status 24 | - peeristiocontrolplanes/status 25 | verbs: 26 | - get 27 | - update 28 | - patch 29 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/peer-istio-control-plane-reader-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "name-with-revision" (dict "name" "istio-peeristiocontrolplane-reader" "context" $) }} 5 | labels: 6 | cluster-registry.k8s.cisco.com/reader-aggregated: "true" 7 | release: {{ .Release.Name }} 8 | rules: 9 | - apiGroups: ["servicemesh.cisco.com"] 10 | resources: 11 | - istiocontrolplanes 12 | verbs: 13 | - get 14 | - list 15 | - watch 16 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/templates/peer-istio-control-plane-resource-sync-rule.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: clusterregistry.k8s.cisco.com/v1alpha1 2 | kind: ResourceSyncRule 3 | metadata: 4 | name: {{ include "name-with-revision" (dict "name" "istio-peeristiocontrolplane-sink" "context" $) }} 5 | annotations: 6 | cluster-registry.k8s.cisco.com/resource-sync-disabled: "true" 7 | labels: 8 | release: {{ .Release.Name }} 9 | spec: 10 | clusterFeatureMatch: 11 | - featureName: "istio.servicemesh.cisco.com/peeristiocontrolplane-source" 12 | matchLabels: 13 | istio.io/rev: {{ include "namespaced-revision" . }} 14 | groupVersionKind: 15 | group: servicemesh.cisco.com 16 | kind: IstioControlPlane 17 | version: v1alpha1 18 | rules: 19 | - match: 20 | - objectKey: 21 | name: {{ .Values.revision }} 22 | namespace: {{ .Release.Namespace }} 23 | mutations: 24 | groupVersionKind: 25 | kind: PeerIstioControlPlane 26 | overrides: 27 | - parseValue: false 28 | path: /metadata/name 29 | type: replace 30 | value: {{`'{{ printf "%s-%s" .Object.GetName .Cluster.GetName }}'`}} 31 | syncStatus: true 32 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/values.yaml: -------------------------------------------------------------------------------- 1 | revision: "" 2 | mode: ACTIVE 3 | distribution: official 4 | meshID: "" 5 | -------------------------------------------------------------------------------- /internal/assets/manifests/resource-sync-rule/values.yaml.tpl: -------------------------------------------------------------------------------- 1 | {{ valueIf (dict "key" "revision" "value" .Name) }} 2 | {{- if .GetSpec.GetMode }} 3 | mode: {{ .GetSpec.GetMode | toString }} 4 | {{- end }} 5 | {{ valueIf (dict "key" "distribution" "value" .GetSpec.GetDistribution) }} 6 | {{ valueIf (dict "key" "meshID" "value" .GetSpec.GetMeshID) }} 7 | -------------------------------------------------------------------------------- 
/internal/components/base/testdata/icp-expected-values.yaml: -------------------------------------------------------------------------------- 1 | base: 2 | enableCRDTemplates: false 3 | enableIstioConfigCRDs: true 4 | global: 5 | configValidation: true 6 | externalIstiod: false 7 | imagePullSecrets: [] 8 | istioNamespace: istio-system 9 | istiod: 10 | enableAnalysis: false 11 | revision: cp-v117x 12 | -------------------------------------------------------------------------------- /internal/components/base/testdata/icp-test-cr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioControlPlane 3 | metadata: 4 | name: cp-v117x 5 | namespace: istio-system 6 | spec: 7 | version: "1.17.8" 8 | mode: ACTIVE 9 | -------------------------------------------------------------------------------- /internal/components/discovery/testdata/icp-passive-expected-values.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | istioNamespace: istio-system 3 | meshID: mesh1 4 | mode: PASSIVE 5 | multiCluster: 6 | clusterName: demo-cluster2 7 | network: network1 8 | caName: Citadel 9 | proxy: 10 | tracer: zipkin 11 | meshConfig: 12 | connectTimeout: 5s 13 | rootNamespace: istio-system 14 | revision: cp-v117x 15 | sidecarInjectorWebhook: 16 | defaultTemplates: 17 | - sidecar 18 | - sidecarOverrides 19 | templates: 20 | custom1: | 21 | spec: 22 | containers: 23 | - name: istio-proxy 24 | env: 25 | - name: TEMPLATE 26 | value: custom-passive1 27 | custom2: | 28 | spec: 29 | containers: 30 | - name: istio-proxy 31 | env: 32 | - name: TEMPLATE 33 | value: custom-passive2 34 | gatewayOverrides: | 35 | spec: 36 | containers: 37 | - name: istio-proxy 38 | env: 39 | - name: TEMPLATE 40 | value: gateway-passive 41 | sidecarOverrides: | 42 | spec: 43 | containers: 44 | - name: istio-proxy 45 | env: 46 | - name: TEMPLATE 47 | value: sidecar-passive 48 | 
-------------------------------------------------------------------------------- /internal/components/discovery/testdata/icp-passive-test-cr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioControlPlane 3 | metadata: 4 | name: cp-v117x 5 | namespace: istio-system 6 | spec: 7 | sidecarInjector: 8 | templates: 9 | sidecar: | 10 | spec: 11 | containers: 12 | - name: istio-proxy 13 | env: 14 | - name: TEMPLATE 15 | value: sidecar-passive 16 | gateway: | 17 | spec: 18 | containers: 19 | - name: istio-proxy 20 | env: 21 | - name: TEMPLATE 22 | value: gateway-passive 23 | customTemplates: 24 | - name: custom1 25 | template: | 26 | spec: 27 | containers: 28 | - name: istio-proxy 29 | env: 30 | - name: TEMPLATE 31 | value: custom-passive1 32 | - name: custom2 33 | template: | 34 | spec: 35 | containers: 36 | - name: istio-proxy 37 | env: 38 | - name: TEMPLATE 39 | value: custom-passive2 40 | meshID: mesh1 41 | clusterID: demo-cluster2 42 | version: "1.17.8" 43 | mode: PASSIVE 44 | networkName: network1 45 | caProvider: Citadel 46 | -------------------------------------------------------------------------------- /internal/components/istiomeshgateway/testdata/icp-test-cr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioControlPlane 3 | metadata: 4 | name: cp-v117x 5 | namespace: istio-system 6 | spec: 7 | meshID: mesh1 8 | clusterID: demo-cluster1 9 | version: "1.17.8" 10 | mode: ACTIVE 11 | containerImageConfiguration: 12 | hub: gcr.io/istio-testing 13 | tag: latest 14 | imagePullPolicy: Always 15 | imagePullSecrets: 16 | - name: pullsecret-1 17 | - name: pullsecret-2 18 | -------------------------------------------------------------------------------- /internal/components/meshexpansion/testdata/icp-test-cr.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioControlPlane 3 | metadata: 4 | name: cp-v117x 5 | namespace: istio-system 6 | spec: 7 | version: "1.17.8" 8 | mode: ACTIVE 9 | networkName: network-bogus 10 | distribution: cisco 11 | meshExpansion: 12 | enabled: true 13 | istiod: 14 | expose: true 15 | webhook: 16 | expose: true 17 | clusterServices: 18 | expose: true 19 | gateway: 20 | metadata: 21 | labels: 22 | imgw-label: labelvalue 23 | annotations: 24 | imgw-annotation: annotationvalue 25 | runAsRoot: true 26 | service: 27 | ports: 28 | - name: tcp-smt 29 | port: 56000 30 | protocol: TCP 31 | targetPort: 56000 32 | type: ClusterIP 33 | deployment: 34 | env: 35 | - name: ISTIO_BOGUS_ENV 36 | value: "true" 37 | metadata: 38 | annotations: 39 | deploymentannotation: value 40 | -------------------------------------------------------------------------------- /internal/components/meshexpansion/testdata/mex-expected-values.yaml: -------------------------------------------------------------------------------- 1 | revision: cp-v117x 2 | network: network-bogus 3 | distribution: cisco 4 | exposeClusterServices: true 5 | exposeIstiod: true 6 | exposeWebhook: true 7 | deployment: 8 | metadata: 9 | annotations: 10 | deploymentannotation: value 11 | env: 12 | - name: ISTIO_BOGUS_ENV 13 | value: "true" 14 | metadata: 15 | annotations: 16 | imgw-annotation: annotationvalue 17 | labels: 18 | imgw-label: labelvalue 19 | runAsRoot: true 20 | service: 21 | type: ClusterIP 22 | ports: 23 | - name: tcp-smt 24 | port: 56000 25 | protocol: TCP 26 | targetPort: 56000 27 | mode: ACTIVE 28 | -------------------------------------------------------------------------------- /internal/components/resourcesyncrule/testdata/icp-active-test-cr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioControlPlane 
3 | metadata: 4 | name: cp-v117x 5 | namespace: istio-system 6 | spec: 7 | version: "1.17.8" 8 | mode: ACTIVE 9 | distribution: cisco 10 | meshID: mesh1 11 | -------------------------------------------------------------------------------- /internal/components/resourcesyncrule/testdata/icp-passive-test-cr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: servicemesh.cisco.com/v1alpha1 2 | kind: IstioControlPlane 3 | metadata: 4 | name: cp-v117x 5 | namespace: istio-system 6 | spec: 7 | version: "1.17.8" 8 | mode: PASSIVE 9 | distribution: cisco 10 | meshID: mesh1 11 | -------------------------------------------------------------------------------- /internal/components/resourcesyncrule/testdata/rsr-expected-active-values.yaml: -------------------------------------------------------------------------------- 1 | revision: cp-v117x 2 | mode: ACTIVE 3 | distribution: cisco 4 | meshID: mesh1 5 | -------------------------------------------------------------------------------- /internal/components/resourcesyncrule/testdata/rsr-expected-passive-values.yaml: -------------------------------------------------------------------------------- 1 | revision: cp-v117x 2 | mode: PASSIVE 3 | distribution: cisco 4 | meshID: mesh1 5 | -------------------------------------------------------------------------------- /internal/components/sidecarinjector/testdata/icp-expected-values.yaml: -------------------------------------------------------------------------------- 1 | revision: cp-v117x 2 | deployment: 3 | image: banzaicloud/istio-sidecar-injector:v1.17.8-bzc.0 4 | metadata: 5 | annotations: 6 | daemonset-annotation: value 7 | labels: 8 | daemonset-label: value 9 | podMetadata: 10 | annotations: 11 | podannotation: podannotationvalue 12 | labels: 13 | podlabel: podlabelvalue 14 | deploymentStrategy: 15 | type: RollingUpdate 16 | rollingUpdate: 17 | maxUnavailable: 1 18 | env: 19 | - name: CNI_ENV_NAME 20 | value: "true" 21 | - name: 
CNI_ANOTHER_ENV_NAME 22 | value: "standard" 23 | cpu: 24 | targetAverageUtilization: 80 25 | nodeSelector: 26 | disktype: ssd 27 | affinity: 28 | nodeAffinity: 29 | requiredDuringSchedulingIgnoredDuringExecution: 30 | nodeSelectorTerms: 31 | - matchExpressions: 32 | - key: kubernetes.io/e2e-az-name 33 | operator: In 34 | values: 35 | - e2e-az1 36 | - e2e-az2 37 | podAffinity: 38 | requiredDuringSchedulingIgnoredDuringExecution: 39 | - labelSelector: 40 | matchExpressions: 41 | - key: security 42 | operator: In 43 | values: 44 | - S1 45 | topologyKey: topology.kubernetes.io/zone 46 | tolerations: 47 | - key: key1 48 | effect: NoSchedule 49 | operator: Equal 50 | tolerationSeconds: 5 51 | value: value1 52 | volumes: 53 | - name: dddemo 54 | secret: 55 | optional: true 56 | secretName: ssname 57 | - name: config-vol 58 | configMap: 59 | name: log-config 60 | items: 61 | - key: log_level 62 | path: log_level 63 | volumeMounts: 64 | - name: config-vol 65 | mountPath: /etc/config 66 | resources: 67 | limits: 68 | cpu: "3" 69 | memory: 2Gi 70 | requests: 71 | cpu: 100m 72 | memory: 128Mi 73 | securityContext: 74 | runAsGroup: 1337 75 | runAsNonRoot: true 76 | runAsUser: 1337 77 | priorityClassName: system-node-critical 78 | readinessProbe: 79 | exec: 80 | command: 81 | - /usr/local/bin/sidecar-injector 82 | - probe 83 | - --probe-path=/tmp/health 84 | - --interval=4s 85 | failureThreshold: 3 86 | initialDelaySeconds: 4 87 | periodSeconds: 4 88 | successThreshold: 1 89 | timeoutSeconds: 1 90 | global: 91 | distribution: cisco 92 | hub: gcr.io/istio-testing 93 | tag: latest 94 | imagePullPolicy: Always 95 | imagePullSecrets: 96 | - name: pullsecret-1 97 | - name: pullsecret-2 98 | -------------------------------------------------------------------------------- /internal/models/cluster_registry.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates. 
// /internal/models/cluster_registry.go

// ClusterRegistryConfiguration contains the settings to cooperate with the cluster registry APIs
type ClusterRegistryConfiguration struct {
	// ClusterAPI holds the settings for the cluster registry Cluster API integration.
	ClusterAPI ClusterAPIConfiguration `json:"clusterApi,omitempty"`
	// ResourceSyncRules holds the settings for the cluster registry ResourceSyncRule integration.
	ResourceSyncRules ResourceSyncRulesConfiguration `json:"resourceSyncRules,omitempty"`
}

// ClusterAPIConfiguration groups the cluster API related settings.
type ClusterAPIConfiguration struct {
	// Enabled switches the integration on or off. Because of `omitempty`, a false
	// value is dropped from the serialized form.
	Enabled bool `json:"enabled,omitempty"`
}

// ResourceSyncRulesConfiguration groups the resource sync rule related settings.
type ResourceSyncRulesConfiguration struct {
	// Enabled switches the integration on or off. Because of `omitempty`, a false
	// value is dropped from the serialized form.
	Enabled bool `json:"enabled,omitempty"`
}
// /internal/util/util_test.go

//go:embed testdata/test_istiocontrolplane.yaml
var icpFile []byte

//go:embed testdata/test_values.yaml.tmpl
var valuesFS embed.FS

//go:embed testdata/expected_values.yaml
var expectedValuesFile []byte

// TestTransformICPSpecToStriMapWithTemplate renders the embedded IstioControlPlane
// fixture through the embedded values template and compares the resulting map with
// the embedded expected-values document. Any fixture that fails to parse aborts the
// test; a rendering mismatch is reported as a pretty-printed diff.
func TestTransformICPSpecToStriMapWithTemplate(t *testing.T) {
	t.Parallel()

	var icp *v1alpha1.IstioControlPlane
	if err := yaml.Unmarshal(icpFile, &icp); err != nil {
		t.Fatal(err)
	}

	var want map[string]interface{}
	if err := yaml.Unmarshal(expectedValuesFile, &want); err != nil {
		t.Fatal(err)
	}

	got, err := util.TransformStructToStriMapWithTemplate(icp, valuesFS, "testdata/test_values.yaml.tmpl")
	if err != nil {
		t.Fatal(err)
	}

	if diff := pretty.Compare(got, want); diff != "" {
		t.Errorf("diff: (-got +want)\n%s", diff)
	}
}
// /pkg/k8sutil/cluster.go

// GetLocalCluster returns the single cluster-registry Cluster CR whose status type is
// ClusterTypeLocal. It fails when the list call fails, when no local Cluster exists,
// or when more than one does.
//
// On the "multiple local clusters" error path the first match found so far is
// returned together with the error; callers should treat a non-nil error as
// authoritative and not use the cluster value.
func GetLocalCluster(ctx context.Context, kubeClient client.Client) (*clusterregistryv1alpha1.Cluster, error) {
	var local *clusterregistryv1alpha1.Cluster

	list := &clusterregistryv1alpha1.ClusterList{}
	if err := kubeClient.List(ctx, list); err != nil {
		return local, errors.WithStackIf(err)
	}

	matches := 0
	for i := range list.Items {
		if list.Items[i].Status.Type != clusterregistryv1alpha1.ClusterTypeLocal {
			continue
		}

		matches++
		if matches > 1 {
			return local, errors.WithStackIf(errors.New("multiple local Cluster CR found, there should only be one"))
		}

		// Copy the item so the returned pointer does not alias the list's backing array.
		found := list.Items[i]
		local = &found
	}

	if matches == 0 {
		return local, errors.WithStackIf(errors.New("no local Cluster CR found, either there should be one or cluster-registry-api-enabled arg should be set to false"))
	}

	return local, nil
}
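// /pkg/k8sutil/endpoints.go

// CreateK8sEndpoints builds an in-memory core/v1 Endpoints object called name in
// namespace, with a single subset holding the given addresses and ports. Nothing is
// sent to the API server; the caller creates or updates the object.
//
// NOTE(review): core/v1 Endpoints is the legacy endpoints API; newer clusters favour
// EndpointSlice. Kept here because the callers in this package consume Endpoints.
func CreateK8sEndpoints(name string, namespace string, addresses []corev1.EndpointAddress, ports []corev1.EndpointPort) *corev1.Endpoints {
	subset := corev1.EndpointSubset{
		Addresses: addresses,
		Ports:     ports,
	}

	return &corev1.Endpoints{
		TypeMeta: metav1.TypeMeta{
			Kind:       "Endpoints",
			APIVersion: corev1.SchemeGroupVersion.String(),
		},
		ObjectMeta: metav1.ObjectMeta{
			Name:      name,
			Namespace: namespace,
		},
		Subsets: []corev1.EndpointSubset{subset},
	}
}

// GetEndpoints fetches the Endpoints object name/namespace through kubeClient.
// On failure the empty (but non-nil) Endpoints is returned together with the wrapped
// error, so callers must check err before using the result.
func GetEndpoints(ctx context.Context, kubeClient client.Client, name string, namespace string) (*corev1.Endpoints, error) {
	endpoints := &corev1.Endpoints{}
	key := types.NamespacedName{Name: name, Namespace: namespace}

	if err := kubeClient.Get(ctx, key, endpoints); err != nil {
		return endpoints, errors.WithStackIf(err)
	}

	return endpoints, nil
}

// GetIPsForEndpoints flattens the IP of every address in every subset of endpoints
// into one slice, preserving subset and address order. A nil endpoints yields nil
// instead of a nil-pointer panic; an Endpoints without addresses also yields nil.
func GetIPsForEndpoints(endpoints *corev1.Endpoints) []string {
	if endpoints == nil {
		return nil
	}

	var ips []string
	for _, subset := range endpoints.Subsets {
		for _, address := range subset.Addresses {
			ips = append(ips, address.IP)
		}
	}

	return ips
}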
// /pkg/k8sutil/istiod_endpoints.go

// GetIstiodEndpointAddresses lists the PeerIstioControlPlane CRs in namespace and
// collects, for every peer that belongs to the control plane icpName and runs in
// ACTIVE mode, the addresses through which its istiod is reachable. Peers on the same
// network (icpNetworkName) contribute their istiod addresses directly; peers on a
// different network contribute their gateway addresses instead.
//
// Addresses are copied verbatim from the peer status into EndpointAddress values; no
// IP validation happens here. NOTE(review): the peer status appears to be populated by
// the ResourceSyncRule-based sync from remote clusters — confirm what validation the
// sync path applies before relying on these values anywhere besides the Endpoints
// object (which the API server validates on write).
func GetIstiodEndpointAddresses(ctx context.Context, kubeClient client.Client, icpName string, icpNetworkName string, namespace string) ([]corev1.EndpointAddress, error) {
	var result []corev1.EndpointAddress

	peers := &servicemeshv1alpha1.PeerIstioControlPlaneList{}
	if err := kubeClient.List(ctx, peers, client.InNamespace(namespace)); err != nil {
		return result, errors.WithStackIf(err)
	}

	for _, peer := range peers.Items {
		status := peer.GetStatus()
		if status.IstioControlPlaneName != icpName {
			continue
		}
		if peer.Spec.GetMode() != servicemeshv1alpha1.ModeType_ACTIVE {
			continue
		}

		// Same network: istiod is reachable directly.
		if peer.Spec.GetNetworkName() == icpNetworkName {
			for _, address := range status.IstiodAddresses {
				result = append(result, corev1.EndpointAddress{IP: address})
			}
			continue
		}

		// Different network: traffic has to go through the peer's gateway.
		for _, address := range status.GatewayAddress {
			result = append(result, corev1.EndpointAddress{IP: address})
		}
	}

	return result, nil
}

// GetIstiodEndpointPorts resolves the Service serviceName/serviceNamespace via
// GetService and converts each of its ports into an EndpointPort, carrying over name,
// port, protocol and appProtocol. On lookup failure the empty, non-nil slice is
// returned together with the wrapped error.
func GetIstiodEndpointPorts(ctx context.Context, kubeClient client.Client, serviceName string, serviceNamespace string) ([]corev1.EndpointPort, error) {
	ports := []corev1.EndpointPort{}

	svc, err := GetService(ctx, kubeClient, serviceName, serviceNamespace)
	if err != nil {
		return ports, errors.WithStackIf(err)
	}

	for _, p := range svc.Spec.Ports {
		ports = append(ports, corev1.EndpointPort{
			Name:        p.Name,
			Port:        p.Port,
			Protocol:    p.Protocol,
			AppProtocol: p.AppProtocol,
		})
	}

	return ports, nil
}
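// /pkg/k8sutil/jwtpolicy.go

// DetectSupportedJWTPolicy probes the API server's discovery information to decide
// which service account token flavour the cluster can issue.
//
// If discovery advertises the "serviceaccounts/token" subresource (the TokenRequest
// API, which mints short-lived, audience-bound tokens) the result is THIRD_PARTY_JWT;
// otherwise FIRST_PARTY_JWT, i.e. the legacy long-lived secret-based tokens.
// UNSPECIFIED is returned together with the error when discovery cannot be completed.
//
// ServerGroupsAndResources can return a partial result together with an
// ErrGroupDiscoveryFailed when one or more (typically aggregated) API groups are
// unreachable. That must not abort detection, because the subresource we look for
// lives in the core group, which the API server serves itself; such an error is only
// fatal when the core group is missing from the partial result, since then the
// absence of the subresource proves nothing and silently downgrading to
// FIRST_PARTY_JWT would weaken token security.
func DetectSupportedJWTPolicy(k8sConfig *rest.Config) (servicemeshv1alpha1.JWTPolicyType, error) {
	d, err := discovery.NewDiscoveryClientForConfig(k8sConfig)
	if err != nil {
		return servicemeshv1alpha1.JWTPolicyType_JWTPolicyType_UNSPECIFIED, err
	}

	_, resourceLists, err := d.ServerGroupsAndResources()
	if err != nil && !discovery.IsGroupDiscoveryFailedError(err) {
		return servicemeshv1alpha1.JWTPolicyType_JWTPolicyType_UNSPECIFIED, err
	}

	coreSeen := false
	for _, list := range resourceLists {
		// The core group is advertised with the bare version "v1" as its GroupVersion.
		if list.GroupVersion == "v1" {
			coreSeen = true
		}
		for _, api := range list.APIResources {
			if api.Name == "serviceaccounts/token" {
				return servicemeshv1alpha1.JWTPolicyType_THIRD_PARTY_JWT, nil
			}
		}
	}

	if err != nil && !coreSeen {
		// Partial discovery without the core group: report the failure instead of
		// guessing the weaker policy.
		return servicemeshv1alpha1.JWTPolicyType_JWTPolicyType_UNSPECIFIED, err
	}

	return servicemeshv1alpha1.JWTPolicyType_FIRST_PARTY_JWT, nil
}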
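// /pkg/k8sutil/managedbylabels.go

// SetManagedByLabel records owner under the types.ManagedByLabel key on obj, merging
// it into the labels already present. A nil label map is replaced with an empty one
// first — the same guard SetResourceRevisionLabel in this package uses — so the call
// is safe on freshly constructed objects regardless of how MergeStringMaps treats nil.
func SetManagedByLabel(obj client.Object, owner string) {
	labels := obj.GetLabels()
	if labels == nil {
		labels = make(map[string]string)
	}

	obj.SetLabels(util.MergeStringMaps(labels, map[string]string{
		types.ManagedByLabel: owner,
	}))
}

// GetManagedByLabel returns the value of the managed-by label on obj, or "" when the
// label is absent (reading from a nil map is a valid no-op in Go).
func GetManagedByLabel(obj client.Object) string {
	return obj.GetLabels()[types.ManagedByLabel]
}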
// /pkg/k8sutil/metadata.go

// SetICPMetadataOnObject marks object as owned by icp and stamps it with the control
// plane's revision labels.
//
// The single owner reference is set as the controlling owner with blockOwnerDeletion,
// so Kubernetes garbage collection treats object as a dependent of icp. Both
// SetOwnerReferences and SetLabels assign whole values: any owner references or labels
// previously present on object are replaced, not merged.
func SetICPMetadataOnObject(object metav1.Object, icp *v1alpha1.IstioControlPlane) {
	gvk := icp.GroupVersionKind()

	ownerRef := metav1.OwnerReference{
		APIVersion:         gvk.GroupVersion().String(),
		Kind:               gvk.Kind,
		Name:               icp.GetName(),
		UID:                icp.GetUID(),
		Controller:         utils.BoolPointer(true),
		BlockOwnerDeletion: utils.BoolPointer(true),
	}

	object.SetOwnerReferences([]metav1.OwnerReference{ownerRef})
	object.SetLabels(icp.RevisionLabels())
}
15 | */
16 |
17 | package k8sutil
18 |
19 | import (
20 |     "context"
21 |
22 |     corev1 "k8s.io/api/core/v1"
23 |     "sigs.k8s.io/controller-runtime/pkg/client"
24 | )
25 |
// IsReqeueNeededCosNamespaceTermination reports whether reconciliation of obj
// should be requeued because the namespace obj lives in is being terminated.
//
// It returns (false, nil) without any API call when obj itself already has a
// deletion timestamp. Otherwise it reads the Namespace named
// obj.GetNamespace() through cli and returns true exactly when that
// namespace carries a deletion timestamp. Any error from cli.Get (including
// NotFound) is returned unchanged together with false.
//
// NOTE(review): for a cluster-scoped obj GetNamespace() is "", so the Get
// would look up a Namespace with an empty name — callers are expected to pass
// namespaced objects only. "Reqeue" is a typo in the exported name; renaming
// it would break callers, so it is left as-is.
26 | func IsReqeueNeededCosNamespaceTermination(ctx context.Context, cli client.Client, obj client.Object) (bool, error) {
// IsZero on *metav1.Time is nil-safe, so an unset deletion timestamp is
// handled without an explicit nil check.
27 |     if !obj.GetDeletionTimestamp().IsZero() {
28 |         return false, nil
29 |     }
30 |
31 |     ns := &corev1.Namespace{}
32 |     err := cli.Get(ctx, client.ObjectKey{
33 |         Name: obj.GetNamespace(),
34 |     }, ns)
35 |     if err != nil {
36 |         return false, err
37 |     }
38 |
39 |     return !ns.DeletionTimestamp.IsZero(), nil
40 | }
41 |
-------------------------------------------------------------------------------- /pkg/k8sutil/resourceversion.go: --------------------------------------------------------------------------------
1 | /*
2 | Copyright 2021 Cisco Systems, Inc. and/or its affiliates.
3 |
4 | Licensed under the Apache License, Version 2.0 (the "License");
5 | you may not use this file except in compliance with the License.
6 | You may obtain a copy of the License at
7 |
8 | http://www.apache.org/licenses/LICENSE-2.0
9 |
10 | Unless required by applicable law or agreed to in writing, software
11 | distributed under the License is distributed on an "AS IS" BASIS,
12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | See the License for the specific language governing permissions and
14 | limitations under the License.
15 | */
16 |
17 | package k8sutil
18 |
19 | import (
20 |     "emperror.dev/errors"
21 |     "github.com/Masterminds/semver/v3"
22 |     "sigs.k8s.io/controller-runtime/pkg/client"
23 |
24 |     "github.com/banzaicloud/istio-operator/v2/pkg/util"
25 | )
26 |
27 | const (
// resourceRevisionLabel carries the revision (expected to be a semver
// string) a resource was generated for. The same label key is stamped onto
// the CRD manifests by scripts/label-crds.sh.
28 |     resourceRevisionLabel = "resource.alpha.banzaicloud.io/revision"
29 | )
30 |
// SetResourceRevisionLabel stores revision under resourceRevisionLabel on
// obj, merging it into obj's existing labels. A nil label map is replaced
// with an empty one first so the call is safe on freshly created objects.
31 | func SetResourceRevisionLabel(obj client.Object, revision string) {
32 |     labels := obj.GetLabels()
33 |     if labels == nil {
34 |         labels = make(map[string]string)
35 |     }
36 |
37 |     obj.SetLabels(util.MergeStringMaps(labels, map[string]string{
38 |         resourceRevisionLabel: revision,
39 |     }))
40 | }
41 |
// GetResourceRevisionLabel returns the value of resourceRevisionLabel on obj,
// or "" when it is not set.
42 | func GetResourceRevisionLabel(obj client.Object) string {
43 |     return obj.GetLabels()[resourceRevisionLabel]
44 | }
45 |
// CheckResourceRevision reports whether obj's revision label satisfies the
// semver constraint revisionConstraint.
//
// Returns:
//   - (false, err) when revisionConstraint itself cannot be parsed;
//   - (false, nil) only when obj carries a label value that parses as semver
//     AND does not satisfy the constraint;
//   - (true, nil) in every other case: no label, an empty label, or a label
//     value that is not valid semver.
//
// NOTE(review): the last case is a silent pass — the parse error from
// semver.NewVersion is discarded, so a malformed label value is treated as
// if it satisfied the constraint. If callers use this result to decide
// whether a resource may be skipped or overwritten, consider surfacing that
// parse error instead of swallowing it.
46 | func CheckResourceRevision(obj client.Object, revisionConstraint string) (bool, error) {
47 |     semverConstraint, err := semver.NewConstraint(revisionConstraint)
48 |     if err != nil {
49 |         return false, errors.WrapIf(err, "could not create semver constraint")
50 |     }
51 |     currentRevision := GetResourceRevisionLabel(obj)
52 |
53 |     if currentRevision != "" {
54 |         if currentSemver, err := semver.NewVersion(currentRevision); err == nil && !semverConstraint.Check(currentSemver) {
55 |             return false, nil
56 |         }
57 |     }
58 |
59 |     return true, nil
60 | }
61 |
-------------------------------------------------------------------------------- /pkg/util/util_test.go: --------------------------------------------------------------------------------
1 | /*
2 | Copyright 2022 Cisco Systems, Inc. and/or its affiliates.
3 |
4 | Licensed under the Apache License, Version 2.0 (the "License");
5 | you may not use this file except in compliance with the License.
6 | You may obtain a copy of the License at
7 |
8 | http://www.apache.org/licenses/LICENSE-2.0
9 |
10 | Unless required by applicable law or agreed to in writing, software
11 | distributed under the License is distributed on an "AS IS" BASIS,
12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | See the License for the specific language governing permissions and
14 | limitations under the License.
15 | */
16 |
17 | package util_test
18 |
19 | import (
20 |     "testing"
21 |
22 |     "gotest.tools/v3/assert"
23 |     networkingv1alpha3 "istio.io/api/networking/v1alpha3"
24 |     "istio.io/client-go/pkg/apis/networking/v1alpha3"
25 |
26 |     "github.com/banzaicloud/istio-operator/v2/pkg/util"
27 |     "github.com/banzaicloud/k8s-objectmatcher/patch"
28 | )
29 |
// envoyFilter is the shared "current" object for both tests below: an
// EnvoyFilter whose single config patch applies to CLUSTER. Each test
// DeepCopies it before mutating, so the package-level value is never
// modified even though the tests run in parallel.
30 | var envoyFilter = &v1alpha3.EnvoyFilter{
31 |     Spec: networkingv1alpha3.EnvoyFilter{
32 |         ConfigPatches: []*networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{
33 |             {
34 |                 ApplyTo: networkingv1alpha3.EnvoyFilter_CLUSTER,
35 |             },
36 |         },
37 |     },
38 | }
39 |
// TestUpstreamPatchMaker documents why a custom patch maker exists: the
// upstream k8s-objectmatcher DefaultPatchMaker cannot build a strategic
// merge patch for this proto-generated spec (it cannot map the
// "configPatches" JSON field), and the test pins that exact error text.
40 | func TestUpstreamPatchMaker(t *testing.T) {
41 |     t.Parallel()
42 |
43 |     desired := envoyFilter.DeepCopy()
44 |     desired.Spec.ConfigPatches[0].ApplyTo = networkingv1alpha3.EnvoyFilter_HTTP_FILTER
45 |
46 |     maker := patch.DefaultPatchMaker
47 |     _, err := maker.Calculate(envoyFilter, desired)
48 |     assert.Error(t, err, "Failed to generate strategic merge patch: unable to find api field in struct EnvoyFilter for the json field \"configPatches\"")
49 | }
50 |
// TestProtoCompatiblePatchMaker checks that util.NewProtoCompatiblePatchMaker
// handles the same proto-typed object: changing ApplyTo from CLUSTER to
// HTTP_FILTER must yield exactly the JSON patch
// {"spec":{"configPatches":[{"applyTo":"HTTP_FILTER"}]}}.
51 | func TestProtoCompatiblePatchMaker(t *testing.T) {
52 |     t.Parallel()
53 |
54 |     desired := envoyFilter.DeepCopy()
55 |     desired.Spec.ConfigPatches[0].ApplyTo = networkingv1alpha3.EnvoyFilter_HTTP_FILTER
56 |
57 |     maker := util.NewProtoCompatiblePatchMaker()
58 |     r, err := maker.Calculate(envoyFilter, desired)
59 |     assert.NilError(t, err)
60 |
61 |     assert.Equal(t, string(r.Patch), `{"spec":{"configPatches":[{"applyTo":"HTTP_FILTER"}]}}`)
62 | }
63 |
-------------------------------------------------------------------------------- /scripts/increment_version.sh: --------------------------------------------------------------------------------
1 | #!/bin/bash
# Prints the next semantic version. Usage: increment_version.sh -M|-m|-p X.Y.Z
# -M bumps major (resetting minor and patch), -m bumps minor (resetting
# patch), -p bumps patch. The version is read from $2, not from the position
# getopts stopped at, so exactly one option argument must precede it
# (e.g. "-M -m" would be rejected because $2 is then "-m").
# This script deliberately has no `set -e`: `((parts[N]++))` evaluates to the
# old value, so it exits non-zero when that component was 0 and would abort
# the script if errexit were enabled — keep that in mind before adding it.
2 |
3 | while getopts ":Mmp" opt; do
4 |     case $opt in
5 |         M )
6 |             relType="major"
7 |             ;;
8 |         m )
9 |             relType="minor"
10 |             ;;
11 |         p )
12 |             relType="patch"
13 |             ;;
# NOTE(review): with a leading ":" in the optstring, getopts reports an
# unknown flag as opt="?" and puts the offending letter in $OPTARG, so this
# message prints "-?" rather than the flag; `-$OPTARG` would show it.
14 |         *)
15 |             echo "Unexpected flag: -$opt"
16 |             exit 1
17 |             ;;
18 |     esac
19 | done
20 |
# $relType is unquoted; this only works because an unset value collapses the
# test to `[ -z ]`, which is true. Quoting it (`[ -z "$relType" ]`) is safer.
21 | if [ -z $relType ]; then
22 |     echo "usage: $(basename "$0") [-Mmp] major.minor.patch"
23 |     exit 1
24 | fi
25 |
26 | if [ -z "$2" ]; then
27 |     echo "usage: $(basename "$0") [-Mmp] major.minor.patch"
28 |     exit 1
29 | fi
30 |
31 | version=$2
# Word-splitting on "." is intentional here (SC2206 is silenced for it); the
# input is assumed to be a plain major.minor.patch string with no prefix.
32 | # shellcheck disable=SC2206
33 | parts=( ${version//./ } )
34 |
35 | if [ $relType == "major" ]; then
36 |     ((parts[0]++))
37 |     parts[1]=0
38 |     parts[2]=0
39 | fi
40 |
41 | if [ $relType == "minor" ]; then
42 |     ((parts[1]++))
43 |     parts[2]=0
44 | fi
45 |
46 | if [ $relType == "patch" ]; then
47 |     ((parts[2]++))
48 | fi
49 |
50 | echo "${parts[0]}.${parts[1]}.${parts[2]}"
51 |
-------------------------------------------------------------------------------- /scripts/install-buf.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
# Installs bufbuild/buf <version> into bin/buf-<version> and points the
# bin/buf symlink at it. The download is only performed when the versioned
# binary is not already present.
# NOTE(review): the binary is fetched from GitHub releases over HTTPS but no
# checksum or signature is verified, so the build trusts whatever the release
# asset contains at download time; pinning an expected digest for the
# version and checking it after curl would make this reproducible and
# tamper-evident. The same applies to install_envtest.sh and
# install_kustomize.sh below.
# NOTE(review): the usage string "Usage: $0 " appears to have lost its
# argument placeholder (probably angle brackets stripped when rendered).
2 |
3 | set -euo pipefail
4 |
5 | [ -z "${1:-}" ] && { echo "Usage: $0 "; exit 1; }
6 |
7 | version=$1
8 |
9 | target_name=buf-${version}
10 | link_path=bin/buf
11 |
# Removes a previous symlink before re-creating it. `-e` follows the link, so
# a dangling bin/buf (target removed) is NOT detected, and the `ln -s` below
# then fails with "File exists" under set -e; install_envtest.sh uses `-L`
# for this check instead. A false test here does not trip errexit because it
# is not the last command of the `&&` list.
12 | [ -e ${link_path} ] && rm -r ${link_path}
13 |
14 | mkdir -p bin
# The symlink is created before the download, so if curl fails below the
# link is left dangling until the next run.
15 | ln -s "${target_name}" ${link_path}
16 |
17 | if [ ! -e bin/"${target_name}" ]; then
18 |
19 |     os=$(uname -s)
20 |     arch=$(uname -m)
21 |
# NOTE(review): the comment says "envtest" but this script installs buf; the
# fallback forces an x86_64 build on Apple Silicon, which presumably relies
# on Rosetta being available — verify it is still needed for current buf
# releases.
22 |     # Temporary fix for Apple M1 until envtest is released for darwin-arm64 arch
23 |     if [ "$os" == "Darwin" ] && [ "$arch" == "arm64" ]; then
24 |         arch="x86_64"
25 |     fi
26 |
27 |     url="https://github.com/bufbuild/buf/releases/download/v${version}/buf-${os}-${arch}"
# `-f` makes curl exit non-zero on an HTTP error instead of saving the error
# page as the binary; together with set -e that aborts the script.
28 |     curl -f -s -L "${url}" -o bin/"${target_name}"
29 |     chmod u+x bin/"${target_name}"
30 | fi
31 |
-------------------------------------------------------------------------------- /scripts/install_envtest.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
# Installs the kubebuilder envtest tools for <version> into
# bin/envtest-<version> and points the bin/envtest symlink at it.
2 |
3 | set -euo pipefail
4 |
5 | [ -z "${1:-}" ] && { echo "Usage: $0 "; exit 1; }
6 |
7 | version=$1
8 |
9 | target_dir_name=envtest-${version}
10 | link_path=bin/envtest
11 |
# `-L` (unlike the `-e` used in install-buf.sh / install_kustomize.sh) also
# matches a dangling symlink, so a stale link is always cleaned up here.
12 | [ -L ${link_path} ] && rm -r ${link_path}
13 |
14 | mkdir -p bin
15 | ln -s "${target_dir_name}" ${link_path}
16 |
17 | if [ ! -e bin/"${target_dir_name}" ]; then
18 |     os=$(go env GOOS)
19 |     arch=$(go env GOARCH)
20 |
21 |     # Temporary fix for Apple M1 until envtest is released for darwin-arm64 arch
22 |     if [ "$os" == "darwin" ] && [ "$arch" == "arm64" ]; then
23 |         arch="amd64"
24 |     fi
# NOTE(review): curl runs without `-f`, so on an HTTP error the error body is
# piped into tar; that most likely fails tar (and pipefail aborts the
# script), but `-f` would make the failure explicit. The archive is unpacked
# into the fixed, world-writable path /tmp/kubebuilder and moved from there;
# a per-run `mktemp -d` directory avoids collisions with other users or a
# leftover directory from a previous run. No checksum is verified.
25 |     curl -sSL "https://go.kubebuilder.io/test-tools/$version/$os/$arch" | tar -xz -C /tmp/
26 |     mv "/tmp/kubebuilder" bin/"${target_dir_name}"
27 | fi
28 |
-------------------------------------------------------------------------------- /scripts/install_kustomize.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
# Installs kustomize <version> into bin/kustomize-<version> and points the
# bin/kustomize symlink at it. Same structure, and the same review notes
# (no `-f` on curl, fixed /tmp path, no checksum, `-e` on the symlink
# check), as install-buf.sh and install_envtest.sh above.
2 |
3 | set -euo pipefail
4 |
5 | [ -z "${1:-}" ] && { echo "Usage: $0 "; exit 1; }
6 |
7 | version=$1
8 |
9 | target_name=kustomize-${version}
10 | link_path=bin/kustomize
11 |
12 | [ -e ${link_path} ] && rm -r ${link_path}
13 |
14 | mkdir -p bin
15 | ln -s "${target_name}" ${link_path}
16 |
17 | if [ ! -e bin/"${target_name}" ]; then
18 |     os=$(go env GOOS)
19 |     arch=$(go env GOARCH)
20 |
21 |     # Temporary fix for Apple M1 until kustomize is released for darwin-arm64 arch
22 |     if [ "$os" == "darwin" ] && [ "$arch" == "amd64" ]; then
23 |         arch="amd64"
24 |     fi
25 |
26 |     url="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v${version}/kustomize_v${version}_${os}_${arch}.tar.gz"
# Unlike install-buf.sh this curl has neither `-f` nor `-s`; see the note in
# install_envtest.sh for why `-f` and a mktemp directory are preferable.
27 |     curl -L "${url}" | tar -xz -C /tmp/
28 |     mv "/tmp/kustomize" bin/"${target_name}"
29 |     chmod u+x bin/"${target_name}"
30 | fi
31 |
-------------------------------------------------------------------------------- /scripts/label-crds.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
# Stamps every generated CRD under config/crd/bases with the
# resource.alpha.banzaicloud.io/revision label (the same key
# pkg/k8sutil/resourceversion.go reads back) set to the Istio version given
# as $1, defaulting to 1.17.8.
# NOTE(review): no `set -euo pipefail` here, so a failing sed/mv/yq step is
# not fatal and the loop carries on with the remaining files.
2 |
3 | dirname=$(dirname "$0")
# NOTE(review): $PWD is prefixed unconditionally, so this only resolves
# correctly when the script is invoked through a relative path; an absolute
# invocation yields "$PWD//abs/path/..", which points at the wrong tree.
4 | projectdir=$PWD/$dirname/..
5 | crdpath=$projectdir/config/crd/bases
6 |
7 | ISTIO_VERSION=${1:-"1.17.8"}
8 |
9 | for name in "$crdpath"/*.yaml; do
# Drops the last line of each file before labelling — presumably a trailing
# separator or blank emitted by the generator; verify against the generated
# output. $name is unquoted on these two lines but quoted on the yq line
# below; quoting it consistently avoids breakage on paths with spaces.
10 |     sed "$ d" $name > $name.changed
11 |     mv $name.changed $name
12 |
# $ISTIO_VERSION is spliced into the yq expression unescaped, so only plain
# version strings are expected here (the default is one).
13 |     "$projectdir"/bin/yq ".metadata.labels.\"resource.alpha.banzaicloud.io/revision\" = \"$ISTIO_VERSION\"" -i "$name"
14 | done
15 |
-------------------------------------------------------------------------------- /scripts/remove-istio-dependencies.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
# Deletes the Istio proto dependencies previously copied into the build
# directory given as $1 (see update-istio-dependencies.sh, which calls this
# before re-fetching them).
2 |
3 | set -euo pipefail
4 |
5 | [ -z "${1:-}" ] && { echo "Usage: $0 "; exit 1; }
6 |
7 | build_dir=$1
8 |
# Because of `set -e`, a failing pushd aborts the script here, so the
# relative `rm -rf` below can only ever run inside build_dir and never in the
# caller's working directory. ${build_dir} is unquoted, so a path containing
# whitespace would be word-split; `pushd "${build_dir}"` is safer.
9 | pushd ${build_dir}
10 |
11 | echo "cleanup"
12 | rm -rf api common-protos github.com google istio.io k8s.io mesh networking type dictionaries
13 |
14 | popd
15 |
-------------------------------------------------------------------------------- /scripts/update-istio-dependencies.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
# Refreshes the Istio proto dependencies under ../build for the istio/api
# ref given as $1: clears the old copies, clones istio/api at that ref,
# copies the needed proto trees plus common-protos into the build directory,
# strips everything that is not a .proto, and finally replaces the clone with
# a symlink to this repository's own api/ directory.
2 |
3 | set -euo pipefail
4 |
5 | [ -z "${1:-}" ] && { echo "Usage: $0 "; exit 1; }
6 |
7 | version=$1
8 |
9 | script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
10 | build_dir=${script_dir}/../build
11 |
# ${script_dir}/${build_dir} are unquoted here and on the pushd below; the
# directory comes from pwd, so any whitespace in the checkout path would
# break word-splitting.
12 | ${script_dir}/remove-istio-dependencies.sh ${build_dir}
13 |
14 | pushd ${build_dir}
15 |
16 | echo "clone istio api repository"
# NOTE(review): `-b ${version}` checks out a branch or tag by name, not a
# commit. Tags can be moved and branches advance, so two runs with the same
# argument can vendor different proto sources; recording the resolved commit
# hash (e.g. `git rev-parse HEAD` after the clone) and checking it against an
# expected value would make the dependency update reproducible and
# tamper-evident.
17 | git clone -q -b ${version} https://github.com/istio/api
18 |
19 | echo "copy dependencies"
20 | cp -a api/mesh api/networking api/type api/dictionaries .
21 |
# Copies each entry of common-protos to the build root by name. Iterating
# over `ls` output is fragile with unusual names; `for i in api/common-protos/*`
# would avoid the word-splitting.
22 | for i in `ls -1 api/common-protos`; do cp -a api/common-protos/$i $i; done
23 |
# Keep only .proto files in the copied mesh/ and networking/ trees.
24 | find mesh networking -type f -not -name '*.proto' -exec rm {} \;
25 |
26 |
# The clone is discarded; build/api becomes a symlink to the operator's own
# top-level api/ directory so buf resolves the operator protos from there.
27 | rm -rf api
28 |
29 | ln -s ../api api
30 |
31 | popd
32 |
--------------------------------------------------------------------------------