├── .concourse ├── Dockerfile ├── concourse.yaml └── set-pipeline.sh ├── .drone.yml ├── .gitattributes ├── .gitignore ├── BUGS-AND-FEATURE-REQUESTS.md ├── CODEOWNERS ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── Makefile.core.mk ├── Makefile.overrides.mk ├── README.md ├── SUPPORT.md ├── base ├── Chart.yaml ├── files │ ├── crd-all.gen.yaml │ ├── crd-certmanager-10.yaml │ ├── crd-certmanager-11.yaml │ └── crd-mixer.yaml ├── kustomization.yaml ├── templates │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── crds.yaml │ ├── endpoints.yaml │ ├── namespaces.yaml │ ├── serviceaccount.yaml │ └── services.yaml └── values.yaml ├── bin ├── cleanup.sh ├── env.sh ├── iop ├── report.sh ├── test.sh ├── testEnvRootMinikube.sh └── with-kind.sh ├── common ├── .commonfiles.sha ├── Makefile.common.mk ├── config │ ├── .golangci.yml │ ├── .hadolint.yml │ ├── .yamllint.yml │ ├── license-lint.yml │ ├── mdl.rb │ ├── sass-lint.yml │ └── tslint.json └── scripts │ ├── check_clean_repo.sh │ ├── gobuild.sh │ ├── lint_copyright_banner.sh │ ├── lint_go.sh │ └── report_build_info.sh ├── docs └── labels.md ├── gateways ├── istio-egress │ ├── Chart.yaml │ ├── NOTES.txt │ ├── templates │ │ ├── _affinity.tpl │ │ ├── _helpers.tpl │ │ ├── autoscale.yaml │ │ ├── deployment.yaml │ │ ├── poddisruptionbudget.yaml │ │ ├── preconfigured.yaml │ │ ├── service.yaml │ │ └── serviceaccount.yaml │ └── values.yaml └── istio-ingress │ ├── Chart.yaml │ ├── NOTES.txt │ ├── templates │ ├── _affinity.tpl │ ├── addongateway.yaml │ ├── autoscale.yaml │ ├── certificate.yaml │ ├── deployment.yaml │ ├── gateway.yaml │ ├── hosts.yaml │ ├── meshexpansion.yaml │ ├── poddisruptionbudget.yaml │ ├── preconfigured.yaml │ ├── role.yaml │ ├── rolebindings.yaml │ ├── service.yaml │ ├── serviceaccount.yaml │ └── sidecar.yaml │ └── values.yaml ├── global.yaml ├── istio-cni ├── Chart.yaml ├── templates │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── configmap-cni.yaml │ ├── daemonset.yaml │ └── serviceaccount.yaml 
└── values.yaml ├── istio-control ├── istio-autoinject │ ├── Chart.yaml │ ├── NOTES.txt │ ├── files │ │ └── injection-template.yaml │ ├── templates │ │ ├── _affinity.tpl │ │ ├── _helpers.tpl │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── mutatingwebhook.yaml │ │ ├── poddisruptionbudget.yaml │ │ ├── service.yaml │ │ ├── serviceaccount.yaml │ │ └── sidecar-injector-configmap.yaml │ └── values.yaml ├── istio-config │ ├── Chart.yaml │ ├── OWNERS │ ├── README.md │ ├── templates │ │ ├── _affinity.tpl │ │ ├── _helpers.tpl │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── configmap-envoy.yaml │ │ ├── configmap-mesh.yaml │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── poddisruptionbudget.yaml │ │ ├── service.yaml │ │ ├── serviceaccount.yaml │ │ └── validatingwebhookconfiguration.yaml.tpl │ └── values.yaml └── istio-discovery │ ├── Chart.yaml │ ├── NOTES.txt │ ├── files │ └── injection-template.yaml │ ├── templates │ ├── _affinity.tpl │ ├── _helpers.tpl │ ├── autoscale.yaml │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── configmap-envoy.yaml │ ├── configmap-jwks.yaml │ ├── configmap.yaml │ ├── deployment.yaml │ ├── enable-mesh-mtls.yaml │ ├── istiod-injector-configmap.yaml │ ├── poddisruptionbudget.yaml │ ├── service.yaml │ ├── serviceaccount.yaml │ ├── telemetryv2_1.4.yaml │ └── telemetryv2_1.5.yaml │ └── values.yaml ├── istio-policy ├── Chart.yaml ├── templates │ ├── _affinity.tpl │ ├── _helpers.tpl │ ├── autoscale.yaml │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── config.yaml │ ├── deployment.yaml │ ├── poddisruptionbudget.yaml │ ├── service.yaml │ └── serviceaccount.yaml └── values.yaml ├── istio-telemetry ├── grafana │ ├── Chart.yaml │ ├── dashboards │ │ ├── citadel-dashboard.json │ │ ├── galley-dashboard.json │ │ ├── istio-mesh-dashboard.json │ │ ├── istio-performance-dashboard.json │ │ ├── istio-service-dashboard.json │ │ ├── istio-workload-dashboard.json │ │ 
├── mixer-dashboard.json │ │ └── pilot-dashboard.json │ ├── fix_datasources.sh │ ├── templates │ │ ├── _affinity.tpl │ │ ├── configmap-dashboards.yaml │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── grafana-policy.yaml │ │ ├── pvc.yaml │ │ ├── service.yaml │ │ └── tests │ │ │ └── test-grafana-connection.yaml │ └── values.yaml ├── kiali │ ├── Chart.yaml │ ├── templates │ │ ├── _affinity.tpl │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── configmap.yaml │ │ ├── demosecret.yaml │ │ ├── deployment.yaml │ │ ├── service.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── mixer-telemetry │ ├── Chart.yaml │ ├── templates │ │ ├── _affinity.tpl │ │ ├── autoscale.yaml │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── config.yaml │ │ ├── configmap-envoy.yaml │ │ ├── deployment.yaml │ │ ├── poddisruptionbudget.yaml │ │ ├── service.yaml │ │ ├── serviceaccount.yaml │ │ └── stackdriver.yaml │ └── values.yaml ├── prometheus-operator │ ├── Chart.yaml │ ├── templates │ │ ├── _affinity.tpl │ │ ├── prometheus.yaml │ │ └── servicemonitors.yaml │ └── values.yaml ├── prometheus │ ├── Chart.yaml │ ├── templates │ │ ├── _affinity.tpl │ │ ├── clusterrole.yaml │ │ ├── clusterrolebindings.yaml │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── ingress.yaml │ │ ├── service.yaml │ │ ├── serviceaccount.yaml │ │ └── tests │ │ │ └── test-prometheus-connection.yaml │ └── values.yaml └── tracing │ ├── Chart.yaml │ ├── templates │ ├── _affinity.tpl │ ├── deployment-jaeger.yaml │ ├── deployment-opencensus.yaml │ ├── deployment-zipkin.yaml │ ├── pvc.yaml │ ├── service-jaeger.yaml │ └── service.yaml │ └── values.yaml ├── istiocoredns ├── Chart.yaml ├── templates │ ├── _affinity.tpl │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── configmap.yaml │ ├── deployment.yaml │ ├── service.yaml │ └── serviceaccount.yaml └── values.yaml ├── kustomize ├── README.md ├── citadel │ └── kustomization.yaml ├── cluster │ ├── clusterrole-12.yaml │ ├── 
clusterrolebinding-12.yaml │ ├── istiod.yaml │ ├── kustomization.yaml │ └── serviceaccounts-12.yaml ├── default │ └── kustomization.yaml ├── istio-canary │ └── kustomization.yaml ├── istio-ingress │ └── kustomization.yaml └── minimal │ └── kustomization.yaml ├── security ├── certmanager │ ├── Chart.yaml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _affinity.tpl │ │ ├── deployment.yaml │ │ ├── issuer.yaml │ │ ├── poddisruptionbudget.yaml │ │ ├── rbac.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── citadel │ ├── Chart.yaml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _affinity.tpl │ │ ├── _helpers.tpl │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── deployment.yaml │ │ ├── poddisruptionbudget.yaml │ │ ├── service.yaml │ │ └── serviceaccount.yaml │ └── values.yaml └── nodeagent │ ├── Chart.yaml │ ├── templates │ ├── _affinity.tpl │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── daemonset.yaml │ └── serviceaccount.yaml │ └── values.yaml └── test ├── buildkite ├── Dockerfile ├── README.md ├── install-gcp.sh └── run-local.sh ├── canary ├── canary.mk ├── fortio-cli.yaml ├── fortio.yaml ├── kustomization.yaml ├── mesh.yaml ├── namespace.yaml ├── sidecar.yaml └── values.yaml ├── cloudbuild └── cloudbuild.yaml ├── demo.mk ├── demo ├── allocation.yaml ├── kustomization.yaml ├── mesh.yaml └── values.yaml ├── docker └── Dockerfile ├── install.mk ├── k8s ├── etcd.yaml ├── loadgen.yaml ├── mtls_permissive.yaml ├── mtls_strict.yaml └── sidecar-local.yaml ├── kind ├── ingress-service-micro.yaml ├── ingress-service.yaml ├── kind-docker.yaml ├── kind-prow.yaml ├── kind.yaml └── user-values.yaml ├── knative ├── allocation.yaml ├── crds.yaml ├── kustomization.yaml ├── mesh.yaml ├── namespace.yaml ├── service.yaml ├── serving.yaml └── values.yaml ├── minimal ├── allocation.yaml ├── disable-automtls.yaml └── kustomization.yaml ├── mysql ├── Chart.yaml ├── templates │ ├── client.yaml │ ├── mtls.yaml │ └── server.yaml └── values.yaml ├── noauth.mk ├── simple ├── 
README.md ├── ingress.yaml ├── mesh.yaml ├── routingrule1.yaml ├── routingrule2.yaml ├── routingruleNoPods.yaml ├── servicesNotInjected.yaml ├── servicesToBeInjected.yaml └── values.yaml └── tests.mk /.concourse/Dockerfile: --------------------------------------------------------------------------------
FROM golang:1.11

# The base circleci image runs as user 'circleci'(3434), with sudo capabilities.
# Based on Debian9. Go installed in /usr/local/go

# Env:
# GOLANG_VERSION
# GPATH=/go

# Workdir: /go

# Also installed docker, docker-compose, dockerize, jq

# Tool versions. Only the version tag is pinned: every download below is fetched
# over HTTPS but never compared against a known checksum, so a replaced or
# tampered release artifact would be installed unnoticed. Record the published
# sha256 for each pinned version and verify it (sha256sum -c) before moving the
# binary into /usr/local/bin.
ARG K8S_VER=v1.14.0
ARG ETCD_VER=v3.2.15
ARG MINIKUBE_VER=v0.25.0
ARG HELM_VER=v2.7.2

# The local test cluster config
ARG MASTER_IP=127.0.0.1
ARG MASTER_CLUSTER_IP=10.99.0.1

# Environment variables used in the build.
ENV GOPATH=/go
ENV KUBECONFIG=/go/out/kube.config
ENV ETCD_DATADIR=/go/out/etcd-data
ENV PATH=/go/bin:/go/out/linux_amd64:$PATH

# Get etcd, apiserver for the local environment
RUN cd /tmp && \
    curl -L -o etcd.tgz https://github.com/coreos/etcd/releases/download/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz && \
    tar xzf etcd.tgz && \
    mv etcd-${ETCD_VER}-linux-amd64/etcd /usr/local/bin/etcd && \
    rm -rf etcd*

RUN curl -L -o /tmp/kube-apiserver https://storage.googleapis.com/kubernetes-release/release/${K8S_VER}/bin/linux/amd64/kube-apiserver && \
    chmod +x /tmp/kube-apiserver && \
    mv /tmp/kube-apiserver /usr/local/bin

# Neither Go tool below is pinned: `go get` (and especially `go get -u`) takes
# whatever the remote default branch holds at build time, so image builds are
# not reproducible and a compromised upstream would land here silently.
RUN go get -u github.com/golang/dep/cmd/dep

# Tool used to convert 'go test' to junit, for integration with CI dashboard
RUN go get github.com/jstemmer/go-junit-report

# Install fpm tool
RUN apt-get update && apt-get -qqy install ruby ruby-dev rubygems build-essential autoconf libtool autotools-dev && \
    gem install --no-ri --no-rdoc fpm

# Include minikube and kubectl in the image
RUN curl -Lo /tmp/kubectl https://storage.googleapis.com/kubernetes-release/release/${K8S_VER}/bin/linux/amd64/kubectl && \
    chmod +x /tmp/kubectl && mv /tmp/kubectl /usr/local/bin/

RUN curl -Lo /tmp/minikube https://storage.googleapis.com/minikube/releases/${MINIKUBE_VER}/minikube-linux-amd64 &&\
    chmod +x /tmp/minikube && mv /tmp/minikube /usr/local/bin/

# Install helm
RUN cd /tmp && \
    curl -Lo /tmp/helm.tgz https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VER}-linux-amd64.tar.gz && \
    tar xfz helm.tgz && \
    mv linux-amd64/helm /usr/local/bin && \
    rm -rf helm.tgz linux-amd64

-------------------------------------------------------------------------------- /.concourse/set-pipeline.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
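
# Stop at the first failing command: without this a failed `cd` or a failed
# `fly login` still let the final set-pipeline run against the wrong directory
# or a stale login.
set -e

# Work relative to the directory holding this script (and concourse.yaml).
cd "$( dirname "${BASH_SOURCE[0]}" )"

# Pipeline name and fly target, overridable from the environment.
# The parameter-expansion default replaces the unquoted `[ -z $VAR ]` tests,
# which word-split a value containing whitespace and then fail the test itself.
PIPELINE="${PIPELINE:-istio-installer}"
TARGET="${TARGET:-concourse-sapcloud}"

# Optional first argument: a Concourse URL to log in to before setting the pipeline.
if [ -n "$1" ] ; then
  fly --target "$TARGET" login --concourse-url "$1"
fi

fly -t "$TARGET" set-pipeline -c concourse.yaml -p "$PIPELINE"
-------------------------------------------------------------------------------- /.drone.yml: --------------------------------------------------------------------------------
kind: pipeline
name: default

workspace:
  base: /go
  path: src/github.com/costinm/istio-install

steps:
- name: run
  image: istio/ci:go1.11-k8s1.10.4-helm2.7.2-minikube0.25
  environment:
    GOPATH: /home/circleci
    DOCKER_HOST: tcp://docker-p:2375
  commands:
  - go get -u sigs.k8s.io/kind
  - /home/circleci/bin/kind create cluster
  - export PATH=$PATH:$GOPATH/bin
  - export KUBECONFIG="$(kind get kubeconfig-path --name="kind")"
  - kubectl apply -f base/
  - bin/iop istio-control discovery istio-control/istio-discovery



services:
# The dockerd below is privileged and listens on plain TCP with no TLS and no
# client authentication. Whatever can reach this service's network has root-
# equivalent control of the runner host, so keep it confined to the pipeline's
# private network; dockerd's --tlsverify/--tlscacert/--tlscert/--tlskey flags
# add client auth if the socket ever needs wider exposure.
- name: docker-p
  image: plugins/docker
  privileged: true
  commands:
  - /usr/local/bin/dockerd --data-root /var/lib/docker --host=tcp://0.0.0.0:2375

# - name: docker
#   image: plugins/docker
#   commands:
#   - /usr/local/bin/dockerd --data-root /var/lib/docker

#services:
## Doesn't work - require priv or trusted
## - name: docker
##   image: docker:dind
##   privileged: true
##   volumes:
##   - name: dockersock
##     path: /var/run
#
#volumes:
# - name: dockersock
#   temp: {}

-------------------------------------------------------------------------------- /.gitattributes: --------------------------------------------------------------------------------
*.descriptor linguist-generated=true
*.descriptor -diff -merge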
*.descriptor_set linguist-generated=true 4 | *.descriptor_set -diff -merge 5 | *.pb.html linguist-generated=true 6 | *.pb.go linguist-generated=true 7 | *.gen.go linguist-generated=true 8 | *.gen.yaml linguist-generated=true 9 | *_pb2.py linguist-generated=true 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | test/**/*.gen.yaml 2 | kustomize/**/*.gen.yaml 3 | -------------------------------------------------------------------------------- /BUGS-AND-FEATURE-REQUESTS.md: -------------------------------------------------------------------------------- 1 | # Bugs and Feature Requests 2 | 3 | You can report bugs and feature requests to the Istio team in one of three places: 4 | 5 | - [Product Bugs and Feature Requests](https://github.com/istio/istio/issues) 6 | - [Documentation Bugs and Feature Requests](https://github.com/istio/istio.io/issues) 7 | - [Community and Governance Issues](https://github.com/istio/community/issues) 8 | 9 | For security vulnerabilities, please don't report a bug (which is public) and instead follow 10 | [these procedures](https://istio.io/about/security-vulnerabilities/). 11 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @istio/wg-environments-maintainers 2 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contribution guidelines 2 | 3 | So you want to hack on Istio? Yay! Please refer to Istio's overall 4 | [contribution guidelines](https://github.com/istio/community/blob/master/CONTRIBUTING.md) 5 | to find out how you can help. 
6 | -------------------------------------------------------------------------------- /Makefile.overrides.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # this repo is not on the container plan by default 16 | BUILD_WITH_CONTAINER ?= 0 17 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | Here are some resources to help you understand and use Istio: 4 | 5 | - For in-depth information about how to use Istio, visit [istio.io](https://istio.io) 6 | - To ask questions and get assistance from our community, visit [discuss.istio.io](https://discuss.istio.io) 7 | - To learn how to participate in our overall community, visit [our community page](https://istio.io/about/community) 8 | -------------------------------------------------------------------------------- /base/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: base 3 | version: 1.1.0 4 | tillerVersion: ">=2.7.2" 5 | description: Helm chart for deploying Istio base components 6 | keywords: 7 | - istio 8 | sources: 9 | - http://github.com/istio/istio 10 | engine: gotpl 11 | icon: https://istio.io/favicons/android-192x192.png 12 | 
-------------------------------------------------------------------------------- /base/files/crd-certmanager-10.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: clusterissuers.certmanager.k8s.io 5 | labels: 6 | app: certmanager 7 | chart: certmanager 8 | heritage: Tiller 9 | release: istio 10 | spec: 11 | group: certmanager.k8s.io 12 | versions: 13 | - name: v1alpha1 14 | served: true 15 | storage: true 16 | names: 17 | kind: ClusterIssuer 18 | plural: clusterissuers 19 | scope: Cluster 20 | --- 21 | apiVersion: apiextensions.k8s.io/v1beta1 22 | kind: CustomResourceDefinition 23 | metadata: 24 | name: issuers.certmanager.k8s.io 25 | labels: 26 | app: certmanager 27 | chart: certmanager 28 | heritage: Tiller 29 | release: istio 30 | spec: 31 | group: certmanager.k8s.io 32 | versions: 33 | - name: v1alpha1 34 | served: true 35 | storage: true 36 | names: 37 | kind: Issuer 38 | plural: issuers 39 | scope: Namespaced 40 | --- 41 | apiVersion: apiextensions.k8s.io/v1beta1 42 | kind: CustomResourceDefinition 43 | metadata: 44 | name: certificates.certmanager.k8s.io 45 | labels: 46 | app: certmanager 47 | chart: certmanager 48 | heritage: Tiller 49 | release: istio 50 | spec: 51 | additionalPrinterColumns: 52 | - JSONPath: .status.conditions[?(@.type=="Ready")].status 53 | name: Ready 54 | type: string 55 | - JSONPath: .spec.secretName 56 | name: Secret 57 | type: string 58 | - JSONPath: .spec.issuerRef.name 59 | name: Issuer 60 | type: string 61 | priority: 1 62 | - JSONPath: .status.conditions[?(@.type=="Ready")].message 63 | name: Status 64 | type: string 65 | priority: 1 66 | - JSONPath: .metadata.creationTimestamp 67 | description: |- 68 | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. 
Clients may not set this value. It is represented in RFC3339 form and is in UTC. 69 | 70 | Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata 71 | name: Age 72 | type: date 73 | group: certmanager.k8s.io 74 | versions: 75 | - name: v1alpha1 76 | served: true 77 | storage: true 78 | scope: Namespaced 79 | names: 80 | kind: Certificate 81 | plural: certificates 82 | shortNames: 83 | - cert 84 | - certs 85 | --- 86 | -------------------------------------------------------------------------------- /base/files/crd-certmanager-11.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: orders.certmanager.k8s.io 5 | labels: 6 | app: certmanager 7 | chart: certmanager 8 | heritage: Tiller 9 | release: istio 10 | spec: 11 | additionalPrinterColumns: 12 | - JSONPath: .status.state 13 | name: State 14 | type: string 15 | - JSONPath: .spec.issuerRef.name 16 | name: Issuer 17 | type: string 18 | priority: 1 19 | - JSONPath: .status.reason 20 | name: Reason 21 | type: string 22 | priority: 1 23 | - JSONPath: .metadata.creationTimestamp 24 | description: |- 25 | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 26 | 27 | Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata 28 | name: Age 29 | type: date 30 | group: certmanager.k8s.io 31 | versions: 32 | - name: v1alpha1 33 | served: true 34 | storage: true 35 | names: 36 | kind: Order 37 | plural: orders 38 | scope: Namespaced 39 | --- 40 | apiVersion: apiextensions.k8s.io/v1beta1 41 | kind: CustomResourceDefinition 42 | metadata: 43 | name: challenges.certmanager.k8s.io 44 | labels: 45 | app: certmanager 46 | chart: certmanager 47 | heritage: Tiller 48 | release: istio 49 | spec: 50 | additionalPrinterColumns: 51 | - JSONPath: .status.state 52 | name: State 53 | type: string 54 | - JSONPath: .spec.dnsName 55 | name: Domain 56 | type: string 57 | - JSONPath: .status.reason 58 | name: Reason 59 | type: string 60 | - JSONPath: .metadata.creationTimestamp 61 | description: |- 62 | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 63 | 64 | Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata 65 | name: Age 66 | type: date 67 | group: certmanager.k8s.io 68 | versions: 69 | - name: v1alpha1 70 | served: true 71 | storage: true 72 | names: 73 | kind: Challenge 74 | plural: challenges 75 | scope: Namespaced 76 | --- 77 | -------------------------------------------------------------------------------- /base/files/crd-mixer.yaml: -------------------------------------------------------------------------------- 1 | kind: CustomResourceDefinition 2 | apiVersion: apiextensions.k8s.io/v1beta1 3 | metadata: 4 | name: adapters.config.istio.io 5 | labels: 6 | app: mixer 7 | package: adapter 8 | istio: mixer-adapter 9 | chart: istio 10 | heritage: Tiller 11 | release: istio 12 | annotations: 13 | "helm.sh/resource-policy": keep 14 | spec: 15 | group: config.istio.io 16 | names: 17 | kind: adapter 18 | plural: adapters 19 | singular: adapter 20 | categories: 21 | - istio-io 22 | - policy-istio-io 23 | scope: Namespaced 24 | subresources: 25 | status: {} 26 | versions: 27 | - name: v1alpha2 28 | served: true 29 | storage: true 30 | --- 31 | kind: CustomResourceDefinition 32 | apiVersion: apiextensions.k8s.io/v1beta1 33 | metadata: 34 | name: instances.config.istio.io 35 | labels: 36 | app: mixer 37 | package: instance 38 | istio: mixer-instance 39 | chart: istio 40 | heritage: Tiller 41 | release: istio 42 | annotations: 43 | "helm.sh/resource-policy": keep 44 | spec: 45 | group: config.istio.io 46 | names: 47 | kind: instance 48 | plural: instances 49 | singular: instance 50 | categories: 51 | - istio-io 52 | - policy-istio-io 53 | scope: Namespaced 54 | subresources: 55 | status: {} 56 | versions: 57 | - name: v1alpha2 58 | served: true 59 | storage: true 60 | --- 61 | kind: CustomResourceDefinition 62 | apiVersion: apiextensions.k8s.io/v1beta1 63 | metadata: 64 | name: templates.config.istio.io 65 | labels: 66 | app: mixer 67 | package: template 68 | istio: mixer-template 69 | 
chart: istio
      heritage: Tiller
      release: istio
    annotations:
      "helm.sh/resource-policy": keep
  spec:
    group: config.istio.io
    names:
      kind: template
      plural: templates
      singular: template
      categories:
      - istio-io
      - policy-istio-io
    scope: Namespaced
    subresources:
      status: {}
    versions:
    - name: v1alpha2
      served: true
      storage: true
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: handlers.config.istio.io
  labels:
    app: mixer
    package: handler
    istio: mixer-handler
    chart: istio
    heritage: Tiller
    release: istio
  annotations:
    "helm.sh/resource-policy": keep
spec:
  group: config.istio.io
  names:
    kind: handler
    plural: handlers
    singular: handler
    categories:
    - istio-io
    - policy-istio-io
  scope: Namespaced
  subresources:
    status: {}
  versions:
  - name: v1alpha2
    served: true
    storage: true
---
-------------------------------------------------------------------------------- /base/kustomization.yaml: --------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- files/crd-all.gen.yaml
- files/crd-mixer.yaml
- files/crd-certmanager-10.yaml
- files/crd-certmanager-11.yaml
-------------------------------------------------------------------------------- /base/templates/clusterrole.yaml: --------------------------------------------------------------------------------
{{ if .Values.clusterResources }}
# Cluster-wide, read-only role bound to istio-reader-service-account by
# clusterrolebinding.yaml. Mind the blast radius: get/list/watch on every
# resource in the Istio API groups and on endpoints/pods/services/nodes/
# replicationcontrollers in ALL namespaces, so a leaked token for that service
# account exposes the whole cluster's service topology. Mount the token only
# into workloads that genuinely need cross-namespace reads.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-reader-{{ .Release.Namespace }}
  labels:
    app: istio-reader
    release: {{ .Release.Name }}
rules:
  - apiGroups:
    - "config.istio.io"
    - "rbac.istio.io"
    - "security.istio.io"
    - "networking.istio.io"
    - "authentication.istio.io"
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
---
{{ end }}
-------------------------------------------------------------------------------- /base/templates/clusterrolebinding.yaml: --------------------------------------------------------------------------------
{{ if .Values.clusterResources }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-reader-{{ .Release.Namespace }}
  labels:
    app: istio-reader
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-reader-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
  name: istio-reader-service-account
  namespace: {{ .Release.Namespace }}
---
{{ end }}
-------------------------------------------------------------------------------- /base/templates/crds.yaml: --------------------------------------------------------------------------------
{{ .Files.Get "files/crd-all.gen.yaml" }}
{{ .Files.Get "files/crd-mixer.yaml" }}
{{- if .Values.certmanager }}
{{- if .Values.certmanager.enabled }}
{{ .Files.Get "files/crd-certmanager-10.yaml" }}
{{ .Files.Get "files/crd-certmanager-11.yaml" }}
{{- end }}
{{- end }}
-------------------------------------------------------------------------------- /base/templates/endpoints.yaml: --------------------------------------------------------------------------------
{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
apiVersion: v1
kind: Endpoints
metadata:
5 | name: istio-pilot 6 | namespace: {{ .Release.Namespace }} 7 | subsets: 8 | - addresses: 9 | - ip: {{ .Values.global.remotePilotAddress }} 10 | ports: 11 | - port: 15003 12 | name: http-old-discovery # mTLS or non-mTLS depending on auth setting 13 | - port: 15005 14 | name: https-discovery # always mTLS 15 | - port: 15007 16 | name: http-discovery # always plain-text 17 | - port: 15010 18 | name: grpc-xds # direct 19 | - port: 15011 20 | name: https-xds # mTLS or non-mTLS depending on auth setting 21 | - port: 8080 22 | name: http-legacy-discovery # direct 23 | - port: 15014 24 | name: http-monitoring 25 | {{- end }} 26 | {{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} 27 | --- 28 | apiVersion: v1 29 | kind: Endpoints 30 | metadata: 31 | name: istio-policy 32 | namespace: {{ .Release.Namespace }} 33 | subsets: 34 | - addresses: 35 | - ip: {{ .Values.global.remotePolicyAddress }} 36 | ports: 37 | - name: grpc-mixer 38 | port: 9091 39 | - name: grpc-mixer-mtls 40 | port: 15004 41 | - name: http-monitoring 42 | port: 15014 43 | {{- end }} 44 | {{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }} 45 | --- 46 | apiVersion: v1 47 | kind: Endpoints 48 | metadata: 49 | name: istio-telemetry 50 | namespace: {{ .Release.Namespace }} 51 | subsets: 52 | - addresses: 53 | - ip: {{ .Values.global.remoteTelemetryAddress }} 54 | ports: 55 | - name: grpc-mixer 56 | port: 9091 57 | - name: grpc-mixer-mtls 58 | port: 15004 59 | - name: http-monitoring 60 | port: 15014 61 | - name: prometheus 62 | port: 42422 63 | {{- end }} 64 | -------------------------------------------------------------------------------- /base/templates/namespaces.yaml: -------------------------------------------------------------------------------- 1 | # To prevent accidental injection into istio control plane namespaces. 
2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: {{ .Release.Namespace }} 6 | labels: 7 | istio-operator-managed: Reconcile 8 | istio-injection: disabled 9 | --- 10 | 11 | {{- if ne .Values.global.istioNamespace .Release.Namespace }} 12 | apiVersion: v1 13 | kind: Namespace 14 | metadata: 15 | name: {{ .Values.global.istioNamespace }} 16 | labels: 17 | istio-operator-managed: Reconcile 18 | istio-injection: disabled 19 | --- 20 | {{- end }} 21 | 22 | {{- if and (ne .Values.global.configNamespace .Release.Namespace) (ne .Values.global.configNamespace .Values.global.istioNamespace) }} 23 | apiVersion: v1 24 | kind: Namespace 25 | metadata: 26 | name: {{ .Values.global.configNamespace }} 27 | labels: 28 | istio-operator-managed: Reconcile 29 | istio-injection: disabled 30 | --- 31 | {{- end }} 32 | 33 | {{- if ne .Values.global.telemetryNamespace .Release.Namespace }} 34 | apiVersion: v1 35 | kind: Namespace 36 | metadata: 37 | name: {{ .Values.global.telemetryNamespace }} 38 | labels: 39 | istio-operator-managed: Reconcile 40 | istio-injection: disabled 41 | --- 42 | {{- end }} 43 | 44 | {{- if and (ne .Values.global.prometheusNamespace .Release.Namespace) (ne .Values.global.prometheusNamespace .Values.global.telemetryNamespace) }} 45 | apiVersion: v1 46 | kind: Namespace 47 | metadata: 48 | name: {{ .Values.global.prometheusNamespace }} 49 | labels: 50 | istio-operator-managed: Reconcile 51 | istio-injection: disabled 52 | --- 53 | {{- end }} 54 | 55 | {{- if ne .Values.global.policyNamespace .Release.Namespace }} 56 | apiVersion: v1 57 | kind: Namespace 58 | metadata: 59 | name: {{ .Values.global.policyNamespace }} 60 | labels: 61 | istio-operator-managed: Reconcile 62 | istio-injection: disabled 63 | --- 64 | {{- end }} 65 | -------------------------------------------------------------------------------- /base/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{ if 
.Values.clusterResources }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | {{- if .Values.global.imagePullSecrets }} 5 | imagePullSecrets: 6 | {{- range .Values.global.imagePullSecrets }} 7 | - name: {{ . }} 8 | {{- end }} 9 | {{- end }} 10 | metadata: 11 | name: istio-reader-service-account 12 | namespace: {{ .Release.Namespace }} 13 | labels: 14 | app: istio-reader 15 | release: {{ .Release.Name }} 16 | --- 17 | {{ end }} 18 | -------------------------------------------------------------------------------- /base/templates/services.yaml: -------------------------------------------------------------------------------- 1 | {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: istio-pilot 6 | namespace: {{ .Release.Namespace }} 7 | spec: 8 | ports: 9 | - port: 15003 10 | name: http-old-discovery # mTLS or non-mTLS depending on auth setting 11 | - port: 15005 12 | name: https-discovery # always mTLS 13 | - port: 15007 14 | name: http-discovery # always plain-text 15 | - port: 15010 16 | name: grpc-xds # direct 17 | - port: 15011 18 | name: https-xds # mTLS or non-mTLS depending on auth setting 19 | - port: 8080 20 | name: http-legacy-discovery # direct 21 | - port: 15014 22 | name: http-monitoring 23 | clusterIP: None 24 | --- 25 | {{- end }} 26 | {{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} 27 | apiVersion: v1 28 | kind: Service 29 | metadata: 30 | name: istio-policy 31 | namespace: {{ .Release.Namespace }} 32 | spec: 33 | ports: 34 | - name: grpc-mixer 35 | port: 9091 36 | - name: grpc-mixer-mtls 37 | port: 15004 38 | - name: http-monitoring 39 | port: 15014 40 | clusterIP: None 41 | --- 42 | {{- end }} 43 | {{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }} 44 | apiVersion: v1 45 | kind: Service 46 | metadata: 47 | name: istio-telemetry 48 | namespace: {{ .Release.Namespace }} 
49 | spec: 50 | ports: 51 | - name: grpc-mixer 52 | port: 9091 53 | - name: grpc-mixer-mtls 54 | port: 15004 55 | - name: http-monitoring 56 | port: 15014 57 | - name: prometheus 58 | port: 42422 59 | clusterIP: None 60 | --- 61 | {{- end }} 62 | -------------------------------------------------------------------------------- /base/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/installer/16d1d1bf192f447bba752d2e6df725177183cbbf/base/values.yaml -------------------------------------------------------------------------------- /bin/cleanup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -xe 2 | 3 | # Copyright Istio Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | 17 | # Cleanup all namespaces 18 | 19 | for namespace in istio-system istio-control istio-control-master istio-ingress istio-telemetry istio-cni; do 20 | kubectl delete namespace $namespace --wait --ignore-not-found 21 | done 22 | 23 | ACTIVE_NAMESPACES=$(kubectl get namespaces --no-headers -l istio-env -o=custom-columns=NAME:.metadata.name) 24 | for ns in $ACTIVE_NAMESPACES; do 25 | kubectl label namespaces ${ns} istio-env- 26 | done -------------------------------------------------------------------------------- /bin/report.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Istio Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
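# Generate junit reports
#
# Converts every *.log under ${GOPATH}/out/logs into a JUnit XML report under
# ${GOPATH}/out/report using go-junit-report. Honors an explicit JUNIT_REPORT
# path; otherwise falls back to the conventional install location and builds
# the tool into ${GOPATH}/bin if it is not present.

JUNIT_REPORT=${JUNIT_REPORT:-/usr/local/bin/go-junit-report}

# Running in machine - nothing pre-installed
# `[ -nf ... ]` is not a valid test operator; the intent is "binary not present".
if [ ! -f "${JUNIT_REPORT}" ] ; then
  make "${GOPATH}/bin/go-junit-report"
  JUNIT_REPORT=${GOPATH}/bin/go-junit-report
fi

# The report directory is not guaranteed to exist before the first run.
mkdir -p "${GOPATH}/out/report"

# `for $i` is a syntax error and `$(JUNIT_REPORT)` would try to execute a command
# named JUNIT_REPORT; expand the variable instead. `$(i)` likewise ran a command
# named "i" — the report is named after the log's basename.
for i in "${GOPATH}"/out/logs/*.log ; do
  "${JUNIT_REPORT}" < "$i" > "${GOPATH}/out/report/$(basename "$i" .log).xml"
done


-------------------------------------------------------------------------------- /bin/with-kind.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Copyright 2019 Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -eux

export ARTIFACTS="${ARTIFACTS:-$(mktemp -d)}"

# Temporary hack
export PATH=${GOPATH}/bin:${PATH}

function cleanup_kind_cluster() {
  if [[ -z "${SKIP_KIND_CLEANUP:-}" ]]; then
    kind export logs --name istio-testing "${ARTIFACTS}/kind" || true
    kind delete cluster --name=istio-testing
  fi
}

function setup_kind_cluster() {
  # Delete any previous e2e KinD cluster
  echo "Deleting previous KinD cluster with name=istio-testing"
  if ! (kind delete cluster --name=istio-testing) > /dev/null; then
    echo "No existing kind cluster with name istio-testing. Continue..."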
36 | fi 37 | 38 | trap cleanup_kind_cluster EXIT 39 | 40 | # Create KinD cluster 41 | if ! (kind create cluster --name=istio-testing --config test/kind/kind-prow.yaml --loglevel debug --retain --wait 30s); then 42 | echo "Could not setup KinD environment. Something wrong with KinD setup. Exporting logs." 43 | exit 1 44 | fi 45 | 46 | KUBECONFIG="$(kind get kubeconfig-path --name="istio-testing")" 47 | export KUBECONFIG 48 | } 49 | 50 | setup_kind_cluster 51 | 52 | "$@" 53 | -------------------------------------------------------------------------------- /common/.commonfiles.sha: -------------------------------------------------------------------------------- 1 | 70a676918f114f4d48e7784795c05d1b4ced7884 2 | -------------------------------------------------------------------------------- /common/config/.hadolint.yml: -------------------------------------------------------------------------------- 1 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 2 | # 3 | # The original version of this file is located in the https://github.com/istio/common-files repo. 4 | # If you're looking at this file in a different repo and want to make a change, please go to the 5 | # common-files repo, make the change there and check it in. Then come back to this repo and run 6 | # "make update-common". 7 | 8 | ignored: 9 | 10 | trustedRegistries: 11 | - gcr.io 12 | - docker.io 13 | -------------------------------------------------------------------------------- /common/config/.yamllint.yml: -------------------------------------------------------------------------------- 1 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 2 | # 3 | # The original version of this file is located in the https://github.com/istio/common-files repo. 4 | # If you're looking at this file in a different repo and want to make a change, please go to the 5 | # common-files repo, make the change there and check it in. Then come back to this repo and run 6 | # "make update-common". 
7 | 8 | rules: 9 | braces: disable 10 | brackets: disable 11 | colons: enable 12 | commas: disable 13 | comments: disable 14 | comments-indentation: disable 15 | document-end: disable 16 | document-start: disable 17 | empty-lines: disable 18 | empty-values: enable 19 | hyphens: enable 20 | indentation: disable 21 | key-duplicates: enable 22 | key-ordering: disable 23 | line-length: disable 24 | new-line-at-end-of-file: disable 25 | new-lines: enable 26 | octal-values: enable 27 | quoted-strings: disable 28 | trailing-spaces: disable 29 | truthy: disable 30 | -------------------------------------------------------------------------------- /common/config/mdl.rb: -------------------------------------------------------------------------------- 1 | all 2 | rule 'MD002', :level => 1 3 | rule 'MD007', :indent => 4 4 | rule 'MD013', :line_length => 160, :code_blocks => false, :tables => false 5 | rule 'MD026', :punctuation => ".,;:!" 6 | exclude_rule 'MD013' 7 | exclude_rule 'MD014' 8 | exclude_rule 'MD030' 9 | exclude_rule 'MD032' 10 | exclude_rule 'MD033' 11 | exclude_rule 'MD041' 12 | exclude_rule 'MD046' 13 | -------------------------------------------------------------------------------- /common/config/sass-lint.yml: -------------------------------------------------------------------------------- 1 | ######################### 2 | ## Config for sass-lint 3 | ######################### 4 | # Linter Options 5 | options: 6 | # Don't merge default rules 7 | merge-default-rules: false 8 | # Raise an error if more than 50 warnings are generated 9 | max-warnings: 500 10 | # Rule Configuration 11 | rules: 12 | attribute-quotes: 13 | - 2 14 | - 15 | include: false 16 | bem-depth: 2 17 | border-zero: 2 18 | brace-style: 2 19 | class-name-format: 2 20 | clean-import-paths: 2 21 | declarations-before-nesting: 2 22 | empty-args: 2 23 | empty-line-between-blocks: 2 24 | extends-before-declarations: 2 25 | extends-before-mixins: 2 26 | final-newline: 2 27 | force-attribute-nesting: 0 
28 | force-element-nesting: 0 29 | force-pseudo-nesting: 0 30 | function-name-format: 2 31 | hex-length: 0 32 | hex-notation: 2 33 | id-name-format: 2 34 | indentation: 35 | - 2 36 | - 37 | size: 4 38 | leading-zero: 39 | - 2 40 | - 41 | include: false 42 | max-file-line-count: 0 43 | max-file-length: 0 44 | mixins-before-declarations: 2 45 | no-attribute-selectors: 0 46 | no-color-hex: 0 47 | no-color-keywords: 0 48 | no-color-literals: 0 49 | no-combinators: 0 50 | no-css-comments: 2 51 | no-debug: 2 52 | no-disallowed-properties: 2 53 | no-duplicate-properties: 2 54 | no-empty-rulesets: 2 55 | no-extends: 2 56 | no-ids: 0 57 | no-invalid-hex: 2 58 | no-important: 0 59 | no-mergeable-selectors: 2 60 | no-misspelled-properties: 2 61 | no-qualifying-elements: 0 62 | no-trailing-whitespace: 2 63 | no-trailing-zero: 2 64 | no-transition-all: 0 65 | no-url-domains: 2 66 | no-url-protocols: 2 67 | no-warn: 2 68 | one-declaration-per-line: 2 69 | placeholder-in-extend: 2 70 | placeholder-name-format: 2 71 | property-sort-order: 0 72 | property-units: 2 73 | pseudo-element: 2 74 | quotes: 75 | - 2 76 | - 77 | style: double 78 | shorthand-values: 2 79 | single-line-per-selector: 0 80 | space-after-bang: 2 81 | space-after-colon: 2 82 | space-after-comma: 2 83 | space-around-operator: 2 84 | space-before-bang: 2 85 | space-before-brace: 2 86 | space-before-colon: 2 87 | space-between-parens: 2 88 | trailing-semicolon: 2 89 | url-quotes: 2 90 | variable-for-property: 91 | - 0 92 | - 93 | properties: 94 | - color 95 | - background-color 96 | - fill 97 | variable-name-format: 0 98 | zero-unit: 2 99 | -------------------------------------------------------------------------------- /common/config/tslint.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultSeverity": "error", 3 | "extends": [ 4 | "tslint:recommended" 5 | ], 6 | "rules": { 7 | "max-line-length": { 8 | "options": [160] 9 | }, 10 | "arrow-parens": false, 11 | 
"new-parens": true, 12 | "no-arg": true, 13 | "no-bitwise": true, 14 | "no-conditional-assignment": true, 15 | "no-consecutive-blank-lines": true, 16 | "no-console": { 17 | "severity": "warning", 18 | "options": ["debug", "info", "log", "time", "timeEnd", "trace"] 19 | }, 20 | "no-shadowed-variable": false, 21 | "eofline": false 22 | }, 23 | "jsRules": {}, 24 | "rulesDirectory": [] 25 | } -------------------------------------------------------------------------------- /common/scripts/check_clean_repo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2019 Istio Authors 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | if [[ -n $(git status --porcelain) ]]; then 18 | git status 19 | git diff 20 | echo "ERROR: Some files need to be updated, please run 'make gen' and include any changed files in your PR" 21 | exit 1 22 | fi 23 | -------------------------------------------------------------------------------- /common/scripts/lint_copyright_banner.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 
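# If you're looking at this file in a different repo and want to make a change, please go to the
# common-files repo, make the change there and check it in. Then come back to this repo and run
# "make update-common".

# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -e

# Checks every file given on the command line for the Apache license banner and a
# copyright line, prints each omission, and exits non-zero if any file lacks one.
#
# `-L` (list non-matching files) was combined with `-q`, which suppresses all output,
# so it only influenced the exit status — and the exit status of `-L` has differed
# between grep versions. A plain `-q` match is what the `if !` condition expects.
ec=0
for fn in "$@"; do
  if ! grep -q -e "Apache License, Version 2" "${fn}"; then
    echo "Missing license: ${fn}"
    ec=1
  fi

  if ! grep -q -e "Copyright" "${fn}"; then
    echo "Missing copyright: ${fn}"
    ec=1
  fi
done

exit "$ec"

-------------------------------------------------------------------------------- /common/scripts/lint_go.sh: --------------------------------------------------------------------------------
#!/bin/bash

# WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
#
# The original version of this file is located in the https://github.com/istio/common-files repo.
# If you're looking at this file in a different repo and want to make a change, please go to the
# common-files repo, make the change there and check it in. Then come back to this repo and run
# "make update-common".

# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.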
14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 23 | 24 | golangci-lint run -c ./common/config/.golangci.yml 25 | -------------------------------------------------------------------------------- /common/scripts/report_build_info.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 
23 | 24 | if BUILD_GIT_REVISION=$(git rev-parse HEAD 2> /dev/null); then 25 | if [[ -n "$(git status --porcelain 2>/dev/null)" ]]; then 26 | BUILD_GIT_REVISION=${BUILD_GIT_REVISION}"-dirty" 27 | fi 28 | else 29 | BUILD_GIT_REVISION=unknown 30 | fi 31 | 32 | # Check for local changes 33 | if git diff-index --quiet HEAD --; then 34 | tree_status="Clean" 35 | else 36 | tree_status="Modified" 37 | fi 38 | 39 | # security wanted VERSION='unknown' 40 | VERSION="${BUILD_GIT_REVISION}" 41 | if [[ -n ${ISTIO_VERSION} ]]; then 42 | VERSION="${ISTIO_VERSION}" 43 | fi 44 | 45 | GIT_DESCRIBE_TAG=$(git describe --tags) 46 | HUB=${HUB:-""} 47 | 48 | # used by common/scripts/gobuild.sh 49 | echo "istio.io/pkg/version.buildVersion=${VERSION}" 50 | echo "istio.io/pkg/version.buildGitRevision=${BUILD_GIT_REVISION}" 51 | echo "istio.io/pkg/version.buildStatus=${tree_status}" 52 | echo "istio.io/pkg/version.buildTag=${GIT_DESCRIBE_TAG}" 53 | echo "istio.io/pkg/version.buildHub=${HUB}" 54 | -------------------------------------------------------------------------------- /docs/labels.md: -------------------------------------------------------------------------------- 1 | = Upgrade and deployment labels 2 | 3 | The most frequent problem in Istio with 'upgrade in place' is the label missmatch for deployments. 4 | 5 | This happens when the upgrade Deployment.template.metadata.labels object on the upgrade doesn't matches 6 | the previous version. 7 | 8 | Example error: 9 | 10 | ```text 11 | for: "test/demo": Deployment.apps "egressgateway" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app":"istio-egressgateway", "istio":"egressgateway"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable 12 | ``` 13 | 14 | For Istio 1.0, the label style was: 15 | 16 | ```yaml 17 | ... 18 | labels: 19 | app: pilot 20 | istio: pilot 21 | ``` 22 | 23 | 'matchLabels' is only used in prometheus, with 'app:prometheus'. 
24 | 25 | In 1.1, we added 3 more labels: 26 | 27 | ```yaml 28 | template: 29 | metadata: 30 | labels: 31 | app: pilot 32 | istio: pilot 33 | 34 | chart: pilot 35 | heritage: Tiller 36 | release: istio 37 | ``` 38 | 39 | For 1.2, we want to stop adding 'chart'/'heritage'/release, to reduce the dependency on Helm/Tiller and avoid 40 | similar problems in the future. 41 | 42 | We also want to allow in-place update of istio-system, for demo or users who need this (as a backup 43 | plan). 44 | 45 | As such, the deployments have special code to generate the Tiller-related labels - but only if the install 46 | is done in istio-system, in 'legacy' mode. 47 | -------------------------------------------------------------------------------- /gateways/istio-egress/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-egress 3 | version: 1.1.0 4 | tillerVersion: ">=2.7.2" 5 | description: Helm chart for deploying Istio gateways 6 | keywords: 7 | - istio 8 | - egressgateway 9 | - gateways 10 | sources: 11 | - http://github.com/istio/istio 12 | engine: gotpl 13 | icon: https://istio.io/favicons/android-192x192.png 14 | -------------------------------------------------------------------------------- /gateways/istio-egress/NOTES.txt: -------------------------------------------------------------------------------- 1 | 2 | Changes: 3 | - separate namespace allows: 4 | -- easier reconfig of just the gateway 5 | -- TLS secrets and domain name management is isolated, for better security 6 | -- simplified configuration 7 | -- multiple versions of the ingress can be used, to minize upgrade risks 8 | 9 | - the new chart uses the default namespace service account, and doesn't require 10 | additional RBAC permissions. 11 | 12 | - simplified label structure. Label change is not supported on upgrade. 13 | 14 | - for 'internal load balancer' you should deploy a separate gateway, in a different 15 | namespace. 
16 | 17 | All ingress gateway have a "app:ingressgateway" label, used to identify it as an 18 | ingress, and an "istio: ingressgateway$SUFFIX" label of Gateway selection. 19 | 20 | The Gateways use "istio: ingressgateway$SUFFIX" selectors. 21 | 22 | 23 | # Multiple gateway versions 24 | 25 | 26 | 27 | # Using different pilot versions 28 | 29 | 30 | 31 | # Migration from istio-system 32 | 33 | Istio 1.0 includes the gateways in istio-system. Since the external IP is associated 34 | with the Service and bound to the namespace, it is recommended to: 35 | 36 | 1. Install the new gateway in a new namespace. 37 | 2. Copy any TLS certificate to the new namespace, and configure the domains. 38 | 3. Checking the new gateway work - for example by overriding the IP in /etc/hosts 39 | 4. Modify the DNS server to add the A record of the new namespace 40 | 5. Check traffic 41 | 6. Delete the A record corresponding to the gateway in istio-system 42 | 7. Upgrade istio-system, disabling the ingressgateway 43 | 8. Delete the domain TLS certs from istio-system. 44 | 45 | If using certmanager, all Certificate and associated configs must be moved as well. 46 | -------------------------------------------------------------------------------- /gateways/istio-egress/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "gateway.name" -}} 6 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 7 | {{- default .Chart.Name $gateway.nameOverride | trunc 63 | trimSuffix "-" -}} 8 | {{- end -}} 9 | 10 | {{/* 11 | Create a default fully qualified app name. 12 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 13 | If release name contains chart name it will be used as a full name. 
14 | */}} 15 | {{- define "gateway.fullname" -}} 16 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 17 | {{- if $gateway.fullnameOverride -}} 18 | {{- $gateway.fullnameOverride | trunc 63 | trimSuffix "-" -}} 19 | {{- else -}} 20 | {{- $name := default .Chart.Name $gateway.nameOverride -}} 21 | {{- if contains $name .Release.Name -}} 22 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 23 | {{- else -}} 24 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 25 | {{- end -}} 26 | {{- end -}} 27 | {{- end -}} 28 | 29 | {{/* 30 | Create chart name and version as used by the chart label. 31 | */}} 32 | {{- define "gateway.chart" -}} 33 | {{- .Chart.Name | trunc 63 | trimSuffix "-" -}} 34 | {{- end -}} 35 | -------------------------------------------------------------------------------- /gateways/istio-egress/templates/autoscale.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 2 | {{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} 3 | apiVersion: autoscaling/v2beta1 4 | kind: HorizontalPodAutoscaler 5 | metadata: 6 | name: istio-egressgateway 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{ $gateway.labels | toYaml | indent 4 }} 10 | release: {{ .Release.Name }} 11 | spec: 12 | maxReplicas: {{ $gateway.autoscaleMax }} 13 | minReplicas: {{ $gateway.autoscaleMin }} 14 | scaleTargetRef: 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | name: istio-egressgateway 18 | metrics: 19 | - type: Resource 20 | resource: 21 | name: cpu 22 | targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} 23 | --- 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /gateways/istio-egress/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if 
.Values.global.defaultPodDisruptionBudget.enabled }} 2 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 3 | apiVersion: policy/v1beta1 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: istio-egressgateway 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{ $gateway.labels | toYaml | indent 4 }} 10 | release: {{ .Release.Name }} 11 | spec: 12 | minAvailable: 1 13 | selector: 14 | matchLabels: 15 | {{ $gateway.labels | toYaml | indent 6 }} 16 | release: {{ .Release.Name }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /gateways/istio-egress/templates/preconfigured.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 2 | {{- if $gateway.zvpn.enabled }} 3 | apiVersion: networking.istio.io/v1alpha3 4 | kind: Gateway 5 | metadata: 6 | name: istio-multicluster-egressgateway 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{ $gateway.labels | toYaml | indent 4 }} 10 | release: {{ .Release.Name }} 11 | spec: 12 | selector: 13 | istio: egressgateway 14 | servers: 15 | - hosts: 16 | - "*.{{ $gateway.zvpn.suffix }}" 17 | port: 18 | name: tls 19 | number: 15443 20 | protocol: TLS 21 | tls: {} 22 | --- 23 | apiVersion: networking.istio.io/v1alpha3 24 | kind: VirtualService 25 | metadata: 26 | name: istio-multicluster-egressgateway 27 | namespace: {{ .Release.Namespace }} 28 | labels: 29 | {{ $gateway.labels | toYaml | indent 4 }} 30 | release: {{ .Release.Name }} 31 | spec: 32 | gateways: 33 | - istio-multicluster-egressgateway 34 | hosts: 35 | - "*.{{ $gateway.zvpn.suffix }}" 36 | tls: 37 | - match: 38 | - port: 15443 39 | sniHosts: 40 | - "*.{{ $gateway.zvpn.suffix }}" 41 | route: 42 | - destination: 43 | host: non.existent.cluster 44 | port: 45 | number: 15443 46 | weight: 100 47 | --- 48 | apiVersion: networking.istio.io/v1alpha3 49 | kind: EnvoyFilter 50 | metadata: 51 | name: 
istio-multicluster-egressgateway 52 | namespace: {{ .Release.Namespace }} 53 | labels: 54 | {{ $gateway.labels | toYaml | indent 4 }} 55 | release: {{ .Release.Name }} 56 | spec: 57 | workloadLabels: 58 | istio: egressgateway 59 | filters: 60 | - listenerMatch: 61 | portNumber: 15443 62 | listenerType: GATEWAY 63 | filterName: envoy.filters.network.sni_cluster 64 | filterType: NETWORK 65 | filterConfig: {} 66 | --- 67 | ## To ensure all traffic to *.global is using mTLS 68 | apiVersion: networking.istio.io/v1alpha3 69 | kind: DestinationRule 70 | metadata: 71 | name: istio-multicluster-egressgateway 72 | namespace: {{ .Release.Namespace }} 73 | labels: 74 | {{ $gateway.labels | toYaml | indent 4 }} 75 | release: {{ .Release.Name }} 76 | spec: 77 | host: "*.{{ $gateway.zvpn.suffix }}" 78 | trafficPolicy: 79 | tls: 80 | mode: ISTIO_MUTUAL 81 | --- 82 | {{- end }} 83 | -------------------------------------------------------------------------------- /gateways/istio-egress/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: istio-egressgateway 6 | namespace: {{ .Release.Namespace }} 7 | annotations: 8 | {{- range $key, $val := $gateway.serviceAnnotations }} 9 | {{ $key }}: {{ $val | quote }} 10 | {{- end }} 11 | labels: 12 | {{ $gateway.labels | toYaml | indent 4 }} 13 | release: {{ .Release.Name }} 14 | spec: 15 | type: ClusterIP 16 | selector: 17 | {{ $gateway.labels | toYaml | indent 4 }} 18 | ports: 19 | {{- range $key, $val := $gateway.ports }} 20 | - 21 | {{- range $pkey, $pval := $val }} 22 | {{ $pkey}}: {{ $pval }} 23 | {{- end }} 24 | {{- end }} 25 | --- 26 | -------------------------------------------------------------------------------- /gateways/istio-egress/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{ 
$gateway := index .Values "gateways" "istio-egressgateway" }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | {{- if .Values.global.imagePullSecrets }} 5 | imagePullSecrets: 6 | {{- range .Values.global.imagePullSecrets }} 7 | - name: {{ . }} 8 | {{- end }} 9 | {{- end }} 10 | metadata: 11 | name: istio-egressgateway-service-account 12 | namespace: {{ .Release.Namespace }} 13 | labels: 14 | {{ $gateway.labels | toYaml | indent 4 }} 15 | release: {{ .Release.Name }} 16 | -------------------------------------------------------------------------------- /gateways/istio-ingress/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-ingress 3 | version: 1.1.0 4 | tillerVersion: ">=2.7.2" 5 | description: Helm chart for deploying Istio gateways 6 | keywords: 7 | - istio 8 | - ingressgateway 9 | - gateways 10 | sources: 11 | - http://github.com/istio/istio 12 | engine: gotpl 13 | icon: https://istio.io/favicons/android-192x192.png 14 | -------------------------------------------------------------------------------- /gateways/istio-ingress/NOTES.txt: -------------------------------------------------------------------------------- 1 | 2 | Changes: 3 | - separate namespace allows: 4 | -- easier reconfig of just the gateway 5 | -- TLS secrets and domain name management is isolated, for better security 6 | -- simplified configuration 7 | -- multiple versions of the ingress can be used, to minimize upgrade risks 8 | 9 | - the new chart uses the default namespace service account, and doesn't require 10 | additional RBAC permissions. 11 | 12 | - simplified label and chart structure. 13 | - ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades 14 | and allows a bit more flexibility. 15 | - the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress. 
16 | 17 | # Port and basic host configuration 18 | 19 | In order to configure the Service object, the install/upgrade needs to provide a list of all ports. 20 | In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured 21 | both in upgrade, Gateway and VirtualService. 22 | 23 | The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports, 24 | Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual 25 | config for the rest. 26 | 27 | All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism. 28 | 29 | # Migration from istio-system 30 | 31 | Istio 1.0 includes the gateways in istio-system. Since the external IP is associated 32 | with the Service and bound to the namespace, it is recommended to: 33 | 34 | 1. Install the new gateway in a new namespace. 35 | 2. Copy any TLS certificate to the new namespace, and configure the domains. 36 | 3. Checking the new gateway work - for example by overriding the IP in /etc/hosts 37 | 4. Modify the DNS server to add the A record of the new namespace 38 | 5. Check traffic 39 | 6. Delete the A record corresponding to the gateway in istio-system 40 | 7. Upgrade istio-system, disabling the ingressgateway 41 | 8. Delete the domain TLS certs from istio-system. 42 | 43 | If using certmanager, all Certificate and associated configs must be moved as well. 
--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/addongateway.yaml:
--------------------------------------------------------------------------------
# Template for telemetry addon gateways.
#
# For every enabled entry in gateways.istio-ingressgateway.telemetry_addon_gateways this emits a
# Gateway + VirtualService + DestinationRule that publishes the addon Service
# (<name>.<release namespace>.svc) on a dedicated port of the shared ingress gateway.
#
# SECURITY NOTE: the server below matches hosts "*", terminates TLS with the gateway's default
# certificate and forwards to the addon in plaintext (DestinationRule tls DISABLE). Nothing in
# this file authenticates the caller, so an enabled addon (dashboards, tracing UI, ...) is
# reachable by anyone who can reach the gateway's external IP on $addon.port. Restrict exposure
# before enabling one behind a public load balancer, e.g. via loadBalancerSourceRanges on the
# gateway Service (service.yaml) or an authorization policy in front of the addon.
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{ range $addon := $gateway.telemetry_addon_gateways }}
{{ if $addon.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-{{ $addon.name }}-gateway
  namespace: {{ $.Release.Namespace }}
  labels:
    app: {{ $addon.name }}
    release: {{ $.Release.Name }}
spec:
  # Same ingress gateway pods as the main gateway (gateway.yaml).
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: {{ $addon.port }}
      name: https-{{ $addon.name }}
      protocol: HTTPS
    tls:
      # SIMPLE: server-side TLS only, no client certificate. The files are the default
      # certificate mounted from the istio-ingressgateway-certs Secret, shared with port 443.
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{ $addon.name }}-virtual-service
  namespace: {{ $.Release.Namespace }}
  labels:
    app: {{ $addon.name }}
    release: {{ $.Release.Name }}
spec:
  hosts:
  - "*"
  gateways:
  - istio-{{ $addon.name }}-gateway
  http:
  # Port-based routing only: anything arriving on $addon.port goes to the addon, whatever the Host header.
  - match:
    - port: {{ $addon.port }}
    route:
    - destination:
        host: {{ $addon.name }}.{{ $.Release.Namespace }}.svc.{{ $.Values.global.proxy.clusterDomain }}
        port:
          # Note the values key is 'desPort' here (hosts.yaml uses 'destPort'); it must match values.yaml.
          number: {{ $addon.desPort }}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ $addon.name }}
  namespace: {{ $.Release.Namespace }}
  labels:
    app: {{ $addon.name }}
    release: {{ $.Release.Name }}
spec:
  host: {{ $addon.name }}.{{ $.Release.Namespace }}.svc.{{ $.Values.global.proxy.clusterDomain }}
  trafficPolicy:
    tls:
      # Gateway -> addon hop is plaintext, presumably because the addon pods run without a
      # sidecar — confirm before relying on mesh mTLS for this path.
      mode: DISABL­E
---
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/autoscale.yaml:
--------------------------------------------------------------------------------
# HorizontalPodAutoscaler for the ingress gateway Deployment.
# Emitted only when autoscaleEnabled, autoscaleMin and autoscaleMax are all set and non-zero
# (Go templates treat 0 and "" as false in `and`).
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-ingressgateway
  namespace: {{ .Release.Namespace }}
  labels:
{{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
spec:
  maxReplicas: {{ $gateway.autoscaleMax }}
  minReplicas: {{ $gateway.autoscaleMin }}
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway
  metrics:
  - type: Resource
    resource:
      name: cpu
      targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
---
{{- end }}
--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/certificate.yaml:
--------------------------------------------------------------------------------
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{ if $gateway.certificates }}
---
# Auto-generate Certmanager Issuer and certificate requests.
# Requires 'email' to be set, for Let's Encrypt use.
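apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  # Namespaced ACME issuer; its account key lives in the 'letsencrypt' Secret of this namespace.
  name: letsencrypt
  namespace: {{ .Release.Namespace }}
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: {{ $gateway.email }}
    privateKeySecretRef:
      name: letsencrypt
    # http01 challenges need plaintext port 80 of this gateway reachable from the ACME server
    # (gateway.yaml keeps a port-80 HTTP server open on hosts "*").
    http01: {}
---

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: istio-ingressgateway-certs
  namespace: {{ .Release.Namespace }}
spec:
  # The resulting Secret is what gateway.yaml / addongateway.yaml use as
  # /etc/istio/ingressgateway-certs/tls.{crt,key}.
  secretName: istio-ingressgateway-certs
  issuerRef:
    name: letsencrypt
    # Fix: this referenced kind ClusterIssuer, but the issuer created above is a namespaced
    # Issuer; unless an unrelated ClusterIssuer named 'letsencrypt' happened to exist, the
    # Certificate could never be issued.
    kind: Issuer
  commonName: {{ $gateway.commonName }}
  dnsNames:
  {{- range $key := $gateway.certificates }}
  - {{ $key }}
  {{- end }}
  acme:
    config:
    - http01:
        ingressClass: istio
      domains:
      {{- range $key := $gateway.certificates }}
      - {{ $key }}
      {{- end }}
{{- end }}

--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/gateway.yaml:
--------------------------------------------------------------------------------
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
# Main Gateway. Apps must bind to NAMESPACE/ingressgateway
#
# SECURITY NOTE: every server here matches hosts "*". Port 80 is plaintext, always on and has
# no httpsRedirect: it is needed for the cert-manager http01 challenge (certificate.yaml), but
# it also means any VirtualService bound to this gateway is reachable over HTTP unless the
# VirtualService itself restricts that. TLS on 443 is SIMPLE (server-only) with the default
# certificate from the istio-ingressgateway-certs Secret.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingressgateway
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
spec:
  selector:
    istio: ingressgateway
  servers:
  {{- if $gateway.tls }}
  - port:
      number: 443
      name: https-default
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*"
  {{- end }}
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  # Additional ports in gateway for the ingressPorts - apps using dedicated port instead of hostname.
  # These are plaintext HTTP2 servers (no tls block), matched by port only in hosts.yaml.
  {{ range $app := $gateway.ingressPorts }}
  - port:
      number: {{ $app.port }}
      name: {{ $app.name }}
      protocol: HTTP2
    hosts:
    - "*"
  {{- end }}
--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/hosts.yaml:
--------------------------------------------------------------------------------
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}

# TODO: range TCP ports, add ports
# {{ $gateway.domain }}
#
# Host-based routing: one VirtualService per entry of gateways.istio-ingressgateway.hosts,
# matching "<name>.<domain>" on the main gateway and forwarding to <dest>:<destPort>.
{{ range $app := $gateway.hosts }}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{ $app.name }}
  namespace: {{ $.Release.Namespace }}
  labels:
    release: {{ $.Release.Name }}
spec:
  hosts:
  - "{{ $app.name }}.{{ $gateway.domain }}"
  gateways:
  - ingressgateway
  http:
  - route:
    - destination:
        host: {{ $app.dest }}
        port:
          number: {{ $app.destPort }}
{{- end }}

# Port-based routing: one VirtualService per ingressPorts entry, matching any Host on the
# dedicated port opened in gateway.yaml. NOTE: both loops name the VirtualService after
# $app.name, so a name used in both 'hosts' and 'ingressPorts' would collide.
{{ range $app := $gateway.ingressPorts }}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{ $app.name }}
  namespace: {{ $.Release.Namespace }}
  labels:
    release: {{ $.Release.Name }}
spec:
  hosts:
  - "*"
  gateways:
  - ingressgateway
  http:
  - match:
    - port: {{ $app.port }}
    route:
    - destination:
        host: {{ $app.dest }}
        port:
          number: {{ $app.destPort }}
{{- end }}
--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/meshexpansion.yaml:
--------------------------------------------------------------------------------
# Mesh expansion: exposes the control plane to workloads outside the cluster through the
# ingress gateway as raw TCP passthrough (Pilot 15011, Citadel 8060) on hosts "*".
#
# SECURITY NOTE: the gateway does not authenticate these connections. Protection relies on the
# backend's own (m)TLS — Pilot's 15011 is expected to require client certificates, confirm for
# your control-plane settings — and on restricting who can reach the external IP
# (loadBalancerSourceRanges in service.yaml).
{{- if .Values.global.meshExpansion.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: meshexpansion-gateway
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15011
      protocol: TCP
      name: tcp-pilot
    hosts:
    - "*"
  - port:
      number: 8060
      protocol: TCP
      name: tcp-citadel
    hosts:
    - "*"
---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: meshexpansion-vs-pilot
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
spec:
  hosts:
  - istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
  gateways:
  - meshexpansion-gateway
  tcp:
  - match:
    - port: 15011
    route:
    - destination:
        host: istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
        port:
          number: 15011
---

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: meshexpansion-dr-pilot
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
spec:
  # Fix: the VirtualService above targets istio-pilot in global.istioNamespace, but this rule
  # used .Release.Namespace. With the gateway installed outside the control-plane namespace the
  # rule named a different host, so the per-port TLS override below never applied.
  host: istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
  trafficPolicy: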
# (continuation of meshexpansion-dr-pilot: spec.trafficPolicy)
    portLevelSettings:
    - port:
        number: 15011
      tls:
        # DISABLE stops the gateway from originating TLS on this hop: 15011 is forwarded as
        # opaque TCP so the remote client's own (m)TLS session to Pilot, if any, passes through.
        mode: DISABLE
---


# Citadel (CA) exposure for mesh expansion. NOTE(review): these hosts use $.Release.Namespace
# while the Pilot entries above use .Values.global.istioNamespace; when the gateway is not
# installed in the control-plane namespace this names a Service that may not exist — confirm
# and align with the Pilot entries.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: meshexpansion-vs-citadel
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
spec:
  hosts:
  - istio-citadel.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
  gateways:
  - meshexpansion-gateway
  tcp:
  - match:
    - port: 8060
    route:
    - destination:
        host: istio-citadel.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
        port:
          number: 8060

{{- end }}

--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/poddisruptionbudget.yaml:
--------------------------------------------------------------------------------
# Keeps at least one ingress gateway pod available during voluntary disruptions (drains, upgrades).
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: ingressgateway
  namespace: {{ .Release.Namespace }}
  labels:
{{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
spec:
  minAvailable: 1
  selector:
    matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
      release: {{ .Release.Name }}
{{- end }}
--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/role.yaml:
--------------------------------------------------------------------------------
# RBAC for the gateway's SDS (Secret Discovery Service) path, where the gateway fetches TLS
# Secrets from the API server instead of having them mounted.
#
# SECURITY NOTE: the rules (below) grant get/list/watch on *all* Secrets in this namespace,
# not only the gateway's TLS material. Run the gateway in its own namespace and keep nothing
# but its certificates there, so this Role cannot be used to read unrelated credentials.
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if or $gateway.sds.enabled .Values.global.istiod.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-ingressgateway-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  # Namespace-wide read of Secrets, no resourceNames scoping; see the note at the top of the file.
  verbs: ["get", "watch", "list"]
---
{{- end }}
--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/rolebindings.yaml:
--------------------------------------------------------------------------------
# Binds the SDS Role (role.yaml) to the gateway's ServiceAccount. A namespaced RoleBinding, so
# the grant stays confined to the release namespace.
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if or $gateway.sds.enabled .Values.global.istiod.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-ingressgateway-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
- kind: ServiceAccount
  # No namespace given: in a RoleBinding a ServiceAccount subject defaults to the binding's own
  # namespace, i.e. the account created in serviceaccount.yaml.
  name: istio-ingressgateway-service-account
---
{{- end }}
--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/service.yaml:
--------------------------------------------------------------------------------
# The externally reachable Service for the ingress gateway. Skipped when customService is set,
# so operators can supply their own Service definition.
#
# SECURITY NOTE: everything added to 'ports' here (including meshExpansionPorts and
# ingressPorts) is exposed on the load balancer. loadBalancerSourceRanges is the only
# allow-list in this chart; leave it empty only if every port is meant to be world-reachable.
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if not $gateway.customService }}
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: {{ .Release.Namespace }}
  annotations:
    {{- range $key, $val := $gateway.serviceAnnotations }}
    {{ $key }}: {{ $val | quote }}
    {{- end }}
  labels:
{{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
spec:
  {{- if $gateway.loadBalancerIP }}
  loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
  {{- end }}
  {{- if $gateway.loadBalancerSourceRanges }}
  # Cloud-provider firewall allow-list (CIDRs) for the load balancer.
  loadBalancerSourceRanges:
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
  {{- end }}
  {{- if $gateway.externalTrafficPolicy }}
  # 'Local' preserves the client source IP (needed if anything downstream filters on it).
  externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
  {{- end }}
  type: {{ $gateway.type }}
  selector:
{{ $gateway.labels | toYaml | indent 4 }}
  ports:

  # Each entry of $gateway.ports is emitted key-by-key (port, targetPort, name, nodePort, ...).
  {{- range $key, $val := $gateway.ports }}
    -
      {{- range $pkey, $pval := $val }}
      {{ $pkey}}: {{ $pval }}
      {{- end }}
  {{- end }}

  # Control-plane ports for mesh expansion (see meshexpansion.yaml), only when enabled.
  {{- if $.Values.global.meshExpansion.enabled }}
  {{- range $key, $val := $gateway.meshExpansionPorts }}
    -
      {{- range $pkey, $pval := $val }}
      {{ $pkey}}: {{ $pval }}
      {{- end }}
  {{- end }}
  {{- end }}
  # Dedicated per-app ports (see gateway.yaml / hosts.yaml).
  {{ range $app := $gateway.ingressPorts }}
    -
      port: {{ $app.port }}
      name: {{ $app.name }}
  {{- end }}
---
{{ end }}
--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
# ServiceAccount the gateway pods run as (subject of rolebindings.yaml). Only the namespaced
# SDS Role is bound to it by this chart; it receives no cluster-wide permissions here.
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
  name: istio-ingressgateway-service-account
  namespace: {{ .Release.Namespace }}
  labels:
{{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
--------------------------------------------------------------------------------
/gateways/istio-ingress/templates/sidecar.yaml:
--------------------------------------------------------------------------------
# Namespace-wide default Sidecar resource. "*/*" lets proxies in this namespace reach any
# service in the mesh, which a gateway routing to arbitrary backends needs. It equally applies
# to any other sidecar-injected workload placed in this namespace, so do not co-locate
# applications here expecting egress scoping.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
spec:
  egress:
  - hosts:
    - "*/*"
--------------------------------------------------------------------------------
/istio-cni/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
name: istio-cni
version: 1.1.0
description: Helm chart for istio-cni components
keywords:
  - istio-cni
  - istio
sources:
  - http://github.com/istio/cni
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
--------------------------------------------------------------------------------
/istio-cni/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
# Minimal cluster-wide access for the CNI plugin: 'get' on pods and nodes only (presumably to
# look up the pod being configured and its node). No list/watch, no writes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-cni
  labels:
    app: istio-cni
    release: {{ .Release.Name }}
rules:
- apiGroups: [""]
  resources:
  - pods
  - nodes
  verbs:
  - get
--------------------------------------------------------------------------------
/istio-cni/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
# Binds the read-only ClusterRole above to the istio-cni ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-cni
  labels:
    app: istio-cni
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-cni
subjects:
- kind: ServiceAccount
  name: istio-cni
  namespace: {{ .Release.Namespace }}
---
# Optional: bind a pre-existing ClusterRole (e.g. one granting 'use' of a PodSecurityPolicy,
# see cni.psp_cluster_role in values.yaml) to the istio-cni ServiceAccount. This is a
# namespaced RoleBinding, so the grant is scoped to this namespace only.
{{- if ne .Values.cni.psp_cluster_role "" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-cni-psp
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Values.cni.psp_cluster_role }}
subjects:
- kind: ServiceAccount
  name: istio-cni
  namespace: {{ .Release.Namespace }}
{{- end }}
--------------------------------------------------------------------------------
/istio-cni/templates/configmap-cni.yaml:
--------------------------------------------------------------------------------
# CNI plugin configuration consumed by the install-cni container. Pods in exclude_namespaces
# are skipped by the plugin, so mesh traffic interception (and any policy that depends on it)
# does not apply to them; keep that list to namespaces that genuinely run without sidecars
# (default: istio-system).
kind: ConfigMap
apiVersion: v1
metadata:
  name: istio-cni-config
  namespace: {{ .Release.Namespace }}
  labels:
    app: istio-cni
    release: {{ .Release.Name }}
data:
  # The CNI network configuration to add to the plugin chain on each node. The special
  # values in this config will be automatically populated.
  # log_level, cni_bin_dir and each namespace are passed through `quote`, so arbitrary
  # values cannot break out of the JSON.
  cni_network_config: |-
        {
          "type": "istio-cni",
          "log_level": {{ quote .Values.cni.logLevel }},
          "kubernetes": {
              "kubeconfig": "__KUBECONFIG_FILEPATH__",
              "cni_bin_dir": {{ quote .Values.cni.cniBinDir }},
              "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ]
          }
        }
--------------------------------------------------------------------------------
/istio-cni/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
# ServiceAccount for the istio-cni DaemonSet; subject of the ClusterRoleBinding (pods/nodes get)
# and of the optional PSP RoleBinding.
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
  name: istio-cni
  namespace: {{ .Release.Namespace }}
  labels:
    app: istio-cni
    release: {{ .Release.Name }}
--------------------------------------------------------------------------------
/istio-cni/values.yaml:
--------------------------------------------------------------------------------
cni:
  hub: ""
  tag: ""
  image: install-cni
  # Always re-pull: with a mutable 'tag' each node runs whatever the registry currently serves
  # for it. For a reproducible, auditable install pin 'tag' to an immutable version.
  pullPolicy: Always

  logLevel: info

  # Configuration file to insert istio-cni plugin configuration
  # by default this will be the first file found in the cni-conf-dir
  # Example
  # cniConfFileName: 10-calico.conflist

  # CNI bin and conf dir override settings
  # defaults:
  cniBinDir: /opt/cni/bin
  cniConfDir: /etc/cni/net.d
  cniConfFileName: ""

  # Namespaces the plugin leaves alone (rendered into exclude_namespaces in configmap-cni.yaml).
  # Pods there get no mesh interception from the plugin, so add namespaces deliberately.
  excludeNamespaces:
    - istio-system

  # Custom annotations on pod level, if you need them
  podAnnotations: {}

  # If this value is set a RoleBinding will be created
  # in the same namespace as the istio-cni DaemonSet is created.
  # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount
  # e.g.
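#   if you use PodSecurityPolicies
  psp_cluster_role: ""
--------------------------------------------------------------------------------
/istio-control/istio-autoinject/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
name: istio-autoinject
version: 1.1.0
appVersion: 1.1.0
tillerVersion: ">=2.7.2"
description: Helm chart for sidecar injector webhook deployment
keywords:
  - istio
  - sidecarInjectorWebhook
  - autoinject
sources:
  - http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
--------------------------------------------------------------------------------
/istio-control/istio-autoinject/NOTES.txt:
--------------------------------------------------------------------------------
Sidecar injector (optional): if disabled, manual injection or other tools need to be used.

Sidecar injection in each profile can be selected by labeling the namespace with the appropriate profile.

The new label is 'istio-env' and the value is the namespace where the injector is installed.

Note that it is possible to install a profile with only the injector app - using remote Pilot and MCP.

```
# New style, using the istio-pilot11 profile
kubectl create ns fortio
kubectl label ns fortio istio-env=istio-control

# Second pilot profile
kubectl create ns fortio-test
kubectl label ns fortio-test istio-env=istio-master

# Old-style, using istio-system and Istio 1.0 or 1.1 default installations.
kubectl create ns fortio-istio-system
kubectl label ns fortio-istio-system istio-injection=enabled
```

# Uninstall

After uninstalling, you should clean up the cluster-scoped MutatingWebhookConfiguration (deleting the
namespace does not remove it) using:

```bash

kubectl delete MutatingWebhookConfiguration istio-sidecar-injector-istio-control

```

Any app using the uninstalled istio-env label will no longer be auto-injected once the config is deleted.
Until it is deleted, the API server keeps calling a webhook whose backing Service is gone, which can fail
or delay pod creation in the labeled namespaces depending on the webhook's failurePolicy.
--------------------------------------------------------------------------------
/istio-control/istio-autoinject/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "sidecar-injector.name" -}}
{{- default .Chart.Name .Values.sidecarInjectorWebhook.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "sidecar-injector.fullname" -}}
{{- if .Values.sidecarInjectorWebhook.fullnameOverride -}}
{{- .Values.sidecarInjectorWebhook.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.sidecarInjectorWebhook.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "sidecar-injector.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
--------------------------------------------------------------------------------
/istio-control/istio-autoinject/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
# Cluster-wide permissions of the sidecar injector (legacy, non-istiod mode only).
# Deliberately narrow: read access to its own ConfigMap, and get/list/watch/patch on its own
# MutatingWebhookConfiguration objects (presumably to install its CA bundle), nothing else.
{{- if not .Values.global.istiod.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-sidecar-injector-{{ .Release.Namespace }}
  labels:
    app: sidecar-injector
    release: {{ .Release.Name }}
    istio: sidecar-injector
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["istio-sidecar-injector"]
  verbs: ["get", "list", "watch"]
# Skipped when an operator owns the webhook objects. resourceNames scopes all four verbs to
# the two named objects; no create/delete is granted.
{{- if not .Values.global.operatorManageWebhooks }}
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  resourceNames: ["istio-sidecar-injector", "istio-sidecar-injector-{{.Release.Namespace}}"]
  verbs: ["get", "list", "watch", "patch"]
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/istio-control/istio-autoinject/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
# Binds the ClusterRole above to the injector's ServiceAccount (serviceaccount.yaml).
{{- if not .Values.global.istiod.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }}
  labels:
    app: sidecar-injector
    release: {{ .Release.Name }}
    istio: sidecar-injector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-sidecar-injector-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
  name: istio-sidecar-injector-service-account
  namespace: {{ .Release.Namespace }}
{{- end }}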
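--------------------------------------------------------------------------------
/istio-control/istio-autoinject/templates/poddisruptionbudget.yaml:
--------------------------------------------------------------------------------
# Keep at least one injector replica during voluntary disruptions: while the webhook has no
# healthy backend, pod creation in injected namespaces can be blocked or left unmutated,
# depending on the webhook's failurePolicy.
{{- if not .Values.global.istiod.enabled }}
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    app: sidecar-injector
    release: {{ .Release.Name }}
    istio: sidecar-injector
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: sidecar-injector
      release: {{ .Release.Name }}
      istio: sidecar-injector
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/istio-control/istio-autoinject/templates/service.yaml:
--------------------------------------------------------------------------------
# Service the API server calls for admission: TLS on 443 -> container port 9443.
# NOTE: the selector matches only on 'istio: sidecar-injector', so any pod in this namespace
# carrying that label would receive webhook traffic; keep the label reserved for the injector.
{{- if not .Values.global.istiod.enabled }}
apiVersion: v1
kind: Service
metadata:
  name: istio-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    app: sidecarInjectorWebhook
    release: {{ .Release.Name }}
    istio: sidecar-injector
spec:
  ports:
  - port: 443
    targetPort: 9443
  selector:
    istio: sidecar-injector
{{- end }}
--------------------------------------------------------------------------------
/istio-control/istio-autoinject/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
# ServiceAccount the injector runs as; subject of clusterrolebinding.yaml.
{{- if not .Values.global.istiod.enabled }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
  name: istio-sidecar-injector-service-account
  namespace: {{ .Release.Namespace }}
  labels:
    app: sidecarInjectorWebhook
    release: {{ .Release.Name }}
    istio: sidecar-injector
{{- end }}
--------------------------------------------------------------------------------
/istio-control/istio-autoinject/templates/sidecar-injector-configmap.yaml:
--------------------------------------------------------------------------------
# Injection configuration read by the webhook (legacy, non-istiod mode).
#
# SECURITY NOTE: 'values' below serialises the *entire* Helm values tree into this ConfigMap.
# Anything sensitive passed through values (registry credentials, tokens, ...) becomes
# readable by every principal with configmaps/get in this namespace. Keep secrets out of
# values, or set global.omitSidecarInjectorConfigMap and supply the ConfigMap another way.
#
# Fix: injectedAnnotations keys and values are passed through `quote` instead of being wrapped
# in bare double quotes, so a value containing '"' or '\' no longer yields invalid YAML or a
# silently different annotation.
{{- if not .Values.global.istiod.enabled }}
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
    app: sidecar-injector
    istio: sidecar-injector
data:
  values: |-
    {{ .Values | toJson }}

  config: |-
    policy: {{ .Values.global.proxy.autoInject }}
    alwaysInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
    neverInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }}
    injectedAnnotations:
      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
      {{ $key | quote }}: {{ $val | quote }}
      {{- end }}

{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/istio-control/istio-config/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
name: istio-config
version: 1.1.0
appVersion: 1.1.0
tillerVersion: ">=2.7.2"
description: Helm chart for galley deployment
keywords:
  - istio
  - galley
sources:
  - http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png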
--------------------------------------------------------------------------------
/istio-control/istio-config/OWNERS:
--------------------------------------------------------------------------------
approvers:
- cmluciano
- geeknoid
- ozevren
- ayj
--------------------------------------------------------------------------------
/istio-control/istio-config/README.md:
--------------------------------------------------------------------------------
# Istio Config

This component handles the configuration, exposing an MCP server.

The default implementation is Galley, using the K8S apiserver for storage - other MCP providers may be configured.

It is recommended to run only one production config server - it registers a validation webhook which will apply
to all Istio configs. It is possible to run a second staging/canary config server in a different namespace.

## Installation

Galley relies on DNS certificates. Before installing it in a custom namespace you should update Citadel's
`dnsCerts` list (see the example under Validation) or create a custom certificate.

## Validation

A cluster should have a single galley with validation enabled - usually the prod environment.
It is possible to enable validation on other environments as well - but each Galley will do its own
validation, and a staging version may impact production validation: the ValidatingWebhookConfiguration
is cluster-scoped, so a staging Galley applies its own rules to production Istio config as well.

```yaml
security:
  ...
  dnsCerts:
    ...
    istio-galley-service-account.MY_NAMESPACE: istio-galley.MY_NAMESPACE.svc
```
--------------------------------------------------------------------------------
/istio-control/istio-config/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
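*/}}
{{- define "pilot.name" -}}
{{- default .Chart.Name .Values.galley.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
NOTE(review): these helpers are named "pilot.*" although they read .Values.galley (copied from
the pilot chart); renaming would break any template that includes them, so the names are kept.
*/}}
{{- define "pilot.fullname" -}}
{{- if .Values.galley.fullnameOverride -}}
{{- .Values.galley.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.galley.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "pilot.chart" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Checksum of the rendered configmap.yaml, meant for a pod-template annotation so the Deployment
rolls when the ConfigMap content changes.
Fix: the previous version hashed the template *path* string, which never changes, so the
checksum was constant and could not trigger a rollout. The standard idiom renders the
template via include and hashes its output.
*/}}
{{- define "istio.configmap.checksum" -}}
{{- include (print $.Template.BasePath "/configmap.yaml") . | sha256sum -}}
{{- end -}}
--------------------------------------------------------------------------------
/istio-control/istio-config/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
# Cluster-wide permissions for Galley. Mostly read-only; the write grants are status updates
# on Istio resources, the finalizer on its own Deployment and — unless an operator manages
# webhooks — full control of ValidatingWebhookConfigurations.
#
# SECURITY NOTE: the validatingwebhookconfigurations rule is verbs "*" on *all* such objects
# (no resourceNames), so this ServiceAccount can alter or delete any validating admission
# webhook in the cluster, not just Istio's. Consider narrowing it to explicit verbs and the
# Istio webhook's name if the cluster runs other admission controllers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-galley-{{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
rules:
  # For reading Istio resources
  - apiGroups: [
    "authentication.istio.io",
    "config.istio.io",
    "networking.istio.io",
    "rbac.istio.io",
    "security.istio.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # For updating Istio resource statuses
  - apiGroups: [
    "authentication.istio.io",
    "config.istio.io",
    "networking.istio.io",
    "rbac.istio.io",
    "security.istio.io"]
    resources: ["*/status"]
    verbs: ["update"]
  {{- if not .Values.global.operatorManageWebhooks }}
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["*"]
  {{- end }}
  - apiGroups: ["extensions","apps"]
    resources: ["deployments"]
    resourceNames: ["istio-galley"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "endpoints", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["deployments/finalizers"]
    resourceNames: ["istio-galley"]
    verbs: ["update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["get", "list", "watch"]
---
--------------------------------------------------------------------------------
/istio-control/istio-config/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
# Binds the Galley ClusterRole to its ServiceAccount. Named per release namespace so several
# Galley installs (prod + staging, see README) do not clobber each other's bindings.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-galley-admin-role-binding-{{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-galley-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
  name: istio-galley-service-account
  namespace: {{ .Release.Namespace }}
---
--------------------------------------------------------------------------------
/istio-control/istio-config/templates/configmap-envoy.yaml:
--------------------------------------------------------------------------------
# Envoy front-proxy config for Galley's MCP endpoint, rendered only when control-plane
# security is on. Envoy listens on 0.0.0.0:15019 with mutual TLS (require_client_certificate:
# true, trust root /etc/certs/root-cert.pem) and forwards to Galley on 127.0.0.1:9901 over
# plaintext h2 inside the pod. The admin endpoint is bound to 127.0.0.1:15000, so it is not
# reachable from outside the pod. NOTE: the 9901 backend is presumably unauthenticated and
# must never be exposed as a container/Service port alongside 15019.
{{- if .Values.global.controlPlaneSecurityEnabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: {{ .Release.Namespace }}
  name: galley-envoy-config
  labels:
    app: galley
    istio: galley
    release: {{ .Release.Name }}
data:
  envoy.yaml.tmpl: |-
    admin:
      access_log_path: /dev/null
      address:
        socket_address:
          address: 127.0.0.1
          port_value: 15000

    static_resources:

      clusters:
      - name: in.9901
        http2_protocol_options: {}
        connect_timeout: 1.000s

        hosts:
        - socket_address:
            address: 127.0.0.1
            port_value: 9901

        circuit_breakers:
          thresholds:
          - max_connections: 100000
            max_pending_requests: 100000
            max_requests: 100000
            max_retries: 3

      listeners:
      - name: "15019"
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 15019
        filter_chains:
        - filters:
          - name: envoy.http_connection_manager
            config:
              codec_type: HTTP2
              stat_prefix: "15010"
              stream_idle_timeout: 0s
              http2_protocol_options:
                max_concurrent_streams: 1073741824

              access_log:
              - name: envoy.file_access_log
                config:
                  path: /dev/stdout

              http_filters:
              - name: envoy.router

              route_config:
                name: "15019"

                virtual_hosts:
                - name: istio-galley

                  domains:
                  - '*'

                  routes:
                  - match:
                      prefix: /
                    route:
                      cluster: in.9901
                      timeout: 0.000s
          tls_context:
            common_tls_context:
              alpn_protocols:
              - h2
              tls_certificates:
              - certificate_chain:
                  filename: /etc/certs/cert-chain.pem
                private_key:
                  filename: /etc/certs/key.pem
              validation_context:
                trusted_ca:
                  filename: /etc/certs/root-cert.pem
            require_client_certificate: true
{{- end }}
---
--------------------------------------------------------------------------------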
/istio-control/istio-config/templates/configmap-mesh.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: istio-mesh-galley 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | release: {{ .Release.Name }} 8 | data: 9 | mesh: |- 10 | {{ toYaml .Values.galley.mesh | indent 4 }} 11 | --- 12 | -------------------------------------------------------------------------------- /istio-control/istio-config/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: istio-galley-configuration 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | release: {{ .Release.Name }} 8 | data: 9 | {{- if .Values.global.configValidation }} 10 | validatingwebhookconfiguration.yaml: |- 11 | {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}} 12 | {{- end}} 13 | --- 14 | -------------------------------------------------------------------------------- /istio-control/istio-config/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.defaultPodDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: istio-galley 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: galley 9 | release: {{ .Release.Name }} 10 | istio: galley 11 | spec: 12 | minAvailable: 1 13 | selector: 14 | matchLabels: 15 | app: galley 16 | release: {{ .Release.Name }} 17 | istio: galley 18 | --- 19 | 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /istio-control/istio-config/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: istio-galley 5 | namespace: {{ .Release.Namespace }} 6 | 
labels: 7 | app: galley 8 | istio: galley 9 | release: {{ .Release.Name }} 10 | spec: 11 | ports: 12 | - port: 443 13 | name: https-validation 14 | targetPort: 9443 15 | - port: 15014 16 | name: http-monitoring 17 | - port: 9901 18 | name: grpc-mcp 19 | - port: 15019 20 | name: grpc-tls-mcp 21 | selector: 22 | istio: galley 23 | --- 24 | -------------------------------------------------------------------------------- /istio-control/istio-config/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{- if .Values.global.imagePullSecrets }} 4 | imagePullSecrets: 5 | {{- range .Values.global.imagePullSecrets }} 6 | - name: {{ . }} 7 | {{- end }} 8 | {{- end }} 9 | metadata: 10 | name: istio-galley-service-account 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: galley 14 | release: {{ .Release.Name }} 15 | --- 16 | -------------------------------------------------------------------------------- /istio-control/istio-config/templates/validatingwebhookconfiguration.yaml.tpl: -------------------------------------------------------------------------------- 1 | {{ define "validatingwebhookconfiguration.yaml.tpl" }} 2 | apiVersion: admissionregistration.k8s.io/v1beta1 3 | kind: ValidatingWebhookConfiguration 4 | metadata: 5 | name: istio-galley-{{ .Release.Namespace }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: galley 9 | release: {{ .Release.Name }} 10 | istio: galley 11 | webhooks: 12 | - name: pilot.validation.istio.io 13 | clientConfig: 14 | service: 15 | name: istio-galley 16 | namespace: {{ .Release.Namespace }} 17 | path: "/admitpilot" 18 | caBundle: "" 19 | rules: 20 | - operations: 21 | - CREATE 22 | - UPDATE 23 | apiGroups: 24 | - config.istio.io 25 | apiVersions: 26 | - v1alpha2 27 | resources: 28 | - httpapispecs 29 | - httpapispecbindings 30 | - quotaspecs 31 | - quotaspecbindings 32 | - operations: 33 | - CREATE 34 | - 
UPDATE 35 | apiGroups: 36 | - rbac.istio.io 37 | - security.istio.io 38 | - authentication.istio.io 39 | - networking.istio.io 40 | apiVersions: 41 | - "*" 42 | resources: 43 | - "*" 44 | failurePolicy: Fail 45 | sideEffects: None 46 | - name: mixer.validation.istio.io 47 | clientConfig: 48 | service: 49 | name: istio-galley 50 | namespace: {{ .Release.Namespace }} 51 | path: "/admitmixer" 52 | caBundle: "" 53 | rules: 54 | - operations: 55 | - CREATE 56 | - UPDATE 57 | apiGroups: 58 | - config.istio.io 59 | apiVersions: 60 | - v1alpha2 61 | resources: 62 | - rules 63 | - attributemanifests 64 | - adapters 65 | - handlers 66 | - instances 67 | - templates 68 | failurePolicy: Fail 69 | sideEffects: None 70 | {{- end }} 71 | --- 72 | -------------------------------------------------------------------------------- /istio-control/istio-config/values.yaml: -------------------------------------------------------------------------------- 1 | galley: 2 | image: galley 3 | replicaCount: 1 4 | rollingMaxSurge: 100% 5 | rollingMaxUnavailable: 25% 6 | 7 | enableServiceDiscovery: false 8 | 9 | resources: 10 | requests: 11 | cpu: 100m 12 | # memory: 128Mi 13 | # limits: 14 | # cpu: 100m 15 | # memory: 128Mi 16 | 17 | # TODO: Galley appears to use the mesh config - need to find which fields are used and need to be configured. 18 | mesh: {} 19 | 20 | nodeSelector: {} 21 | tolerations: [] 22 | podAnnotations: {} 23 | 24 | # Specify the pod anti-affinity that allows you to constrain which nodes 25 | # your pod is eligible to be scheduled based on labels on pods that are 26 | # already running on the node rather than based on labels on nodes. 27 | # There are currently two types of anti-affinity: 28 | # "requiredDuringSchedulingIgnoredDuringExecution" 29 | # "preferredDuringSchedulingIgnoredDuringExecution" 30 | # which denote "hard" vs. 
"soft" requirements, you can define your values 31 | # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" 32 | # correspondingly. 33 | # For example: 34 | # podAntiAffinityLabelSelector: 35 | # - key: security 36 | # operator: In 37 | # values: S1,S2 38 | # topologyKey: "kubernetes.io/hostname" 39 | # This pod anti-affinity rule says that the pod requires not to be scheduled 40 | # onto a node if that node is already running a pod with label having key 41 | # "security" and value "S1". 42 | podAntiAffinityLabelSelector: [] 43 | podAntiAffinityTermLabelSelector: [] 44 | 45 | # Enable analysis and status update in Galley 46 | enableAnalysis: false 47 | -------------------------------------------------------------------------------- /istio-control/istio-discovery/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-discovery 3 | version: 1.1.0 4 | appVersion: 1.1.0 5 | tillerVersion: ">=2.7.2" 6 | description: Helm chart for istio control plane 7 | keywords: 8 | - istio 9 | sources: 10 | - http://github.com/istio/istio 11 | engine: gotpl 12 | icon: https://istio.io/favicons/android-192x192.png 13 | -------------------------------------------------------------------------------- /istio-control/istio-discovery/NOTES.txt: -------------------------------------------------------------------------------- 1 | Minimal control plane for Istio. Pilot and mesh config are included. 2 | 3 | MCP and injector should optionally be installed in the same namespace. Alternatively remote 4 | address of an MCP server can be set. 
5 | 6 | -------------------------------------------------------------------------------- /istio-control/istio-discovery/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/installer/16d1d1bf192f447bba752d2e6df725177183cbbf/istio-control/istio-discovery/templates/_helpers.tpl -------------------------------------------------------------------------------- /istio-control/istio-discovery/templates/autoscale.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: istio-pilot{{ .Values.version }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: pilot 9 | release: {{ .Release.Name }} 10 | spec: 11 | maxReplicas: {{ .Values.pilot.autoscaleMax }} 12 | minReplicas: {{ .Values.pilot.autoscaleMin }} 13 | scaleTargetRef: 14 | apiVersion: apps/v1 15 | kind: Deployment 16 | name: istio-pilot{{ .Values.version }} 17 | metrics: 18 | - type: Resource 19 | resource: 20 | name: cpu 21 | targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} 22 | --- 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /istio-control/istio-discovery/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.clusterResources }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: istio-pilot-{{ .Release.Namespace }} 6 | labels: 7 | app: pilot 8 | release: {{ .Release.Name }} 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: istio-pilot-{{ .Release.Namespace }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: istio-pilot-service-account 16 | 
namespace: {{ .Release.Namespace }} 17 | --- 18 | {{ if .Values.global.istiod.enabled }} 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRoleBinding 21 | metadata: 22 | name: istiod-pilot-{{ .Release.Namespace }} 23 | labels: 24 | app: pilot 25 | release: {{ .Release.Name }} 26 | roleRef: 27 | apiGroup: rbac.authorization.k8s.io 28 | kind: ClusterRole 29 | name: istiod-{{ .Release.Namespace }} 30 | subjects: 31 | - kind: ServiceAccount 32 | name: istio-pilot-service-account 33 | namespace: {{ .Release.Namespace }} 34 | 35 | --- 36 | {{ end }} 37 | {{ end }} 38 | -------------------------------------------------------------------------------- /istio-control/istio-discovery/templates/configmap-jwks.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.pilot.jwksResolverExtraRootCA }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: pilot-jwks-extra-cacerts{{ .Values.version }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | release: {{ .Release.Name }} 9 | data: 10 | extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /istio-control/istio-discovery/templates/enable-mesh-mtls.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | 3 | TODO(https://github.com/istio/istio/issues/18199) remove this configuration from charts once the operator starts managing it 4 | 5 | */ -}} 6 | 7 | {{ if .Values.clusterResources }} 8 | {{- if .Values.global.mtls.enabled }} 9 | 10 | # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh. 
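apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
  labels:
    release: {{ .Release.Name }}
spec:
  peers:
  - mtls: {}
---
{{- if not .Values.global.mtls.auto }}
# We only need an explicit destination rule with ISTIO_MUTUAL when auto mTLS is not enabled.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "default"
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
{{ end }}
# The API server is not part of the mesh, so sidecars must not originate Istio mTLS
# towards it. DISABLE only stops the sidecar from wrapping the connection; the client's
# own TLS to kube-apiserver passes through unchanged, it does not make that hop cleartext.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "api-server"
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
spec:
  host: "kubernetes.default.svc.{{ .Values.global.proxy.clusterDomain }}"
  trafficPolicy:
    tls:
      mode: DISABLE
---
{{- else }}
# Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh.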
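apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
  labels:
    release: {{ .Release.Name }}
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
---
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml:
--------------------------------------------------------------------------------
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
data:
  # The complete rendered values object is serialised into this ConfigMap, which is readable
  # by any principal allowed to read ConfigMaps in the namespace. Anything sensitive that an
  # operator passes in through values (a token, a key, a password under a custom key) lands
  # here as well; keep such material in Secrets referenced by name instead of in values.
  values: |-
    {{ .Values | toJson }}

  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
  # and istiod webhook functionality.
  #
  # New fields should not use Values - it is a 'primary' config object, users should be able
  # to fine tune it or use it with kube-inject.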
18 | config: |- 19 | policy: {{ .Values.global.proxy.autoInject }} 20 | alwaysInjectSelector: 21 | {{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} 22 | neverInjectSelector: 23 | {{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} 24 | injectedAnnotations: 25 | {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} 26 | "{{ $key }}": "{{ $val }}" 27 | {{- end }} 28 | 29 | {{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }} 30 | 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /istio-control/istio-discovery/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.defaultPodDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: istio-pilot{{ .Values.version }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: pilot 9 | release: {{ .Release.Name }} 10 | istio: pilot 11 | spec: 12 | minAvailable: 1 13 | selector: 14 | matchLabels: 15 | app: pilot 16 | {{- if ne .Values.version ""}} 17 | version: {{ .Values.version }} 18 | {{- end }} 19 | release: {{ .Release.Name }} 20 | istio: pilot 21 | --- 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /istio-control/istio-discovery/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: istio-pilot{{ .Values.version }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: pilot 8 | release: {{ .Release.Name }} 9 | istio: pilot 10 | spec: 11 | ports: 12 | - port: 15010 13 | name: grpc-xds # direct 14 | - port: 15011 15 | name: https-xds # mTLS 16 | - port: 15012 17 | name: https-dns # mTLS with k8s-signed cert 18 | - port: 8080 19 | name: http-legacy-discovery 
# direct 20 | - port: 15014 21 | name: http-monitoring 22 | - port: 443 23 | name: https-inject 24 | targetPort: 15017 25 | selector: 26 | {{- if ne .Values.version ""}} 27 | app: pilot 28 | version: {{ .Values.version }} 29 | {{ else }} 30 | istio: pilot 31 | {{- end }} 32 | --- 33 | -------------------------------------------------------------------------------- /istio-control/istio-discovery/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.clusterResources }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | {{- if .Values.global.imagePullSecrets }} 5 | imagePullSecrets: 6 | {{- range .Values.global.imagePullSecrets }} 7 | - name: {{ . }} 8 | {{- end }} 9 | {{- end }} 10 | metadata: 11 | name: istio-pilot-service-account 12 | namespace: {{ .Release.Namespace }} 13 | labels: 14 | app: pilot 15 | release: {{ .Release.Name }} 16 | --- 17 | {{ end }} 18 | -------------------------------------------------------------------------------- /istio-policy/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-policy 3 | version: 1.1.0 4 | appVersion: 1.1.0 5 | tillerVersion: ">=2.7.2" 6 | description: Helm chart for mixer policy deployment 7 | keywords: 8 | - istio 9 | - mixer 10 | sources: 11 | - http://github.com/istio/istio 12 | engine: gotpl 13 | icon: https://istio.io/favicons/android-192x192.png 14 | -------------------------------------------------------------------------------- /istio-policy/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "mixer.name" -}} 6 | {{- default .Chart.Name .Values.mixer.policy.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 
11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "mixer.fullname" -}} 15 | {{- if .Values.mixer.policy.fullnameOverride -}} 16 | {{- .Values.mixer.policy.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.mixer.policy.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "mixer.chart" -}} 31 | {{- .Chart.Name | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | -------------------------------------------------------------------------------- /istio-policy/templates/autoscale.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.mixer.policy.autoscaleEnabled .Values.mixer.policy.autoscaleMin .Values.mixer.policy.autoscaleMax }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: istio-policy 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: mixer 9 | release: {{ .Release.Name }} 10 | spec: 11 | maxReplicas: {{ .Values.mixer.policy.autoscaleMax }} 12 | minReplicas: {{ .Values.mixer.policy.autoscaleMin }} 13 | scaleTargetRef: 14 | apiVersion: apps/v1 15 | kind: Deployment 16 | name: istio-policy 17 | metrics: 18 | - type: Resource 19 | resource: 20 | name: cpu 21 | targetAverageUtilization: {{ .Values.mixer.policy.cpu.targetAverageUtilization }} 22 | --- 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /istio-policy/templates/clusterrole.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: istio-policy 5 | labels: 6 | release: {{ .Release.Name }} 7 | app: istio-policy 8 | rules: 9 | - apiGroups: ["config.istio.io"] # istio CRD watcher 10 | resources: ["*"] 11 | verbs: ["create", "get", "list", "watch", "patch"] 12 | - apiGroups: ["apiextensions.k8s.io"] 13 | resources: ["customresourcedefinitions"] 14 | verbs: ["get", "list", "watch"] 15 | - apiGroups: [""] 16 | resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] 17 | verbs: ["get", "list", "watch"] 18 | - apiGroups: ["extensions", "apps"] 19 | resources: ["replicasets"] 20 | verbs: ["get", "list", "watch"] 21 | --- 22 | -------------------------------------------------------------------------------- /istio-policy/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: istio-policy-admin-role-binding-{{ .Release.Namespace }} 5 | labels: 6 | app: istio-policy 7 | release: {{ .Release.Name }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: istio-policy 12 | subjects: 13 | - kind: ServiceAccount 14 | name: istio-policy-service-account 15 | namespace: {{ .Release.Namespace }} 16 | --- 17 | -------------------------------------------------------------------------------- /istio-policy/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.defaultPodDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: istio-policy 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: policy 9 | release: {{ .Release.Name }} 10 | istio: mixer 11 | 
istio-mixer-type: policy 12 | spec: 13 | minAvailable: 1 14 | selector: 15 | matchLabels: 16 | app: policy 17 | istio: mixer 18 | istio-mixer-type: policy 19 | --- 20 | 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /istio-policy/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: istio-policy 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: mixer 8 | istio: mixer 9 | release: {{ .Release.Name }} 10 | spec: 11 | ports: 12 | - name: grpc-mixer 13 | port: 9091 14 | - name: grpc-mixer-mtls 15 | port: 15004 16 | - name: http-policy-monitoring 17 | port: 15014 18 | selector: 19 | istio: mixer 20 | istio-mixer-type: policy 21 | {{- if .Values.mixer.policy.sessionAffinityEnabled }} 22 | sessionAffinity: ClientIP 23 | {{- end }} 24 | --- 25 | 26 | -------------------------------------------------------------------------------- /istio-policy/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{- if .Values.global.imagePullSecrets }} 4 | imagePullSecrets: 5 | {{- range .Values.global.imagePullSecrets }} 6 | - name: {{ . 
}} 7 | {{- end }} 8 | {{- end }} 9 | metadata: 10 | name: istio-policy-service-account 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: istio-policy 14 | release: {{ .Release.Name }} 15 | --- 16 | -------------------------------------------------------------------------------- /istio-policy/values.yaml: -------------------------------------------------------------------------------- 1 | mixer: 2 | policy: 3 | image: mixer 4 | 5 | replicaCount: 1 6 | rollingMaxSurge: 100% 7 | rollingMaxUnavailable: 25% 8 | autoscaleEnabled: true 9 | autoscaleMin: 1 10 | autoscaleMax: 5 11 | cpu: 12 | targetAverageUtilization: 80 13 | sessionAffinityEnabled: false 14 | podAnnotations: {} 15 | 16 | env: {} 17 | 18 | adapters: 19 | useAdapterCRDs: false 20 | kubernetesenv: 21 | enabled: true 22 | resources: {} 23 | nodeSelector: {} 24 | tolerations: [] 25 | 26 | # Specify the pod anti-affinity that allows you to constrain which nodes 27 | # your pod is eligible to be scheduled based on labels on pods that are 28 | # already running on the node rather than based on labels on nodes. 29 | # There are currently two types of anti-affinity: 30 | # "requiredDuringSchedulingIgnoredDuringExecution" 31 | # "preferredDuringSchedulingIgnoredDuringExecution" 32 | # which denote "hard" vs. "soft" requirements, you can define your values 33 | # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" 34 | # correspondingly. 35 | # For example: 36 | # podAntiAffinityLabelSelector: 37 | # - key: security 38 | # operator: In 39 | # values: S1,S2 40 | # topologyKey: "kubernetes.io/hostname" 41 | # This pod anti-affinity rule says that the pod requires not to be scheduled 42 | # onto a node if that node is already running a pod with label having key 43 | # "security" and value "S1". 
44 | podAntiAffinityLabelSelector: [] 45 | podAntiAffinityTermLabelSelector: [] 46 | -------------------------------------------------------------------------------- /istio-telemetry/grafana/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: A Helm chart for Kubernetes 3 | name: grafana 4 | version: 1.1.0 5 | appVersion: 1.1.0 6 | tillerVersion: ">=2.7.2" 7 | -------------------------------------------------------------------------------- /istio-telemetry/grafana/fix_datasources.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright Istio Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
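
set -e

THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
UX=$(uname)

# Replace the Grafana datasource template variable with the fixed datasource name in every
# dashboard shipped with the chart. Files are rewritten in place.
for db in "${THIS_DIR}"/dashboards/*.json; do
  # bash passes an unmatched glob through literally; without this guard sed would fail on
  # the non-existent path and "set -e" would abort the script instead of doing nothing.
  [[ -f "$db" ]] || continue
  if [[ ${UX} == "Darwin" ]]; then
    # BSD sed requires an explicit (here empty) backup suffix for in-place editing.
    # shellcheck disable=SC2016
    sed -i '' 's/${DS_PROMETHEUS}/Prometheus/g' "$db"
  else
    # shellcheck disable=SC2016
    sed -i 's/${DS_PROMETHEUS}/Prometheus/g' "$db"
  fi
done
--------------------------------------------------------------------------------
/istio-telemetry/grafana/templates/configmap-dashboards.yaml:
--------------------------------------------------------------------------------
{{- $files := .Files }}
{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }}
{{- $filename := trimSuffix (ext $path) (base $path) }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-grafana-configuration-dashboards-{{ $filename }}
  namespace: {{ $.Release.Namespace }}
  labels:
    app: grafana
    release: {{ $.Release.Name }}
    istio: grafana
data:
  # The dashboard JSON was previously embedded in a single-quoted YAML scalar, so a literal
  # apostrophe anywhere in a dashboard (a panel title, a query) terminated the scalar and
  # broke the render, and single newlines were folded into spaces. Piping the file through
  # quote produces a double-quoted scalar with every special character escaped, so the
  # ConfigMap holds the file byte for byte.
  {{ base $path }}: {{ $files.Get $path | quote }}
---
{{- end }}
--------------------------------------------------------------------------------
/istio-telemetry/grafana/templates/configmap.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-grafana
  namespace: {{ .Release.Namespace }}
  labels:
    app: grafana
    release: {{ .Release.Name }}
    istio: grafana
data:
# Datasource definitions are copied verbatim. If an entry carries credentials (basic auth
# or similar fields), they end up in this ConfigMap rather than a Secret; keep datasource
# credentials out of values and provision them separately.
{{- if .Values.grafana.datasources }}
{{- range $key, $value := .Values.grafana.datasources }}
  {{ $key }}: |
{{ toYaml $value | indent 4 }}
{{- end -}}
{{- end -}}

{{- if .Values.grafana.dashboardProviders }}
{{- range $key, $value := .Values.grafana.dashboardProviders }}
  {{ $key }}: |
{{ toYaml $value | indent 4 }}
{{- end -}}
{{- end -}}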
-------------------------------------------------------------------------------- /istio-telemetry/grafana/templates/grafana-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: authentication.istio.io/v1alpha1 2 | kind: Policy 3 | metadata: 4 | name: grafana-ports-mtls-disabled 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: grafana 8 | release: {{ .Release.Name }} 9 | spec: 10 | targets: 11 | - name: grafana 12 | ports: 13 | - number: {{ .Values.grafana.service.externalPort }} 14 | -------------------------------------------------------------------------------- /istio-telemetry/grafana/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.grafana.persist }} 2 | kind: PersistentVolumeClaim 3 | apiVersion: v1 4 | metadata: 5 | name: istio-grafana-pvc 6 | labels: 7 | app: grafana 8 | release: {{ .Release.Name }} 9 | spec: 10 | storageClassName: {{ .Values.grafana.storageClassName }} 11 | accessModes: 12 | - {{ .Values.grafana.accessMode }} 13 | resources: 14 | requests: 15 | storage: 5Gi 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /istio-telemetry/grafana/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: grafana 5 | namespace: {{ .Release.Namespace }} 6 | annotations: 7 | {{- range $key, $val := .Values.grafana.service.annotations }} 8 | {{ $key }}: {{ $val | quote }} 9 | {{- end }} 10 | labels: 11 | app: grafana 12 | release: {{ .Release.Name }} 13 | spec: 14 | type: {{ .Values.grafana.service.type }} 15 | ports: 16 | - port: {{ .Values.grafana.service.externalPort }} 17 | targetPort: 3000 18 | protocol: TCP 19 | name: {{ .Values.grafana.service.name }} 20 | selector: 21 | app: grafana 22 | {{- if .Values.grafana.service.loadBalancerIP }} 23 | loadBalancerIP: 
"{{ .Values.grafana.service.loadBalancerIP }}" 24 | {{- end }} 25 | {{if .Values.grafana.service.loadBalancerSourceRanges}} 26 | loadBalancerSourceRanges: 27 | {{range $rangeList := .Values.grafana.service.loadBalancerSourceRanges}} 28 | - {{ $rangeList }} 29 | {{end}} 30 | {{end}} 31 | -------------------------------------------------------------------------------- /istio-telemetry/grafana/templates/tests/test-grafana-connection.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.enableHelmTest }} 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: grafana-test 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: grafana-test 9 | release: {{ .Release.Name }} 10 | istio: grafana 11 | annotations: 12 | sidecar.istio.io/inject: "false" 13 | helm.sh/hook: test-success 14 | spec: 15 | {{- if .Values.global.priorityClassName }} 16 | priorityClassName: "{{ .Values.global.priorityClassName }}" 17 | {{- end }} 18 | containers: 19 | - name: "grafana-test" 20 | image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} 21 | imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" 22 | command: ['curl'] 23 | args: ['http://grafana:{{ .Values.grafana.service.externalPort }}'] 24 | restartPolicy: Never 25 | affinity: 26 | {{- include "nodeaffinity" . | indent 4 }} 27 | {{- include "podAntiAffinity" . | indent 4 }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /istio-telemetry/kiali/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details. 
3 | name: kiali 4 | version: 1.9.0 5 | appVersion: 1.9.0 6 | tillerVersion: ">=2.7.2" 7 | -------------------------------------------------------------------------------- /istio-telemetry/kiali/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.kiali.dashboard.viewOnlyMode }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: kiali 6 | labels: 7 | app: kiali 8 | release: {{ .Release.Name }} 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: kiali 13 | subjects: 14 | - kind: ServiceAccount 15 | name: kiali-service-account 16 | namespace: {{ .Release.Namespace }} 17 | {{- else }} 18 | apiVersion: rbac.authorization.k8s.io/v1 19 | kind: ClusterRoleBinding 20 | metadata: 21 | name: istio-kiali-viewer-role-binding-{{ .Release.Namespace }} 22 | labels: 23 | app: kiali 24 | release: {{ .Release.Name }} 25 | roleRef: 26 | apiGroup: rbac.authorization.k8s.io 27 | kind: ClusterRole 28 | name: kiali-viewer 29 | subjects: 30 | - kind: ServiceAccount 31 | name: kiali-service-account 32 | namespace: {{ .Release.Namespace }} 33 | {{- end }} 34 | -------------------------------------------------------------------------------- /istio-telemetry/kiali/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: kiali 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: kiali 8 | release: {{ .Release.Name }} 9 | data: 10 | config.yaml: | 11 | istio_component_namespaces: 12 | grafana: {{ .Values.global.telemetryNamespace }} 13 | tracing: {{ .Values.global.telemetryNamespace }} 14 | pilot: {{ .Values.global.configNamespace }} 15 | prometheus: {{ .Values.global.prometheusNamespace }} 16 | istio_namespace: {{ .Values.global.istioNamespace }} 17 | auth: 18 | strategy: {{ 
.Values.kiali.dashboard.auth.strategy }} 19 | {{- if eq .Values.kiali.dashboard.auth.strategy "ldap" }} 20 | ldap: 21 | {{- with .Values.kiali.dashboard.auth.strategy.ldap }} 22 | {{ toYaml . | indent 8 }} 23 | {{- end }} 24 | {{- end }} 25 | deployment: 26 | accessible_namespaces: ['**'] 27 | server: 28 | port: 20001 29 | {{- if .Values.kiali.contextPath }} 30 | web_root: {{ .Values.kiali.contextPath }} 31 | {{- end }} 32 | external_services: 33 | istio: 34 | url_service_version: http://istio-pilot.{{ .Values.global.configNamespace }}:8080/version 35 | tracing: 36 | url: {{ .Values.kiali.dashboard.jaegerURL }} 37 | grafana: 38 | url: {{ .Values.kiali.dashboard.grafanaURL }} 39 | prometheus: 40 | {{- if .Values.global.prometheusNamespace }} 41 | url: http://prometheus.{{ .Values.global.prometheusNamespace }}:9090 42 | {{ else }} 43 | url: http://prometheus:9090 44 | {{- end }} 45 | {{- if .Values.kiali.security.enabled }} 46 | identity: 47 | cert_file: {{ .Values.kiali.security.cert_file }} 48 | private_key_file: {{ .Values.kiali.security.private_key_file }} 49 | {{- end}} 50 | -------------------------------------------------------------------------------- /istio-telemetry/kiali/templates/demosecret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.kiali.createDemoSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Values.kiali.dashboard.secretName }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: kiali 9 | release: {{ .Release.Name }} 10 | type: Opaque 11 | data: 12 | username: YWRtaW4= # admin 13 | passphrase: YWRtaW4= # admin 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /istio-telemetry/kiali/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: kiali 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 
| app: kiali 8 | release: {{ .Release.Name }} 9 | spec: 10 | ports: 11 | - name: http-kiali 12 | protocol: TCP 13 | port: 20001 14 | selector: 15 | app: kiali 16 | -------------------------------------------------------------------------------- /istio-telemetry/kiali/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{- if .Values.global.imagePullSecrets }} 4 | imagePullSecrets: 5 | {{- range .Values.global.imagePullSecrets }} 6 | - name: {{ . }} 7 | {{- end }} 8 | {{- end }} 9 | metadata: 10 | name: kiali-service-account 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: kiali 14 | release: {{ .Release.Name }} 15 | -------------------------------------------------------------------------------- /istio-telemetry/mixer-telemetry/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: mixer-telemetry 3 | version: 1.1.0 4 | appVersion: 1.1.0 5 | tillerVersion: ">=2.7.2" 6 | description: Helm chart for mixer deployment 7 | keywords: 8 | - istio 9 | - mixer 10 | sources: 11 | - http://github.com/istio/istio 12 | engine: gotpl 13 | icon: https://istio.io/favicons/android-192x192.png 14 | -------------------------------------------------------------------------------- /istio-telemetry/mixer-telemetry/templates/autoscale.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.mixer.telemetry.autoscaleMin }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: istio-telemetry 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: mixer 9 | release: {{ .Release.Name }} 10 | spec: 11 | maxReplicas: {{ .Values.mixer.telemetry.autoscaleMax }} 12 | minReplicas: {{ .Values.mixer.telemetry.autoscaleMin }} 13 | scaleTargetRef: 14 | apiVersion: apps/v1 15 | kind: Deployment 16 | name: istio-telemetry 
17 | metrics: 18 | - type: Resource 19 | resource: 20 | name: cpu 21 | targetAverageUtilization: {{ .Values.mixer.telemetry.cpu.targetAverageUtilization }} 22 | --- 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /istio-telemetry/mixer-telemetry/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: istio-mixer-{{ .Release.Namespace }} 5 | labels: 6 | app: istio-telemetry 7 | release: {{ .Release.Name }} 8 | rules: 9 | - apiGroups: ["config.istio.io"] # istio CRD watcher 10 | resources: ["*"] 11 | verbs: ["create", "get", "list", "watch", "patch"] 12 | - apiGroups: ["apiextensions.k8s.io"] 13 | resources: ["customresourcedefinitions"] 14 | verbs: ["get", "list", "watch"] 15 | - apiGroups: [""] 16 | resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] 17 | verbs: ["get", "list", "watch"] 18 | - apiGroups: ["extensions", "apps"] 19 | resources: ["replicasets"] 20 | verbs: ["get", "list", "watch"] 21 | --- 22 | -------------------------------------------------------------------------------- /istio-telemetry/mixer-telemetry/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: istio-mixer-admin-role-binding-{{ .Release.Namespace }} 5 | labels: 6 | app: istio-telemetry 7 | release: {{ .Release.Name }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: istio-mixer-{{ .Release.Namespace }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: istio-mixer-service-account 15 | namespace: {{ .Release.Namespace }} 16 | --- 17 | -------------------------------------------------------------------------------- 
/istio-telemetry/mixer-telemetry/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.defaultPodDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: istio-telemetry 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: telemetry 9 | release: {{ .Release.Name }} 10 | istio: mixer 11 | istio-mixer-type: telemetry 12 | spec: 13 | minAvailable: 1 14 | selector: 15 | matchLabels: 16 | app: telemetry 17 | istio: mixer 18 | istio-mixer-type: telemetry 19 | --- 20 | 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /istio-telemetry/mixer-telemetry/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: istio-telemetry 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: mixer 8 | istio: mixer 9 | release: {{ .Release.Name }} 10 | spec: 11 | ports: 12 | - name: grpc-mixer 13 | port: 9091 14 | - name: grpc-mixer-mtls 15 | port: 15004 16 | - name: http-monitoring 17 | port: 15014 18 | - name: prometheus 19 | port: 42422 20 | selector: 21 | istio: mixer 22 | istio-mixer-type: telemetry 23 | {{- if .Values.mixer.telemetry.sessionAffinityEnabled }} 24 | sessionAffinity: ClientIP 25 | {{- end }} 26 | --- 27 | -------------------------------------------------------------------------------- /istio-telemetry/mixer-telemetry/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{- if .Values.global.imagePullSecrets }} 4 | imagePullSecrets: 5 | {{- range .Values.global.imagePullSecrets }} 6 | - name: {{ . 
}} 7 | {{- end }} 8 | {{- end }} 9 | metadata: 10 | name: istio-mixer-service-account 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: istio-telemetry 14 | release: {{ .Release.Name }} 15 | --- 16 | -------------------------------------------------------------------------------- /istio-telemetry/prometheus-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: A Helm chart for Kubernetes 3 | name: prometheus-operator 4 | version: 1.1.0 5 | appVersion: 2.3.1 6 | tillerVersion: ">=2.7.2" 7 | -------------------------------------------------------------------------------- /istio-telemetry/prometheus-operator/values.yaml: -------------------------------------------------------------------------------- 1 | prometheusOperator: 2 | # Controls the default scrape interval used in the ServiceMonitors 3 | scrapeInterval: 15s 4 | 5 | # Enabling this option will generate a Prometheus resource, causing the operator 6 | # to create a prometheus deployment according to the generated spec. It will also 7 | # create a service definition, destination rules, cluster roles and bindings, and 8 | # a service account. Only use this option if you have not already created and configured 9 | # a prometheus resource and/or you desire a distinct prometheus resource for Istio. 10 | createPrometheusResource: false 11 | hub: docker.io/prom 12 | tag: v2.15.1 13 | retention: 6h 14 | 15 | service: 16 | annotations: {} 17 | nodePort: 18 | enabled: false 19 | port: 32090 20 | 21 | nodeSelector: {} 22 | tolerations: [] 23 | 24 | # Specify the pod anti-affinity that allows you to constrain which nodes 25 | # your pod is eligible to be scheduled based on labels on pods that are 26 | # already running on the node rather than based on labels on nodes. 
27 | # There are currently two types of anti-affinity: 28 | # "requiredDuringSchedulingIgnoredDuringExecution" 29 | # "preferredDuringSchedulingIgnoredDuringExecution" 30 | # which denote "hard" vs. "soft" requirements, you can define your values 31 | # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" 32 | # correspondingly. 33 | # For example: 34 | # podAntiAffinityLabelSelector: 35 | # - key: security 36 | # operator: In 37 | # values: S1,S2 38 | # topologyKey: "kubernetes.io/hostname" 39 | # This pod anti-affinity rule says that the pod requires not to be scheduled 40 | # onto a node if that node is already running a pod with label having key 41 | # "security" and value "S1". 42 | podAntiAffinityLabelSelector: [] 43 | podAntiAffinityTermLabelSelector: [] 44 | 45 | # Indicate if Citadel is enabled, i.e., whether its generated certificates are available 46 | security: 47 | enabled: true -------------------------------------------------------------------------------- /istio-telemetry/prometheus/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: A Helm chart for Kubernetes 3 | name: prometheus 4 | version: 1.1.0 5 | appVersion: 2.8.0 6 | tillerVersion: ">=2.7.2" 7 | -------------------------------------------------------------------------------- /istio-telemetry/prometheus/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: prometheus-{{ .Release.Namespace }} 5 | labels: 6 | app: prometheus 7 | release: {{ .Release.Name }} 8 | rules: 9 | - apiGroups: [""] 10 | resources: 11 | - nodes 12 | - services 13 | - endpoints 14 | - pods 15 | - nodes/proxy 16 | verbs: ["get", "list", "watch"] 17 | - apiGroups: [""] 18 | resources: 19 | - configmaps 20 | verbs: ["get"] 21 | - nonResourceURLs: ["/metrics"] 22 | verbs: ["get"] 23 | 
-------------------------------------------------------------------------------- /istio-telemetry/prometheus/templates/clusterrolebindings.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: prometheus-{{ .Release.Namespace }} 5 | labels: 6 | app: prometheus 7 | release: {{ .Release.Name }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: prometheus-{{ .Release.Namespace }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: prometheus 15 | namespace: {{ .Release.Namespace }} 16 | -------------------------------------------------------------------------------- /istio-telemetry/prometheus/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | # TODO: the original template has service account, roles, etc 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: prometheus 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: prometheus 9 | release: {{ .Release.Name }} 10 | spec: 11 | replicas: {{ .Values.prometheus.replicaCount }} 12 | selector: 13 | matchLabels: 14 | app: prometheus 15 | template: 16 | metadata: 17 | labels: 18 | app: prometheus 19 | release: {{ .Release.Name }} 20 | annotations: 21 | sidecar.istio.io/inject: "false" 22 | {{- if .Values.prometheus.podAnnotations }} 23 | {{ toYaml .Values.prometheus.podAnnotations | indent 8 }} 24 | {{- end }} 25 | spec: 26 | serviceAccountName: prometheus 27 | {{- if .Values.global.priorityClassName }} 28 | priorityClassName: "{{ .Values.global.priorityClassName }}" 29 | {{- end }} 30 | containers: 31 | - name: prometheus 32 | image: "{{ .Values.prometheus.hub }}/{{ .Values.prometheus.image }}:{{ .Values.prometheus.tag }}" 33 | imagePullPolicy: {{ .Values.global.imagePullPolicy | default "Always" }} 34 | args: 35 | - '--storage.tsdb.retention={{ 
.Values.prometheus.retention }}' 36 | - '--config.file=/etc/prometheus/prometheus.yml' 37 | ports: 38 | - containerPort: 9090 39 | name: http 40 | livenessProbe: 41 | httpGet: 42 | path: /-/healthy 43 | port: 9090 44 | readinessProbe: 45 | httpGet: 46 | path: /-/ready 47 | port: 9090 48 | resources: 49 | {{- if .Values.prometheus.resources }} 50 | {{ toYaml .Values.prometheus.resources | indent 12 }} 51 | {{- else }} 52 | {{ toYaml .Values.global.defaultResources | indent 12 }} 53 | {{- end }} 54 | volumeMounts: 55 | - name: config-volume 56 | mountPath: /etc/prometheus 57 | - mountPath: /etc/istio-certs 58 | name: istio-certs 59 | volumes: 60 | - name: config-volume 61 | configMap: 62 | name: prometheus 63 | - name: istio-certs 64 | secret: 65 | defaultMode: 420 66 | {{- if not .Values.security.enabled }} 67 | optional: true 68 | {{- end }} 69 | secretName: istio.default 70 | affinity: 71 | {{- include "nodeaffinity" . | indent 6 }} 72 | {{- include "podAntiAffinity" . | indent 6 }} 73 | {{- if .Values.prometheus.tolerations }} 74 | tolerations: 75 | {{ toYaml .Values.prometheus.tolerations | indent 6 }} 76 | {{- else if .Values.global.defaultTolerations }} 77 | tolerations: 78 | {{ toYaml .Values.global.defaultTolerations | indent 6 }} 79 | {{- end }} 80 | -------------------------------------------------------------------------------- /istio-telemetry/prometheus/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.prometheus.ingress.enabled -}} 2 | apiVersion: extensions/v1beta1 3 | kind: Ingress 4 | metadata: 5 | name: prometheus 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: prometheus 9 | release: {{ .Release.Name }} 10 | annotations: 11 | {{- range $key, $value := .Values.prometheus.ingress.annotations }} 12 | {{ $key }}: {{ $value | quote }} 13 | {{- end }} 14 | spec: 15 | rules: 16 | {{- if .Values.prometheus.ingress.hosts }} 17 | {{- range $host := 
.Values.prometheus.ingress.hosts }} 18 | - host: {{ $host }} 19 | http: 20 | paths: 21 | - path: {{ if $.Values.prometheus.contextPath }} {{ $.Values.prometheus.contextPath }} {{ else }} / {{ end }} 22 | backend: 23 | serviceName: prometheus 24 | servicePort: 9090 25 | {{- end -}} 26 | {{- else }} 27 | - http: 28 | paths: 29 | - path: {{ if .Values.prometheus.contextPath }} {{ .Values.prometheus.contextPath }} {{ else }} / {{ end }} 30 | backend: 31 | serviceName: prometheus 32 | servicePort: 9090 33 | {{- end }} 34 | {{- if .Values.prometheus.ingress.tls }} 35 | tls: 36 | {{ toYaml .Values.prometheus.ingress.tls | indent 4 }} 37 | {{- end -}} 38 | {{- end -}} 39 | -------------------------------------------------------------------------------- /istio-telemetry/prometheus/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: prometheus 5 | namespace: {{ .Release.Namespace }} 6 | annotations: 7 | prometheus.io/scrape: 'true' 8 | {{- if .Values.prometheus.service }} 9 | {{- range $key, $val := .Values.prometheus.service.annotations }} 10 | {{ $key }}: {{ $val | quote }} 11 | {{- end }} 12 | {{- end }} 13 | labels: 14 | app: prometheus 15 | release: {{ .Release.Name }} 16 | spec: 17 | selector: 18 | app: prometheus 19 | ports: 20 | - name: http-prometheus 21 | protocol: TCP 22 | port: 9090 23 | 24 | {{- if .Values.prometheus.service }} 25 | # Using separate ingress for nodeport, to avoid conflict with pilot e2e test configs. 
26 | --- 27 | apiVersion: v1 28 | kind: Service 29 | metadata: 30 | name: prometheus-nodeport 31 | namespace: {{ .Release.Namespace }} 32 | labels: 33 | app: prometheus 34 | release: {{ .Release.Name }} 35 | spec: 36 | type: NodePort 37 | ports: 38 | - port: 9090 39 | nodePort: {{ .Values.prometheus.service.nodePort.port }} 40 | name: http-prometheus 41 | selector: 42 | app: prometheus 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /istio-telemetry/prometheus/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{- if .Values.global.imagePullSecrets }} 4 | imagePullSecrets: 5 | {{- range .Values.global.imagePullSecrets }} 6 | - name: {{ . }} 7 | {{- end }} 8 | {{- end }} 9 | metadata: 10 | name: prometheus 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: prometheus 14 | release: {{ .Release.Name }} 15 | -------------------------------------------------------------------------------- /istio-telemetry/prometheus/templates/tests/test-prometheus-connection.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.enableHelmTest }} 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: prometheus-test 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: prometheus-test 9 | release: {{ .Release.Name }} 10 | istio: prometheus 11 | annotations: 12 | sidecar.istio.io/inject: "false" 13 | helm.sh/hook: test-success 14 | spec: 15 | {{- if .Values.global.priorityClassName }} 16 | priorityClassName: "{{ .Values.global.priorityClassName }}" 17 | {{- end }} 18 | containers: 19 | - name: "prometheus-test" 20 | image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} 21 | imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" 22 | command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && 
exit 0 || sleep 15; done; exit 1'] 23 | restartPolicy: Never 24 | affinity: 25 | {{- include "nodeaffinity" . | indent 4 }} 26 | {{- include "podAntiAffinity" . | indent 4 }} 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /istio-telemetry/prometheus/values.yaml: -------------------------------------------------------------------------------- 1 | prometheus: 2 | enabled: true 3 | replicaCount: 1 4 | hub: docker.io/prom 5 | image: prometheus 6 | tag: v2.15.1 7 | retention: 6h 8 | 9 | # Controls the frequency of prometheus scraping 10 | scrapeInterval: 15s 11 | 12 | contextPath: /prometheus 13 | 14 | ingress: 15 | enabled: false 16 | ## Used to create an Ingress record. 17 | hosts: 18 | - prometheus.local 19 | annotations: 20 | # kubernetes.io/ingress.class: nginx 21 | # kubernetes.io/tls-acme: "true" 22 | tls: 23 | # Secrets must be manually created in the namespace. 24 | # - secretName: prometheus-tls 25 | # hosts: 26 | # - prometheus.local 27 | 28 | # 1.2 it is disabled by default - it can be enabled for special cases, but would create port 29 | # conflicts. In general it is not recommended to use node ports for services, but use gateways instead. 30 | # service: 31 | # annotations: {} 32 | # nodePort: 33 | # enabled: false 34 | # port: 32090 35 | 36 | nodeSelector: {} 37 | tolerations: [] 38 | podAnnotations: {} 39 | service: {} 40 | resources: {} 41 | datasources: [] 42 | # Specify the pod anti-affinity that allows you to constrain which nodes 43 | # your pod is eligible to be scheduled based on labels on pods that are 44 | # already running on the node rather than based on labels on nodes. 45 | # There are currently two types of anti-affinity: 46 | # "requiredDuringSchedulingIgnoredDuringExecution" 47 | # "preferredDuringSchedulingIgnoredDuringExecution" 48 | # which denote "hard" vs. 
"soft" requirements, you can define your values 49 | # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" 50 | # correspondingly. 51 | # For example: 52 | # podAntiAffinityLabelSelector: 53 | # - key: security 54 | # operator: In 55 | # values: S1,S2 56 | # topologyKey: "kubernetes.io/hostname" 57 | # This pod anti-affinity rule says that the pod requires not to be scheduled 58 | # onto a node if that node is already running a pod with label having key 59 | # "security" and value "S1". 60 | podAntiAffinityLabelSelector: [] 61 | podAntiAffinityTermLabelSelector: [] 62 | 63 | # Indicate if Citadel is enabled, i.e., whether its generated certificates are available 64 | security: 65 | enabled: true -------------------------------------------------------------------------------- /istio-telemetry/tracing/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: A Helm chart for tracing 3 | name: tracing 4 | version: 1.1.0 5 | appVersion: 1.5.1 6 | tillerVersion: ">=2.7.2" 7 | -------------------------------------------------------------------------------- /istio-telemetry/tracing/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.tracing.provider "jaeger" }} 2 | {{- if .Values.tracing.jaeger.persist }} 3 | kind: PersistentVolumeClaim 4 | apiVersion: v1 5 | metadata: 6 | name: istio-jaeger-pvc 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ .Values.tracing.provider }} 10 | release: {{ .Release.Name }} 11 | spec: 12 | storageClassName: {{ .Values.tracing.jaeger.storageClassName }} 13 | accessModes: 14 | - {{ .Values.tracing.jaeger.accessMode }} 15 | resources: 16 | requests: 17 | storage: 5Gi 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /istio-telemetry/tracing/templates/service-jaeger.yaml: 
-------------------------------------------------------------------------------- 1 | {{ if eq .Values.tracing.provider "jaeger" }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: jaeger-query 6 | namespace: {{ .Release.Namespace }} 7 | annotations: 8 | {{- range $key, $val := .Values.tracing.service.annotations }} 9 | {{ $key }}: {{ $val | quote }} 10 | {{- end }} 11 | labels: 12 | app: jaeger 13 | jaeger-infra: jaeger-service 14 | release: {{ .Release.Name }} 15 | spec: 16 | ports: 17 | - name: query-http 18 | port: 16686 19 | protocol: TCP 20 | targetPort: 16686 21 | selector: 22 | app: jaeger 23 | --- 24 | apiVersion: v1 25 | kind: Service 26 | metadata: 27 | name: jaeger-collector 28 | namespace: {{ .Release.Namespace }} 29 | labels: 30 | app: jaeger 31 | jaeger-infra: collector-service 32 | release: {{ .Release.Name }} 33 | spec: 34 | ports: 35 | - name: jaeger-collector-tchannel 36 | port: 14267 37 | protocol: TCP 38 | targetPort: 14267 39 | - name: jaeger-collector-http 40 | port: 14268 41 | targetPort: 14268 42 | protocol: TCP 43 | - name: jaeger-collector-grpc 44 | port: 14250 45 | targetPort: 14250 46 | protocol: TCP 47 | selector: 48 | app: jaeger 49 | type: ClusterIP 50 | --- 51 | apiVersion: v1 52 | kind: Service 53 | metadata: 54 | name: jaeger-collector-headless 55 | namespace: {{ .Release.Namespace }} 56 | labels: 57 | app: jaeger 58 | jaeger-infra: collector-service 59 | release: {{ .Release.Name }} 60 | spec: 61 | ports: 62 | - name: jaeger-collector-grpc 63 | port: 14250 64 | targetPort: 14250 65 | protocol: TCP 66 | selector: 67 | app: jaeger 68 | clusterIP: None 69 | --- 70 | apiVersion: v1 71 | kind: Service 72 | metadata: 73 | name: jaeger-agent 74 | namespace: {{ .Release.Namespace }} 75 | labels: 76 | app: jaeger 77 | jaeger-infra: agent-service 78 | release: {{ .Release.Name }} 79 | spec: 80 | ports: 81 | - name: agent-zipkin-thrift 82 | port: 5775 83 | protocol: UDP 84 | targetPort: 5775 85 | - name: agent-compact 86 | port: 
6831 87 | protocol: UDP 88 | targetPort: 6831 89 | - name: agent-binary 90 | port: 6832 91 | protocol: UDP 92 | targetPort: 6832 93 | clusterIP: None 94 | selector: 95 | app: jaeger 96 | {{ end }} 97 | -------------------------------------------------------------------------------- /istio-telemetry/tracing/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: zipkin 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: {{ .Values.tracing.provider }} 8 | release: {{ .Release.Name }} 9 | spec: 10 | ports: 11 | - port: {{ .Values.tracing.zipkin.queryPort }} 12 | targetPort: {{ .Values.tracing.zipkin.queryPort }} 13 | protocol: TCP 14 | name: {{ .Values.tracing.service.name }} 15 | selector: 16 | app: {{ .Values.tracing.provider }} 17 | --- 18 | {{- if ne .Values.tracing.provider "opencensus"}} 19 | apiVersion: v1 20 | kind: Service 21 | metadata: 22 | name: tracing 23 | namespace: {{ .Release.Namespace }} 24 | annotations: 25 | {{- range $key, $val := .Values.tracing.service.annotations }} 26 | {{ $key }}: {{ $val | quote }} 27 | {{- end }} 28 | labels: 29 | app: {{ .Values.tracing.provider }} 30 | release: {{ .Release.Name }} 31 | spec: 32 | type: {{ .Values.tracing.service.type }} 33 | ports: 34 | - name: {{ .Values.tracing.service.name }} 35 | port: 80 36 | protocol: TCP 37 | {{ if eq .Values.tracing.provider "jaeger" }} 38 | targetPort: 16686 39 | {{ else }} 40 | targetPort: {{ .Values.tracing.zipkin.queryPort }} 41 | {{ end}} 42 | selector: 43 | app: {{ .Values.tracing.provider }} 44 | {{- end }} 45 | -------------------------------------------------------------------------------- /istiocoredns/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: Istio CoreDNS provides DNS resolution for services in multicluster setups. 
3 | name: istiocoredns 4 | version: 1.1.0 5 | appVersion: 0.1 6 | tillerVersion: ">=2.7.2" 7 | -------------------------------------------------------------------------------- /istiocoredns/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: istiocoredns 5 | labels: 6 | app: istiocoredns 7 | release: {{ .Release.Name }} 8 | rules: 9 | - apiGroups: ["networking.istio.io"] 10 | resources: ["*"] 11 | verbs: ["get", "watch", "list"] 12 | -------------------------------------------------------------------------------- /istiocoredns/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: istio-istiocoredns-role-binding-{{ .Release.Namespace }} 5 | labels: 6 | app: istiocoredns 7 | release: {{ .Release.Name }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: istiocoredns 12 | subjects: 13 | - kind: ServiceAccount 14 | name: istiocoredns-service-account 15 | namespace: {{ .Release.Namespace }} 16 | -------------------------------------------------------------------------------- /istiocoredns/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: coredns 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: istiocoredns 8 | release: {{ .Release.Name }} 9 | data: 10 | Corefile: | 11 | .:53 { 12 | errors 13 | health 14 | {{ if eq -1 (semver .Values.istiocoredns.coreDNSTag | (semver "1.4.0").Compare) }} 15 | # Removed support for the proxy plugin: https://coredns.io/2019/03/03/coredns-1.4.0-release/ 16 | grpc global 127.0.0.1:8053 17 | forward . 
/etc/resolv.conf { 18 | except global 19 | } 20 | {{ else }} 21 | proxy global 127.0.0.1:8053 { 22 | protocol grpc insecure 23 | } 24 | proxy . /etc/resolv.conf 25 | {{ end }} 26 | prometheus :9153 27 | cache 30 28 | reload 29 | } 30 | --- 31 | -------------------------------------------------------------------------------- /istiocoredns/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: istiocoredns 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: istiocoredns 8 | release: {{ .Release.Name }} 9 | spec: 10 | selector: 11 | app: istiocoredns 12 | ports: 13 | - name: dns 14 | port: 53 15 | protocol: UDP 16 | - name: dns-tcp 17 | port: 53 18 | protocol: TCP 19 | -------------------------------------------------------------------------------- /istiocoredns/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{- if .Values.global.imagePullSecrets }} 4 | imagePullSecrets: 5 | {{- range .Values.global.imagePullSecrets }} 6 | - name: {{ . 
}} 7 | {{- end }} 8 | {{- end }} 9 | metadata: 10 | name: istiocoredns-service-account 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: istiocoredns 14 | release: {{ .Release.Name }} 15 | -------------------------------------------------------------------------------- /istiocoredns/values.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # addon istiocoredns tracing configuration 3 | # 4 | istiocoredns: 5 | enabled: false 6 | replicaCount: 1 7 | rollingMaxSurge: 100% 8 | rollingMaxUnavailable: 25% 9 | coreDNSImage: coredns/coredns 10 | coreDNSTag: 1.6.2 11 | # Source code for the plugin can be found at 12 | # https://github.com/istio-ecosystem/istio-coredns-plugin 13 | # The plugin listens for DNS requests from coredns server at 127.0.0.1:8053 14 | coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1 15 | nodeSelector: {} 16 | tolerations: [] 17 | podAnnotations: {} 18 | resources: {} 19 | # Specify the pod anti-affinity that allows you to constrain which nodes 20 | # your pod is eligible to be scheduled based on labels on pods that are 21 | # already running on the node rather than based on labels on nodes. 22 | # There are currently two types of anti-affinity: 23 | # "requiredDuringSchedulingIgnoredDuringExecution" 24 | # "preferredDuringSchedulingIgnoredDuringExecution" 25 | # which denote "hard" vs. "soft" requirements, you can define your values 26 | # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" 27 | # correspondingly. 28 | # For example: 29 | # podAntiAffinityLabelSelector: 30 | # - key: security 31 | # operator: In 32 | # values: S1,S2 33 | # topologyKey: "kubernetes.io/hostname" 34 | # This pod anti-affinity rule says that the pod requires not to be scheduled 35 | # onto a node if that node is already running a pod with label having key 36 | # "security" and value "S1". 
37 | podAntiAffinityLabelSelector: [] 38 | podAntiAffinityTermLabelSelector: [] 39 | -------------------------------------------------------------------------------- /kustomize/README.md: -------------------------------------------------------------------------------- 1 | # Experimental Kustomize support 2 | 3 | Organization: each directory corresponds to a namespace ( 'environment' ). 4 | 5 | Inside each component will have a directory, named to match the name of the directory where the helm template is defined. 6 | 7 | A 'kustomization.yaml' file inside the directory can apply the normal kustomize rules. It should expect a 'k8s.yaml' 8 | resource. 9 | 10 | ## Usage 11 | 12 | "helm template" will be used with the normal values/global/user settings, and generate a k8s.yaml file under 13 | $OUT/$NAMESPACE/$COMPONENT 14 | 15 | If the kustomize file exists, it will be applied before running "kubectl apply --prune". 16 | -------------------------------------------------------------------------------- /kustomize/citadel/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - citadel.gen.yaml 6 | 7 | # Must be installed in istio-system to preserve secrets, it is a singleton. 8 | namespace: istio-system 9 | 10 | # Default values for the citadel and injector. 11 | # Similar with values.yaml - unfortunately we can't merge. 12 | 13 | # This ugly list will need to include pairs of istio-galley-service-account.NAMESPACE:istio-galley-service-account.NAMESPACE 14 | # and istio-sidecar-injector-service-account.NAMESPACE:istio-sidecar-injector-service-account.NAMESPACE for each 15 | # namespace running an injector or validator. 16 | # 17 | # TODO: use kustomize to generate the needed certificates. 
configMapGenerator:
  - name: citadeldns
    literals:
      - CITADEL_DNS=istio-galley-service-account.istio-control:istio-galley.istio-control.svc,istio-sidecar-injector-service-account.istio-control:istio-sidecar-injector.istio-control.svc,istio-galley-service-account.istio-system:istio-galley.istio-system.svc,istio-sidecar-injector-service-account.istio-system:istio-sidecar-injector.istio-system.svc

vars:
  - name: CITADEL_DNS
    objref:
      kind: ConfigMap
      name: citadeldns
      apiVersion: v1
    fieldref:
      fieldpath: data.CITADEL_DNS
--------------------------------------------------------------------------------
/kustomize/cluster/kustomization.yaml:
--------------------------------------------------------------------------------
# Cluster-wide resources using istio-system.
# This is needed for installing a-la-carte or demo as the first step, to create the cluster-wide resources
# and bindings.

# The other steps can be run without cluster-wide permissions, by a service account whose permissions
# are limited to the istio-system namespace.
7 | 8 | apiVersion: kustomize.config.k8s.io/v1beta1 9 | kind: Kustomization 10 | 11 | resources: 12 | - clusterrole-12.yaml 13 | - clusterrolebinding-12.yaml 14 | - crds-namespace.gen.yaml 15 | - serviceaccounts-12.yaml 16 | - istiod.yaml 17 | 18 | commonLabels: 19 | istio: cluster 20 | -------------------------------------------------------------------------------- /kustomize/cluster/serviceaccounts-12.yaml: -------------------------------------------------------------------------------- 1 | # Source: istio/charts/galley/templates/serviceaccount.yaml 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: istio-galley-service-account 6 | namespace: istio-system 7 | labels: 8 | app: galley 9 | chart: galley 10 | heritage: Tiller 11 | release: istio 12 | 13 | --- 14 | # Source: istio/charts/mixer/templates/serviceaccount.yaml 15 | 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: istio-mixer-service-account 20 | namespace: istio-system 21 | labels: 22 | app: mixer 23 | chart: mixer 24 | heritage: Tiller 25 | release: istio 26 | 27 | --- 28 | # Source: istio/charts/pilot/templates/serviceaccount.yaml 29 | apiVersion: v1 30 | kind: ServiceAccount 31 | metadata: 32 | name: istio-pilot-service-account 33 | namespace: istio-system 34 | labels: 35 | app: pilot 36 | chart: pilot 37 | heritage: Tiller 38 | release: istio 39 | 40 | --- 41 | # Source: istio/charts/prometheus/templates/serviceaccount.yaml 42 | apiVersion: v1 43 | kind: ServiceAccount 44 | metadata: 45 | name: prometheus 46 | namespace: istio-system 47 | labels: 48 | app: prometheus 49 | chart: prometheus 50 | heritage: Tiller 51 | release: istio 52 | 53 | --- 54 | -------------------------------------------------------------------------------- /kustomize/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Equivalent with istio1.2.x default config, using new installer. 
2 | # All components in istio-system, upgrade/downgrade possible. 3 | 4 | # Requires kustomize/cluster to be installed first. 5 | 6 | apiVersion: kustomize.config.k8s.io/v1beta1 7 | kind: Kustomization 8 | 9 | resources: 10 | - istio-citadel.gen.yaml 11 | - istio-config.gen.yaml 12 | - istio-discovery.gen.yaml 13 | - istio-autoinject.gen.yaml 14 | - istio-ingress.gen.yaml 15 | - istio-prometheus.gen.yaml 16 | - istio-grafana.gen.yaml 17 | 18 | -------------------------------------------------------------------------------- /kustomize/istio-canary/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - discovery.gen.yaml 6 | 7 | commonLabels: 8 | release: istio-canary 9 | -------------------------------------------------------------------------------- /kustomize/istio-ingress/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - istio-ingress.gen.yaml 6 | -------------------------------------------------------------------------------- /kustomize/minimal/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Config for minimal istio, similar with the minimal profile in 1.2 2 | 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | 6 | resources: 7 | - discovery.gen.yaml 8 | -------------------------------------------------------------------------------- /security/certmanager/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: A Helm chart for Kubernetes 3 | name: certmanager 4 | version: 1.1.0 5 | appVersion: 0.6.2 6 | tillerVersion: ">=2.7.2" 7 | -------------------------------------------------------------------------------- 
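/security/certmanager/templates/NOTES.txt:
--------------------------------------------------------------------------------
certmanager has been deployed successfully!

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.readthedocs.io/en/latest/reference/issuers.html
--------------------------------------------------------------------------------
/security/certmanager/templates/deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: certmanager
  namespace: {{ .Release.Namespace }}
  labels:
    app: certmanager
    release: {{ .Release.Name }}
spec:
  replicas: {{ .Values.certmanager.replicaCount }}
  selector:
    matchLabels:
      app: certmanager
  template:
    metadata:
      labels:
        app: certmanager
        release: {{ .Release.Name }}
{{- if .Values.certmanager.podLabels }}
{{ toYaml .Values.certmanager.podLabels | indent 8 }}
{{- end }}
      annotations:
        # The controller talks to the API server and the ACME endpoint itself;
        # it runs without a sidecar.
        sidecar.istio.io/inject: "false"
{{- if .Values.certmanager.podAnnotations }}
{{ toYaml .Values.certmanager.podAnnotations | indent 8 }}
{{- end }}
    spec:
      serviceAccountName: certmanager
{{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
      containers:
      - name: certmanager
        # Mutable tag pulled on every start (imagePullPolicy defaults to Always):
        # what runs is whatever the registry serves for the tag at pod start.
        # Pin by digest for production installs.
        image: "{{ .Values.certmanager.hub }}/{{ .Values.certmanager.image }}:{{ .Values.certmanager.tag }}"
        imagePullPolicy: {{ .Values.global.imagePullPolicy | default "Always" }}
        args:
        # Both scoped to the release namespace; presumably the ACME account keys
        # referenced by the ClusterIssuers below are stored there.
        - --cluster-resource-namespace=$(POD_NAMESPACE)
        - --leader-election-namespace=$(POD_NAMESPACE)
{{- if .Values.certmanager.extraArgs }}
{{ toYaml .Values.certmanager.extraArgs | indent 8 }}
{{- end }}
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        resources:
{{ toYaml .Values.certmanager.resources | indent 10 }}
{{- if .Values.certmanager.podDnsPolicy }}
      dnsPolicy: {{ .Values.certmanager.podDnsPolicy }}
{{- end }}
{{- if .Values.certmanager.podDnsConfig }}
      dnsConfig:
{{ toYaml .Values.certmanager.podDnsConfig | indent 8 }}
{{- end }}
      affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
{{- if .Values.certmanager.tolerations }}
      tolerations:
{{ toYaml .Values.certmanager.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
      tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
--------------------------------------------------------------------------------
/security/certmanager/templates/issuer.yaml:
--------------------------------------------------------------------------------
---
# ClusterIssuer is cluster-scoped: the `namespace: {{ .Release.Namespace }}`
# that used to sit in metadata here is discarded by the API server and only
# misleads readers into thinking the issuer (and its account-key secret) is
# namespaced. The secret location is decided by --cluster-resource-namespace
# on the controller.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  labels:
    app: certmanager
    release: {{ .Release.Name }}
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # values.yaml defaults certmanager.email to "". With the default this renders
    # as an empty contact, so expiry/revocation notices from the CA are never
    # delivered; set it when enabling the chart.
    email: {{ .Values.certmanager.email }}
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    http01: {}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt
  labels:
    app: certmanager
    release: {{ .Release.Name }}
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: {{ .Values.certmanager.email }}
    privateKeySecretRef:
      name: letsencrypt
    http01: {}
--------------------------------------------------------------------------------
/security/certmanager/templates/poddisruptionbudget.yaml:
--------------------------------------------------------------------------------
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: certmanager
  namespace: {{ .Release.Namespace }}
  labels:
    app: certmanager
    release: {{ .Release.Name }}
{{- if .Values.certmanager.podLabels }}
{{ toYaml .Values.certmanager.podLabels | indent 4 }}
{{- end }}
spec:
  # With the default replicaCount of 1 this makes the single pod un-evictable
  # and blocks node drains until it is rescheduled elsewhere.
  minAvailable: 1
  selector:
    matchLabels:
      app: certmanager
      release: {{ .Release.Name }}
{{- end }}
--------------------------------------------------------------------------------
/security/certmanager/templates/rbac.yaml:
--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # Not namespaced, so a second release in another namespace overwrites it.
  name: certmanager
  labels:
    app: certmanager
    release: {{ .Release.Name }}
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"]
    verbs: ["*"]
  # Cluster-wide "*" on Secrets means this service account can read every Secret
  # in the cluster, not just the TLS secrets it writes. That is presumably what
  # the upstream controller needs to issue into arbitrary namespaces and to run
  # HTTP01 solver pods/services/ingresses; if certificates are only issued in
  # the release namespace, a Role/RoleBinding there is the least-privilege shape.
  - apiGroups: [""]
    resources: ["configmaps", "secrets", "events", "services", "pods"]
    verbs: ["*"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: certmanager
  labels:
    app: certmanager
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: certmanager
subjects:
  - name: certmanager
    namespace: {{ .Release.Namespace }}
    kind: ServiceAccount
--------------------------------------------------------------------------------
/security/certmanager/templates/serviceaccount.yaml: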
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{- if .Values.global.imagePullSecrets }} 4 | imagePullSecrets: 5 | {{- range .Values.global.imagePullSecrets }} 6 | - name: {{ . }} 7 | {{- end }} 8 | {{- end }} 9 | metadata: 10 | name: certmanager 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: certmanager 14 | release: {{ .Release.Name }} 15 | -------------------------------------------------------------------------------- /security/certmanager/values.yaml: -------------------------------------------------------------------------------- 1 | certmanager: 2 | # Certmanager uses ACME to sign certificates. Since Istio gateways are 3 | # mounting the TLS secrets the Certificate CRDs must be created in the 4 | # istio-system namespace. Once the certificate has been created, the 5 | # gateway must be updated by adding 'secretVolumes'. After the gateway 6 | # restart, DestinationRules can be created using the ACME-signed certificates. 7 | enabled: false 8 | replicaCount: 1 9 | hub: quay.io/jetstack 10 | image: cert-manager-controller 11 | tag: v0.8.1 12 | resources: {} 13 | nodeSelector: {} 14 | tolerations: [] 15 | podAnnotations: {} 16 | podLabels: {} 17 | extraArgs: [] 18 | podDnsPolicy: "" 19 | podDnsConfig: {} 20 | # Specify the pod anti-affinity that allows you to constrain which nodes 21 | # your pod is eligible to be scheduled based on labels on pods that are 22 | # already running on the node rather than based on labels on nodes. 23 | # There are currently two types of anti-affinity: 24 | # "requiredDuringSchedulingIgnoredDuringExecution" 25 | # "preferredDuringSchedulingIgnoredDuringExecution" 26 | # which denote "hard" vs. "soft" requirements, you can define your values 27 | # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" 28 | # correspondingly. 
29 | # For example: 30 | # podAntiAffinityLabelSelector: 31 | # - key: security 32 | # operator: In 33 | # values: S1,S2 34 | # topologyKey: "kubernetes.io/hostname" 35 | # This pod anti-affinity rule says that the pod requires not to be scheduled 36 | # onto a node if that node is already running a pod with label having key 37 | # "security" and value "S1". 38 | podAntiAffinityLabelSelector: [] 39 | podAntiAffinityTermLabelSelector: [] 40 | email: "" -------------------------------------------------------------------------------- /security/citadel/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: citadel 3 | version: 1.1.0 4 | appVersion: 1.1.0 5 | tillerVersion: ">=2.7.2" 6 | description: Helm chart for istio authentication 7 | keywords: 8 | - istio 9 | - security 10 | sources: 11 | - http://github.com/istio/istio 12 | engine: gotpl 13 | icon: https://istio.io/favicons/android-192x192.png 14 | -------------------------------------------------------------------------------- /security/citadel/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | This template contains the 'singleton' part of Istio. 2 | 3 | All other components support multiple instances (profiles) running in parallel. 4 | 5 | For upgrade purpose, this component should run in istio-system - where the existing mesh certificates are stored. 6 | Will install a new deployment of Citadel, using 1.1 - it can run in parallel with the old-style install of either 1.0 7 | or 1.1. 
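--------------------------------------------------------------------------------
/security/citadel/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
{{ if .Values.clusterResources }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-citadel-{{ .Release.Namespace }}
  labels:
    app: citadel
    release: {{ .Release.Name }}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "update"]
  # Full Secret lifecycle in every namespace. Citadel is the mesh CA and needs
  # to write its own secrets, but the same grant lets this account read every
  # other Secret in the cluster: treat istio-citadel-service-account as tier-0
  # and do not reuse its token anywhere else.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "watch", "list", "update", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts", "services", "namespaces"]
    verbs: ["get", "watch", "list"]
  # TokenReview creation presumably backs authentication of service-account JWTs
  # presented to the grpc-citadel port; the server side is outside this chart.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]

---
{{ end }}
--------------------------------------------------------------------------------
/security/citadel/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{ if .Values.clusterResources }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-citadel-{{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-citadel-{{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: istio-citadel-service-account
    namespace: {{ .Release.Namespace }}
---
{{- end}}
--------------------------------------------------------------------------------
/security/citadel/templates/poddisruptionbudget.yaml:
--------------------------------------------------------------------------------
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-citadel
  namespace: {{ .Release.Namespace }}
  labels:
    app: security
    istio: citadel
    release: {{ .Release.Name }}
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: citadel
      istio: citadel
{{- end }}
--------------------------------------------------------------------------------
/security/citadel/templates/service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  # Must match the certificate, this is used in the node agent in same namespace.
  name: istio-citadel
  namespace: {{ .Release.Namespace }}
  labels:
    app: security
    istio: citadel
    release: {{ .Release.Name }}
spec:
  ports:
    # CSR/signing endpoint. Nothing here limits which pods may reach it; a
    # NetworkPolicy admitting only node agents / sidecars is worth adding.
    - name: grpc-citadel
      port: 8060
      targetPort: 8060
      protocol: TCP
    - name: http-monitoring
      port: 15014
  selector:
    app: citadel
--------------------------------------------------------------------------------
/security/citadel/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-citadel-service-account
  namespace: {{ .Release.Namespace }}
  labels:
    app: security
    release: {{ .Release.Name }}
{{- if .Values.global.imagePullSecrets }}
# ServiceAccount has no `spec`; imagePullSecrets is a top-level field, as the
# nodeagent, certmanager and istiocoredns serviceaccount templates already have
# it. Nested under `spec:` the pull secrets were never attached to this account
# (or the object was rejected by validation), so private-registry installs of
# Citadel failed to pull.
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/security/nodeagent/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
name: nodeagent
version: 1.1.0
appVersion: 1.1.0
tillerVersion: ">=2.7.2"
description: Helm chart for nodeagent deployment
keywords:
  - istio
  - nodeagent
sources:
  - http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
--------------------------------------------------------------------------------
/security/nodeagent/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-nodeagent-{{ .Release.Namespace }}
  labels:
    app: istio-nodeagent
    release: {{ .Release.Name }}
rules:
  # Deliberately minimal: read a ConfigMap and nothing else.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
--------------------------------------------------------------------------------
/security/nodeagent/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-nodeagent-{{ .Release.Namespace }}
  labels:
    app: istio-nodeagent
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-nodeagent-{{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: istio-nodeagent-service-account
    namespace: {{ .Release.Namespace }}
--------------------------------------------------------------------------------
/security/nodeagent/templates/daemonset.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: istio-nodeagent
  namespace: {{ .Release.Namespace }}
  labels:
    app: istio-nodeagent
    istio: nodeagent
    release: {{ .Release.Name }}
spec:
  selector:
    matchLabels:
      istio: nodeagent
  template:
    metadata:
      labels:
        app: istio-nodeagent
        istio: nodeagent
        release: {{ .Release.Name }}
      annotations:
        sidecar.istio.io/inject: "false"
{{- if .Values.nodeagent.podAnnotations }}
{{ toYaml .Values.nodeagent.podAnnotations | indent 8 }}
{{- end }}
    spec:
      serviceAccountName: istio-nodeagent-service-account
{{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
      containers:
      - name: nodeagent
{{- if contains "/" .Values.nodeagent.image }}
        image: "{{ .Values.nodeagent.image }}"
{{- else }}
        image: "{{ .Values.global.hub }}/{{ .Values.nodeagent.image }}:{{ .Values.global.tag }}"
{{- end }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | default "Always" }}
        args:
{{- if .Values.global.logAsJson }}
        - --log_as_json
{{- end }}
        # No securityContext is set, so the container runs as whatever user the
        # image defaults to; the hostPath below is writable by that user.
        volumeMounts:
        - mountPath: /var/run/sds
          name: sdsudspath
        env:
{{- if .Values.nodeagent.env }}
{{- range $key, $val := .Values.nodeagent.env }}
        - name: {{ $key }}
          value: "{{ $val }}"
{{- end }}
{{- end }}
        - name: "TRUST_DOMAIN"
          value: "{{ .Values.global.trustDomain }}"
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
      volumes:
      # Host directory shared with every sidecar on the node (presumably the SDS
      # Unix socket lives here). hostPath is host-level access: any other pod
      # allowed to mount hostPath can read or replace the socket, so restrict
      # hostPath for workloads via PodSecurityPolicy/admission. No `type:` is
      # given, so the kubelet performs no check on what is at this path.
      - name: sdsudspath
        hostPath:
          path: /var/run/sds
      affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- include "podAntiAffinity" .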
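| indent 6 }}
{{- if .Values.nodeagent.tolerations }}
      tolerations:
{{ toYaml .Values.nodeagent.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
      tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
  updateStrategy:
    type: RollingUpdate
--------------------------------------------------------------------------------
/security/nodeagent/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
{{- end }}
{{- end }}
metadata:
  name: istio-nodeagent-service-account
  namespace: {{ .Release.Namespace }}
  labels:
    app: istio-nodeagent
    release: {{ .Release.Name }}
--------------------------------------------------------------------------------
/security/nodeagent/values.yaml:
--------------------------------------------------------------------------------
#
# nodeagent configuration
#
nodeagent:
  enabled: false
  image: node-agent-k8s
  env:
    # name of authentication provider.
    CA_PROVIDER: ""
    # CA endpoint.
    CA_ADDR: ""
    # names of authentication provider's plugins.
    PLUGINS: ""

  nodeSelector: {}
  tolerations: []
  podAnnotations: {}

  # Specify the pod anti-affinity that allows you to constrain which nodes
  # your pod is eligible to be scheduled based on labels on pods that are
  # already running on the node rather than based on labels on nodes.
  # There are currently two types of anti-affinity:
  #   "requiredDuringSchedulingIgnoredDuringExecution"
  #   "preferredDuringSchedulingIgnoredDuringExecution"
  # which denote "hard" vs. "soft" requirements, you can define your values
  # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
  # correspondingly.
  # For example:
  # podAntiAffinityLabelSelector:
  # - key: security
  #   operator: In
  #   values: S1,S2
  #   topologyKey: "kubernetes.io/hostname"
  # This pod anti-affinity rule says that the pod must not be scheduled
  # onto a node if that node is already running a pod with label key
  # "security" and value "S1" or "S2".
  podAntiAffinityLabelSelector: []
  podAntiAffinityTermLabelSelector: []
--------------------------------------------------------------------------------
/test/buildkite/Dockerfile:
--------------------------------------------------------------------------------
# Image based on buildkite docker agent, with the tools used for Istio installer and tests.
# This will run in a dockerfile or k8s - 'make test' should work.
# Image to create go binaries
FROM golang:1.12.5 as golang
# `@master` resolves to whatever the branch points at on build day, so the image
# is not reproducible and a broken or malicious commit lands here unnoticed.
# Pin a released tag (ideally a commit sha) once one is chosen.
RUN GO111MODULE="on" go get -u sigs.k8s.io/kind@master

#get helm binary - do here to limit to only binary in final image
RUN mkdir tmp
# -f makes curl fail on an HTTP error instead of streaming an error page into
# tar. The tarball is still not checksum-verified: the release sha256 should be
# compared here before unpacking (not embedded so as not to guess at it).
RUN curl -fsSL https://storage.googleapis.com/kubernetes-helm/helm-v2.13.1-linux-amd64.tar.gz | (cd tmp; tar -zxvf -)

# do repo for consistency - doesn't pull extra..
# Without -f a 4xx/5xx body would be written to /usr/local/bin/repo and made
# executable by the next step. Unpinned and unverified, like helm above.
RUN curl -fsSL https://storage.googleapis.com/git-repo-downloads/repo > /usr/local/bin/repo
RUN chmod +x /usr/local/bin/repo

FROM buildkite/agent:3-ubuntu

# Environment variables used in the build.
ENV GOROOT=/usr/local/go
ENV PATH=/usr/local/go/bin:/bin:/usr/bin:${PATH}

RUN apt-get update && apt-get -qqy install make git

# Same caveat as above: pin and verify the Go tarball (golang.org publishes the
# sha256 alongside it). Note install-gcp.sh installs go1.11.5 for the VM agent.
RUN curl -fsSL https://dl.google.com/go/go1.12.5.linux-amd64.tar.gz | tar -C /usr/local -xzf -

# It appears go test in istio/istio requires gcc
RUN apt-get -qqy install build-essential autoconf libtool autotools-dev

COPY --from=golang /go/bin/kind /usr/local/bin/kind
COPY --from=golang /go/tmp/linux-amd64/helm /usr/local/bin/helm
COPY --from=golang /usr/local/bin/repo /usr/local/bin/repo
--------------------------------------------------------------------------------
/test/buildkite/README.md:
--------------------------------------------------------------------------------
# Experimental buildkite support for install-based tests

## Machine

The install script (install-gcp.sh in this directory) does a basic install, i.e. the agent plus the
tools used to run Istio tests (cached so we don't download again).

## Kubernetes

Runs privileged: the container has access to the node's docker daemon, which is equivalent to root on
that node. It can run KIND, or could run tests in a regular k8s container if we grant permissions to
create pods.

## K8s - not privileged

A variant would be to run a non-privileged agent with namespace-scoped permissions.
The installer can add an option to not require cluster permissions, or only the minimal cluster
permissions granted to the agent service account.

## Docker

Not clear if this is needed - but we can run the agent/builder inside a docker container. Since it
runs privileged there is no major isolation benefit compared with the machine.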
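--------------------------------------------------------------------------------
/test/buildkite/install-gcp.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Provision a GCP VM as a buildkite agent: the agent package, docker, and the
# tools the Istio installer tests need. Run as root.
#
# Required environment:
#   BUILDKITE_TOKEN  agent registration token, written into the agent cfg.
# Optional:
#   GO_SHA256        expected sha256 of the Go tarball; when set, the download
#                    is verified before it is unpacked.

# Stop at the first failing step instead of carrying on with a half-provisioned
# host (the original ran every line unconditionally).
set -euo pipefail

if [[ -z "${BUILDKITE_TOKEN:-}" ]]; then
  echo "BUILDKITE_TOKEN must be set" >&2
  exit 1
fi

GO_TARBALL=go1.11.5.linux-amd64.tar.gz

# --- buildkite agent ---------------------------------------------------------
echo "deb https://apt.buildkite.com/buildkite-agent stable main" > /etc/apt/sources.list.d/buildkite-agent.list
# hkp on port 80 is plaintext, but the full 40-hex fingerprint pins which key
# may be imported, so a tampered transfer fails instead of installing.
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 32A37959C2FA5C3C99EFBC32A79206696452D198
apt-get update && apt-get install -y buildkite-agent
# Escape the characters sed treats specially in a replacement so an unusual
# token value cannot break or redirect the substitution.
token_escaped=$(printf '%s' "${BUILDKITE_TOKEN}" | sed -e 's/[|&\\]/\\&/g')
sed -i "s|xxx|${token_escaped}|g" /etc/buildkite-agent/buildkite-agent.cfg

# --- docker ------------------------------------------------------------------
apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
# The original fetched the key from linux/ubuntu/gpg but added the linux/debian
# repository with an Ubuntu codename from lsb_release, a pairing the Debian
# repo cannot serve. The Dockerfile next to this script targets Ubuntu, so both
# lines use the ubuntu path; change both together if the host is Debian.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io

# The docker group is created by the package above; running usermod before the
# install (as the original did) fails because the group does not exist yet.
# Membership of the docker group is root-equivalent on this host.
usermod -a -G docker buildkite-agent

# Start the agent only after its docker group membership exists, so the
# service picks it up on its first start.
systemctl enable buildkite-agent && systemctl start buildkite-agent

# --- Istio-related tools -----------------------------------------------------
apt-get -qqy install make git tmux
# Download to a file so the tarball can be checksummed before unpacking.
# (The CI image's Dockerfile installs go1.12.5; keep the two in step.)
tmpdir=$(mktemp -d)
curl -fsSL "https://dl.google.com/go/${GO_TARBALL}" -o "${tmpdir}/${GO_TARBALL}"
if [[ -n "${GO_SHA256:-}" ]]; then
  echo "${GO_SHA256}  ${tmpdir}/${GO_TARBALL}" | sha256sum -c -
else
  echo "GO_SHA256 not set; skipping checksum verification of ${GO_TARBALL}" >&2
fi
tar -C /usr/local -xzf "${tmpdir}/${GO_TARBALL}"
rm -rf "${tmpdir}"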
--------------------------------------------------------------------------------
/test/buildkite/run-local.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | 
3 | # Copyright Istio Authors
4 | #
5 | # Licensed under the Apache License, Version 2.0 (the "License");
6 | # you may not use this file except in compliance with the License.
7 | # You may obtain a copy of the License at
8 | #
9 | # http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 | 
# Runs the Buildkite agent container locally with the host's Docker socket
# mounted in, so pipeline steps can start sibling containers.
# NOTE(review): control of /var/run/docker.sock is control of the host's Docker
# daemon, which is root-equivalent on the host; the agent and every step it
# runs inherit that access.
17 | docker run -it \
18 | -v /var/run/docker.sock:/var/run/docker.sock \
19 | buildkite/agent:3
20 | 
--------------------------------------------------------------------------------
/test/canary/canary.mk:
--------------------------------------------------------------------------------
1 | # Test canary, assume istio-system is already installed.
2 | test-canary: run-build-canary
3 | # Install Pilot canary
4 | kubectl apply -k kustomize/istio-canary --prune -l release=istio-canary
5 | 
6 | # Wait for it to startup
7 | kubectl wait deployments istio-pilotcanary -n ${ISTIO_SYSTEM_NS} --for=condition=available --timeout=${WAIT_TIMEOUT}
8 | 
9 | $(MAKE) test-canary-tests
10 | 
11 | test-canary-tests:
12 | # Manual injection test for canary. 
Settings in values.yaml and mesh.yaml 13 | # values and mesh are set to use TLS to pilot 14 | kubectl create ns fortio-canary || true 15 | kubectl label ns fortio-canary istio-injection=disabled --overwrite 16 | 17 | kubectl apply -n fortio-canary -f test/canary/sidecar.yaml 18 | istioctl kube-inject -f test/canary/fortio.yaml \ 19 | -n fortio-canary \ 20 | --meshConfigFile test/canary/mesh.yaml \ 21 | --valuesFile test/canary/values.yaml \ 22 | --injectConfigFile istio-control/istio-autoinject/files/injection-template.yaml \ 23 | | kubectl apply -n fortio-canary -f - 24 | 25 | kubectl wait deployments fortio -n fortio-canary --for=condition=available --timeout=${WAIT_TIMEOUT} 26 | 27 | # Namespace with auto-injection 28 | kubectl apply -k test/canary 29 | kubectl wait deployments cli-fortio -n fortio-canary-inject --for=condition=available --timeout=${WAIT_TIMEOUT} 30 | 31 | -------------------------------------------------------------------------------- /test/canary/fortio-cli.yaml: -------------------------------------------------------------------------------- 1 | ## Fortio clients generating traffic on different components. 2 | # Generally use the ingress gateway - to capture non-istio service as well. 
3 | --- 4 | apiVersion: apps/v1beta1 5 | kind: Deployment 6 | metadata: 7 | name: cli-fortio 8 | spec: 9 | replicas: 1 10 | template: 11 | metadata: 12 | labels: 13 | app: cli-fortio 14 | version: v1 15 | annotations: 16 | sidecar.istio.io/discoveryAddress: istio-pilotcanary.istio-system:15010 17 | spec: 18 | containers: 19 | - name: echosrv 20 | image: istio/fortio:latest 21 | imagePullPolicy: Always 22 | args: 23 | - load 24 | - -t 25 | - "0" 26 | - -c 27 | - "30" 28 | - -qps 29 | - "2" 30 | - http://fortio.fortio-canary:8080/echo?size=5000 31 | resources: 32 | requests: 33 | cpu: 200m 34 | memory: "100M" 35 | limits: 36 | cpu: 800m 37 | memory: "100M" 38 | -------------------------------------------------------------------------------- /test/canary/fortio.yaml: -------------------------------------------------------------------------------- 1 | # Plain fortio service, to be manually injected by the test. 2 | # No annotation - the address is from the inject options. 3 | --- 4 | apiVersion: v1 5 | kind: Service 6 | metadata: 7 | name: fortio 8 | spec: 9 | ports: 10 | - port: 8080 11 | name: http-echo 12 | - port: 8079 13 | name: grpc-ping 14 | selector: 15 | app: fortio 16 | 17 | --- 18 | apiVersion: apps/v1beta1 19 | kind: Deployment 20 | metadata: 21 | name: fortio 22 | spec: 23 | replicas: 1 24 | template: 25 | metadata: 26 | labels: 27 | app: fortio 28 | version: v1 29 | spec: 30 | containers: 31 | - name: fortio 32 | image: "istio/fortio:latest" 33 | ports: 34 | - containerPort: 8080 35 | - containerPort: 8081 36 | - containerPort: 8079 37 | args: 38 | - server 39 | resources: 40 | requests: 41 | cpu: 800m 42 | memory: "1G" 43 | limits: 44 | cpu: 1000m 45 | memory: "1G" 46 | 47 | --- 48 | # Fortio should use MTLS 49 | apiVersion: networking.istio.io/v1alpha3 50 | kind: DestinationRule 51 | metadata: 52 | name: fortio 53 | spec: 54 | host: fortio 55 | trafficPolicy: 56 | tls: 57 | mode: ISTIO_MUTUAL 58 | 
-------------------------------------------------------------------------------- /test/canary/kustomization.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | resources: 6 | - namespace.yaml 7 | - sidecar.yaml 8 | - fortio-cli.yaml 9 | 10 | namespace: fortio-canary-inject 11 | -------------------------------------------------------------------------------- /test/canary/mesh.yaml: -------------------------------------------------------------------------------- 1 | # Currently used by the injector, as ProxyConfig 2 | # Used to test manual injector with the new template 3 | # This includes values used in inject template - not everything 4 | 5 | ## Default value - not defined in values.yaml or in the override used in pilot. 6 | ## TODO: remove from template, use values with default value. 7 | # See .MeshConfig.ProxyListenPort 8 | proxyListenPort: 15001 9 | 10 | # .ProxyConfig.* 11 | defaultConfig: 12 | interceptionMode: REDIRECT 13 | 14 | # TODO: annotation override. 
"--drainDuration" 15 | drainDuration: 45s 16 | 17 | parentShutdownDuration: 1m0s 18 | 19 | discoveryAddress: istio-pilotcanary.istio-system:15011 20 | 21 | connectTimeout: 1s 22 | #statsdUdpAddress: "1111" 23 | 24 | proxyAdminPort: 15000 25 | concurrency: 0 26 | 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /test/canary/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: fortio-canary-inject 5 | 6 | labels: 7 | istio-injected: "true" 8 | -------------------------------------------------------------------------------- /test/canary/sidecar.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Sidecar 3 | metadata: 4 | name: default 5 | spec: 6 | egress: 7 | - hosts: 8 | - ./* 9 | - fortio-canary/* 10 | - fortio-canary-inject/* 11 | -------------------------------------------------------------------------------- /test/canary/values.yaml: -------------------------------------------------------------------------------- 1 | # Subset of 'values.yaml' used in injection 2 | # For canary we use control plane security 3 | 4 | istio_cni: 5 | enabled: false 6 | 7 | debug: INFO 8 | 9 | version: "" 10 | 11 | global: 12 | hub: gcr.io/istio-testing 13 | tag: latest 14 | 15 | imagePullPolicy: Always 16 | 17 | controlPlaneSecurityEnabled: true 18 | 19 | istioNamespace: istio-system-micro 20 | trustDomain: "" 21 | 22 | #network: default 23 | # podDNSSearchNamespaces: 24 | 25 | sds: 26 | enabled: false 27 | # customTokenDirectory 28 | #useTrustworthyJwt: true 29 | 30 | 31 | proxy: 32 | privileged: true 33 | enableCoreDump: false 34 | image: proxyv2 35 | clusterDomain: "cluster.local" 36 | 37 | excludeInboundPorts: "" 38 | includeIPRanges: "*" 39 | excludeIPRanges: "" 40 | statusPort: 15020 41 | logLevel: "" 42 | 
readinessInitialDelaySeconds: 1 43 | readinessPeriodSeconds: 2 44 | readinessFailureThreshold: 10 45 | 46 | # resources 47 | componentLogLevel: "misc:error" 48 | 49 | 50 | tracer: "none" 51 | 52 | envoyStatsd: 53 | enabled: false 54 | 55 | 56 | 57 | proxy_init: 58 | image: proxyv2 59 | 60 | -------------------------------------------------------------------------------- /test/cloudbuild/cloudbuild.yaml: -------------------------------------------------------------------------------- 1 | steps: 2 | - name: 'istionightly/kind:latest' 3 | args: ["-c", 'make test'] 4 | env: 5 | - 'GOPATH=/workspace' 6 | timeout: 600s 7 | entrypoint: /bin/bash 8 | 9 | 10 | 11 | options: 12 | machineType: 'N1_HIGHCPU_8' 13 | -------------------------------------------------------------------------------- /test/demo.mk: -------------------------------------------------------------------------------- 1 | # Test the demo install - in istio-system and the 'side by side'/upgrade mode. 2 | # This requires a fresh kind cluster. 3 | 4 | INSTALL_OPTS="--set global.istioNamespace=${ISTIO_CONTROL_NS} --set global.configNamespace=${ISTIO_CONTROL_NS} --set global.telemetryNamespace=${ISTIO_TELEMETRY_NS} --set global.policyNamespace=${ISTIO_POLICY_NS}" 5 | 6 | 7 | # Run the 'install demo' test. Should run with a valid kube config and cluster - KIND or real. 8 | # The demo environment should be compatible and we should be able to upgrade from 1.2 9 | # 10 | # If you repeat the test without deleting the cluster the config will be fast, and will just run the curl calls. 
11 | run-test-demo: ${GOBIN}/istioctl run-build-cluster run-build-demo ${TMPDIR} 12 | kubectl apply -k kustomize/cluster 13 | 14 | kubectl apply -k test/demo --prune -l release=istio-system-istio 15 | $(MAKE) wait-all-system 16 | 17 | # Verify that we can kube-inject using files 18 | kubectl create ns demo || true 19 | istioctl kube-inject -f test/simple/servicesToBeInjected.yaml \ 20 | -n demo \ 21 | --meshConfigFile test/demo/mesh.yaml \ 22 | --valuesFile test/simple/values.yaml \ 23 | --injectConfigFile istio-control/istio-autoinject/files/injection-template.yaml \ 24 | | kubectl apply -n demo -f - 25 | 26 | kubectl wait deployments echosrv-deployment-1 -n demo --for=condition=available --timeout=${WAIT_TIMEOUT} 27 | 28 | # Do a simple test for bookinfo 29 | $(MAKE) run-bookinfo 30 | 31 | 32 | -------------------------------------------------------------------------------- /test/demo/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - citadel.gen.yaml 6 | - galley.gen.yaml 7 | - pilot.gen.yaml 8 | - inject-allns.gen.yaml 9 | - ingress.gen.yaml 10 | - telemetry.gen.yaml 11 | - egress.gen.yaml 12 | - prometheus.gen.yaml 13 | - grafana.gen.yaml 14 | - policy.gen.yaml 15 | - tracing.gen.yaml 16 | - kiali.gen.yaml 17 | 18 | patchesStrategicMerge: 19 | - allocation.yaml 20 | -------------------------------------------------------------------------------- /test/demo/mesh.yaml: -------------------------------------------------------------------------------- 1 | # Currently used by the injector, as ProxyConfig 2 | # Used to test manual injector with the new template 3 | # This includes values used in inject template - not everything 4 | 5 | ## Default value - not defined in values.yaml or in the override used in pilot. 6 | ## TODO: remove from template, use values with default value. 
7 | # See .MeshConfig.ProxyListenPort 8 | proxyListenPort: 15001 9 | 10 | # .ProxyConfig.* 11 | defaultConfig: 12 | interceptionMode: REDIRECT 13 | 14 | # TODO: annotation override. "--drainDuration" 15 | drainDuration: 45s 16 | 17 | parentShutdownDuration: 1m0s 18 | 19 | discoveryAddress: istio-pilot.istio-system:15010 20 | 21 | 22 | connectTimeout: 1s 23 | #statsdUdpAddress: "1111" 24 | 25 | proxyAdminPort: 15000 26 | concurrency: 0 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /test/demo/values.yaml: -------------------------------------------------------------------------------- 1 | # This is used to generate minimal demo mode. It is included from demo and demo-auth values. 2 | # It is shipped with the release, used for bookinfo or quick installation of istio. 3 | # Includes components used in the demo, defaults to alpha3 rules. 4 | # Note: please only put common configuration for the demo profiles here. 5 | global: 6 | controlPlaneSecurityEnabled: false 7 | defaultPodDisruptionBudget: 8 | enabled: 9 | false 10 | 11 | proxy: 12 | accessLogFile: "/dev/stdout" 13 | resources: 14 | requests: 15 | cpu: 10m 16 | memory: 40Mi 17 | 18 | # Reflects in pilot config - should move to proper API and istio-config 19 | disablePolicyChecks: false 20 | 21 | sidecarInjectorWebhook: 22 | enabled: true 23 | # If true, webhook or istioctl injector will rewrite PodSpec for liveness 24 | # health check to redirect request to sidecar. This makes liveness check work 25 | # even when mTLS is enabled. 
26 | rewriteAppHTTPProbe: false 27 | 28 | pilot: 29 | autoscaleEnabled: false 30 | traceSampling: 100.0 31 | resources: 32 | requests: 33 | cpu: 10m 34 | memory: 100Mi 35 | 36 | mixer: 37 | policy: 38 | autoscaleEnabled: false 39 | enabled: true 40 | resources: 41 | requests: 42 | cpu: 10m 43 | memory: 100Mi 44 | 45 | telemetry: 46 | enabled: true 47 | autoscaleEnabled: false 48 | resources: 49 | requests: 50 | cpu: 50m 51 | memory: 100Mi 52 | 53 | adapters: 54 | stdio: 55 | enabled: true 56 | 57 | grafana: 58 | enabled: true 59 | 60 | tracing: 61 | enabled: true 62 | 63 | kiali: 64 | enabled: true 65 | createDemoSecret: true 66 | 67 | gateways: 68 | istio-ingressgateway: 69 | autoscaleEnabled: false 70 | resources: 71 | requests: 72 | cpu: 10m 73 | memory: 40Mi 74 | 75 | istio-egressgateway: 76 | enabled: true 77 | autoscaleEnabled: false 78 | resources: 79 | requests: 80 | cpu: 10m 81 | memory: 40Mi 82 | -------------------------------------------------------------------------------- /test/docker/Dockerfile: -------------------------------------------------------------------------------- 1 | # Image for building and running Kind 2 | # 3 | # Kind will be used in a CI/CD system or for local testing. 4 | # 5 | # Already present: kubectl, kubeadm, ubuntu 6 | # 7 | # make docker.istio-builder 8 | 9 | ############################################ 10 | # Image to pull docker binary 11 | FROM docker:latest as docker 12 | 13 | ############################################ 14 | # Image to create go binaries 15 | FROM golang:1.12.5 as golang 16 | ENV GO111MODULE=on 17 | ENV GOPROXY=https://proxy.golang.org 18 | 19 | # IMPORTANT: kind releases may or may not work with other kindest/node images. 
20 | # When updating, make sure you update the kindest/node version as well 21 | # The KinD release notes will include the safe images to use 22 | RUN go get -u sigs.k8s.io/kind@v0.4.0 23 | 24 | # Used to upload test results to test grid 25 | RUN go get -u github.com/jstemmer/go-junit-report 26 | 27 | # get helm binary - do here to limit to only binary in final image 28 | RUN mkdir tmp 29 | RUN curl -Lo - https://storage.googleapis.com/kubernetes-helm/helm-v2.13.1-linux-amd64.tar.gz | (cd tmp; tar -zxvf -) 30 | 31 | # do repo for consistency - doesn't pull extra.. 32 | RUN curl https://storage.googleapis.com/git-repo-downloads/repo > /usr/local/bin/repo 33 | RUN chmod +x /usr/local/bin/repo 34 | 35 | # create istioctl from `master`, assuming that's what the builder had locally 36 | # ignores `The command '/bin/sh -c go get -d istio.io/istio' returned a non-zero code: 1` 37 | RUN git clone https://github.com/istio/istio /go/src/istio.io/istio 38 | RUN cd /go/src/istio.io/istio && make istioctl 39 | 40 | ############################################ 41 | # Main image 42 | FROM kindest/node:v1.15.0 43 | 44 | # Environment variables used in the build. 
45 | ENV GOROOT=/usr/local/go 46 | ENV PATH=/usr/local/go/bin:/bin:/usr/bin:${PATH} 47 | 48 | RUN apt-get update && apt-get -qqy install make git 49 | 50 | RUN curl -Lo - https://dl.google.com/go/go1.12.5.linux-amd64.tar.gz | tar -C /usr/local -xzf - 51 | 52 | # It appears go test in istio/istio requires gcc 53 | RUN apt-get -qqy install build-essential autoconf libtool autotools-dev 54 | 55 | # Copy from prior stages 56 | COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker 57 | 58 | COPY --from=golang /go/bin/kind /usr/local/bin/kind 59 | COPY --from=golang /go/bin/go-junit-report /usr/local/bin/go-junit-report 60 | COPY --from=golang /go/tmp/linux-amd64/helm /usr/local/bin/helm 61 | COPY --from=golang /usr/local/bin/repo /usr/local/bin/repo 62 | COPY --from=golang /go/out/linux_amd64/release/istioctl /usr/local/bin/istioctl 63 | -------------------------------------------------------------------------------- /test/k8s/loadgen.yaml: -------------------------------------------------------------------------------- 1 | # Small general-purpose load generator. 2 | # 3 | # curl -J https://raw.githubusercontent.com/istio-ecosystem/istio-installer/master/test/k8s/loadgen.yaml | 4 | # sed s/DOMAIN/DOMAIN TO LOAD/ | kubectl apply -f - 5 | # 6 | # Will generate 10 QPS - replace with other value if needed. 
7 | 8 | 9 | apiVersion: apps/v1 10 | kind: Deployment 11 | metadata: 12 | name: loader 13 | spec: 14 | selector: 15 | matchLabels: 16 | app: loader 17 | replicas: 1 18 | template: 19 | metadata: 20 | labels: 21 | app: loader 22 | annotations: 23 | sidecar.istio.io/inject: "false" 24 | spec: 25 | containers: 26 | - name: echosrv 27 | image: istio/fortio:latest 28 | imagePullPolicy: Always 29 | args: 30 | - load 31 | - -t 32 | - "0" 33 | - -c 34 | - "5" 35 | - -qps 36 | - "10" 37 | - http://DOMAIN/echo?size=5000 38 | -------------------------------------------------------------------------------- /test/k8s/mtls_permissive.yaml: -------------------------------------------------------------------------------- 1 | # Per namespace mtls permissive mode 2 | # Authentication policy to enable permissive mode 3 | apiVersion: authentication.istio.io/v1alpha1 4 | kind: Policy 5 | metadata: 6 | name: default 7 | spec: 8 | peers: 9 | - mtls: 10 | mode: PERMISSIVE 11 | -------------------------------------------------------------------------------- /test/k8s/mtls_strict.yaml: -------------------------------------------------------------------------------- 1 | # Per namespace mtls STRICT mode 2 | # Authentication policy to enable STRICT policy for incoming calls. 3 | apiVersion: authentication.istio.io/v1alpha1 4 | kind: Policy 5 | metadata: 6 | name: default 7 | spec: 8 | peers: 9 | - mtls: {} 10 | 11 | --- 12 | # Corresponding destination rule to configure client side to use mutual TLS when talking to 13 | # any service (host) in the mesh. 
14 | apiVersion: networking.istio.io/v1alpha3 15 | kind: DestinationRule 16 | metadata: 17 | name: "default" 18 | spec: 19 | host: "*.local" 20 | trafficPolicy: 21 | tls: 22 | mode: ISTIO_MUTUAL 23 | -------------------------------------------------------------------------------- /test/k8s/sidecar-local.yaml: -------------------------------------------------------------------------------- 1 | # Generic sidecar config isolating a namespace 2 | # kubectl apply -n NAMESPACE_TO_ISOLATE -f sidecar-local.yaml 3 | apiVersion: networking.istio.io/v1alpha3 4 | kind: Sidecar 5 | metadata: 6 | name: default 7 | spec: 8 | egress: 9 | - hosts: 10 | - "*/*" 11 | -------------------------------------------------------------------------------- /test/kind/ingress-service-micro.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: istio-ingressgateway-nodeport 6 | namespace: istio-micro 7 | spec: 8 | selector: 9 | app: istio-ingressgateway 10 | type: NodePort 11 | ports: 12 | - port: 80 13 | targetPort: 80 14 | nodePort: 30090 15 | name: http2 16 | -------------------------------------------------------------------------------- /test/kind/ingress-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: istio-ingressgateway-nodeport 5 | namespace: istio-system 6 | spec: 7 | selector: 8 | app: istio-ingressgateway 9 | type: NodePort 10 | ports: 11 | - port: 80 12 | targetPort: 80 13 | nodePort: 30080 14 | name: http2 15 | -------------------------------------------------------------------------------- /test/kind/kind-docker.yaml: -------------------------------------------------------------------------------- 1 | kind: Cluster 2 | apiVersion: kind.sigs.k8s.io/v1alpha3 3 | nodes: 4 | - role: control-plane 5 | 6 | - role: worker 7 | 8 | kubeadmConfigPatches: 9 | - | 10 | apiVersion: 
kubeadm.k8s.io/v1beta2 11 | kind: ClusterConfiguration 12 | metadata: 13 | name: config 14 | apiServer: 15 | extraArgs: 16 | "service-account-issuer": "kubernetes.default.svc" 17 | "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" 18 | 19 | 20 | #kubeadmConfigPatches: 21 | # - | 22 | # apiVersion: kubeadm.k8s.io/v1beta1 23 | # kind: ClusterConfiguration 24 | # metadata: 25 | # name: config 26 | # networking: 27 | # serviceSubnet: 10.0.0.0/16 28 | 29 | ## patch it further using a JSON 6902 patch 30 | #kubeadmConfigPatchesJson6902: 31 | # - group: kubeadm.k8s.io 32 | # version: v1beta1 33 | # kind: ClusterConfiguration 34 | # patch: | 35 | # - op: add 36 | # path: /apiServer/certSANs/- 37 | # value: my-hostname 38 | -------------------------------------------------------------------------------- /test/kind/kind-prow.yaml: -------------------------------------------------------------------------------- 1 | kind: Cluster 2 | apiVersion: kind.sigs.k8s.io/v1alpha3 3 | nodes: 4 | - role: control-plane 5 | extraPortMappings: 6 | - containerPort: 30080 7 | hostPort: 30080 8 | 9 | kubeadmConfigPatches: 10 | - | 11 | apiVersion: kubeadm.k8s.io/v1beta2 12 | kind: ClusterConfiguration 13 | metadata: 14 | name: config 15 | apiServer: 16 | extraArgs: 17 | "service-account-issuer": "kubernetes.default.svc" 18 | "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" 19 | -------------------------------------------------------------------------------- /test/kind/kind.yaml: -------------------------------------------------------------------------------- 1 | kind: Cluster 2 | apiVersion: kind.sigs.k8s.io/v1alpha3 3 | nodes: 4 | - role: control-plane 5 | extraMounts: 6 | - containerPath: TOP 7 | hostPath: TOP 8 | 9 | - role: worker 10 | extraPortMappings: 11 | # Setting this prevents running 2 kind containers at the same time. 12 | # Unless this is part of the sed substitution. 13 | # However it allows testing ingress gateway ! 
14 | - containerPort: 30080 15 | hostPort: 30080 16 | 17 | kubeadmConfigPatches: 18 | - | 19 | apiVersion: kubeadm.k8s.io/v1beta2 20 | kind: ClusterConfiguration 21 | metadata: 22 | name: config 23 | apiServer: 24 | extraArgs: 25 | "service-account-issuer": "kubernetes.default.svc" 26 | "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" 27 | 28 | #kubeadmConfigPatches: 29 | # - | 30 | # apiVersion: kubeadm.k8s.io/v1beta1 31 | # kind: ClusterConfiguration 32 | # metadata: 33 | # name: config 34 | # networking: 35 | # serviceSubnet: 10.0.0.0/16 36 | 37 | ## patch it further using a JSON 6902 patch 38 | #kubeadmConfigPatchesJson6902: 39 | # - group: kubeadm.k8s.io 40 | # version: v1beta1 41 | # kind: ClusterConfiguration 42 | # patch: | 43 | # - op: add 44 | # path: /apiServer/certSANs/- 45 | # value: my-hostname 46 | -------------------------------------------------------------------------------- /test/kind/user-values.yaml: -------------------------------------------------------------------------------- 1 | # Override istio settings to fit in KIND 2 | 3 | global: 4 | defaultResources: 5 | requests: 6 | cpu: 0m 7 | memory: 1Mi 8 | 9 | proxy: 10 | resources: 11 | requests: 12 | cpu: 0m 13 | memory: 1Mi 14 | 15 | accessLogFile: "/dev/stdout" 16 | 17 | # This section is passed to all templates 18 | # TODO: should be moved to kustomize 19 | resources: 20 | requests: 21 | cpu: 0m 22 | memory: 1Mi 23 | 24 | 25 | # Pilot options 26 | configValidation: true 27 | 28 | pilot: 29 | resources: 30 | requests: 31 | cpu: 0m 32 | 33 | mixer: 34 | telemetry: 35 | resources: 36 | requests: 37 | cpu: 0m 38 | 39 | 40 | policy: 41 | resources: 42 | requests: 43 | cpu: 0m 44 | -------------------------------------------------------------------------------- /test/knative/allocation.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: istio-ingressgateway 5 | spec: 6 | 
template: 7 | spec: 8 | containers: 9 | - name: istio-proxy 10 | resources: 11 | limits: 12 | cpu: 500m 13 | memory: 100Mi 14 | requests: 15 | cpu: 100m 16 | memory: 100Mi 17 | 18 | --- 19 | 20 | apiVersion: apps/v1 21 | kind: Deployment 22 | metadata: 23 | name: istio-pilot 24 | spec: 25 | template: 26 | spec: 27 | containers: 28 | - name: discovery 29 | resources: 30 | limits: 31 | cpu: 500m 32 | memory: 100Mi 33 | requests: 34 | cpu: 100m 35 | memory: 100Mi 36 | env: 37 | - name: ISTIOD_ADDR 38 | value: istio-pilot.istio-micro.svc:15012 39 | -------------------------------------------------------------------------------- /test/knative/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Installs ingress and pilot in dedicated namespace 2 | 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | 6 | resources: 7 | - namespace.yaml 8 | - istio-ingress.gen.yaml 9 | 10 | bases: 11 | - ../../kustomize/minimal 12 | 13 | patchesStrategicMerge: 14 | - allocation.yaml 15 | 16 | namespace: istio-micro 17 | 18 | commonLabels: 19 | release: istio-micro 20 | -------------------------------------------------------------------------------- /test/knative/mesh.yaml: -------------------------------------------------------------------------------- 1 | defaultConfig: 2 | interceptionMode: REDIRECT 3 | drainDuration: 45s 4 | parentShutdownDuration: 1m0s 5 | discoveryAddress: istio-pilot.istio-micro:15010 6 | connectTimeout: 1s 7 | proxyAdminPort: 15000 8 | concurrency: 0 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /test/knative/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: istio-micro 5 | labels: 6 | istio-injection: disabled 7 | -------------------------------------------------------------------------------- /test/knative/service.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: serving.knative.dev/v1alpha1 # Current version of Knative 2 | kind: Service 3 | metadata: 4 | name: helloworld-go # The name of the app 5 | namespace: default # The namespace the app will use 6 | spec: 7 | runLatest: 8 | configuration: 9 | revisionTemplate: 10 | spec: 11 | container: 12 | image: gcr.io/knative-samples/helloworld-go # The URL to the image of the app 13 | env: 14 | - name: TARGET # The environment variable printed out by the sample app 15 | value: "Go Sample v1" 16 | -------------------------------------------------------------------------------- /test/knative/values.yaml: -------------------------------------------------------------------------------- 1 | istio_cni: 2 | enabled: false 3 | 4 | debug: INFO 5 | 6 | version: "" 7 | 8 | global: 9 | hub: gcr.io/istio-testing 10 | tag: latest 11 | 12 | imagePullPolicy: Always 13 | 14 | controlPlaneSecurityEnabled: false 15 | 16 | istioNamespace: istio-micro 17 | trustDomain: "" 18 | 19 | #network: default 20 | # podDNSSearchNamespaces: 21 | 22 | sds: 23 | enabled: false 24 | # customTokenDirectory 25 | #useTrustworthyJwt: true 26 | 27 | 28 | proxy: 29 | privileged: true 30 | enableCoreDump: false 31 | image: proxyv2 32 | clusterDomain: "cluster.local" 33 | 34 | excludeInboundPorts: "" 35 | includeIPRanges: "*" 36 | excludeIPRanges: "" 37 | statusPort: 15020 38 | logLevel: "" 39 | readinessInitialDelaySeconds: 1 40 | readinessPeriodSeconds: 2 41 | readinessFailureThreshold: 10 42 | 43 | # resources 44 | componentLogLevel: "misc:error" 45 | 46 | 47 | tracer: "none" 48 | 49 | envoyStatsd: 50 | enabled: false 51 | 52 | 53 | 54 | proxy_init: 55 | image: proxyv2 56 | 57 | -------------------------------------------------------------------------------- /test/minimal/allocation.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | 
metadata: 4 | name: istio-ingressgateway 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: istio-proxy 10 | resources: 11 | requests: 12 | cpu: 100m 13 | memory: 100Mi 14 | 15 | --- 16 | 17 | apiVersion: apps/v1 18 | kind: Deployment 19 | metadata: 20 | name: istio-pilot 21 | spec: 22 | template: 23 | spec: 24 | containers: 25 | - name: discovery 26 | resources: 27 | requests: 28 | cpu: 200m 29 | memory: 500Mi 30 | -------------------------------------------------------------------------------- /test/minimal/disable-automtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: istio-ingressgateway 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: istio-proxy 10 | env: 11 | - name: ISTIO_AUTO_MTLS_ENABLED 12 | value: "false" 13 | -------------------------------------------------------------------------------- /test/minimal/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Installs ingress and pilot in istio-system, minimal profile with ingress 2 | 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | 6 | bases: 7 | - ../../kustomize/minimal 8 | - ../../kustomize/istio-ingress 9 | 10 | patchesStrategicMerge: 11 | - allocation.yaml 12 | - disable-automtls.yaml 13 | 14 | #commonLabels: 15 | # release: istio-minimal 16 | -------------------------------------------------------------------------------- /test/mysql/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: mysql 3 | version: 1.0 4 | description: Helm chart for testing MySQL with Istio. 
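keywords:
- istio
- mysql
sources:
- http://github.com/istio/istio
engine: gotpl

# ---- /test/mysql/templates/client.yaml ----
# Test client: loops forever running the mysql CLI against the Service that
# server.yaml renders as "server-<Name>". It authenticates with the fixture's
# fixed root/root credentials (see MYSQL_ROOT_PASSWORD in server.yaml) and the
# password travels on the command line, so it is visible in the pod spec and in
# `ps`. Acceptable only for this throwaway test database; never copy this
# pattern for a real one.
#
# extensions/v1beta1 Deployments are no longer served by current Kubernetes
# releases, so this uses apps/v1 with an explicit selector, exactly like the
# server Deployment in server.yaml.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: client-{{ .Values.Name }}
  labels:
    release: {{ .Release.Name }}
spec:
  # apps/v1 requires the selector; extensions/v1beta1 defaulted it from the
  # template labels.
  selector:
    matchLabels:
      app: client-{{ .Values.Name }}
  template:
    metadata:
      labels:
        app: client-{{ .Values.Name }}
        release: {{ .Release.Name }}
    spec:
      containers:
      # We sleep first and will execute mysql cli later. This ensures the cli command will
      # send traffic to mysql server after iptable sidecar traffic injection finishes.
      - args:
        - bash
        - -c
        - |-
          sleep 10
          while :
          do
            echo "attempt to connect to server, $i"
            mysql -uroot -proot -h server-{{ .Values.Name}} -P3306 --connect-timeout 3 -e 'show databases;'
            sleep 3
          done
        # Pinned to the same major as the server image in server.yaml so the
        # client/server pair is reproducible; an untagged "mysql" floats to
        # :latest and can change client auth behaviour under the test.
        image: mysql:5.6
        imagePullPolicy: IfNotPresent
        name: client

# ---- /test/mysql/templates/mtls.yaml ----
{{ if .Values.mtls }}
# Rendered only when .Values.mtls is true.
#
# Two authentication Policies and one DestinationRule:
#   * the "-plaintext" Policy has no peers block, i.e. it deliberately accepts
#     plaintext for its target;
#   * the "-mtls" Policy enforces STRICT mutual TLS on its target and the
#     DestinationRule makes callers originate ISTIO_MUTUAL to it.
#
# NOTE(review): the Policy targets and the DestinationRule host name Services
# called "mysql-server-plaintext" / "mysql-server-mtls", but server.yaml in
# this chart creates the Service as "server-<Name>" (e.g. "server-mtls").
# Unless those Services are created elsewhere, these objects bind to nothing
# and STRICT mode is never actually exercised by the client above -- confirm.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: mysql-server-plaintext-authn
  labels:
    release: {{ .Release.Name }}
spec:
  targets:
  - name: mysql-server-plaintext
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: mysql-server-mtls-authn
  labels:
    release: {{ .Release.Name }}
spec:
  targets:
  - name: mysql-server-mtls
  peers:
  - mtls:
      mode: STRICT
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mysql-mtls-dr
  labels:
    release: {{ .Release.Name }}
spec:
  host: "mysql-server-mtls"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

{{ end }}

# ---- /test/mysql/templates/server.yaml ----
# Persistent storage for the test server's data directory; 1Gi RWO is all the
# fixture needs.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: {{ .Values.Name }}-volumenclaim
  labels:
    release: {{ .Release.Name }}
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
# Single-replica MySQL 5.6 test server.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: server-{{ .Values.Name }}
  labels:
    app: server-{{ .Values.Name }}
    release: {{ .Release.Name }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: server-{{ .Values.Name }}
  template:
    metadata:
      labels:
        app: server-{{ .Values.Name }}
        release: {{ .Release.Name }}
    spec:
      containers:
      - image: mysql:5.6
        name: mysql
        env:
        # The root password is a fixed plaintext literal (it matches the -proot
        # in client.yaml). Fine for a disposable test database; anything that
        # outlives the test should take it from a Secret via valueFrom instead
        # of a literal in the pod spec.
        - name: MYSQL_ROOT_PASSWORD
          value: "root"
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: {{ .Values.Name }}-volumenclaim
---
# ClusterIP only: the server is reachable from inside the cluster and is not
# exposed externally. The port carries no protocol-prefixed name, so the
# sidecar presumably treats it as opaque TCP (no L7 parsing); transport
# security, if any, comes from mtls.yaml.
apiVersion: v1
kind: Service
metadata:
  name: server-{{ .Values.Name }}
  labels:
    app: server-{{ .Values.Name }}
    release: {{ .Release.Name }}
spec:
  type: ClusterIP
  ports:
  - port: 3306
  selector:
    app: server-{{ .Values.Name }}

# ---- /test/mysql/values.yaml ----
# The deployment name, can be "mtls" or "plaintext" to denote different security settings.
# Note that Name only feeds object names; the security objects (mtls.yaml) are
# rendered solely on the separate `mtls` flag.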
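Name: "mtls"

# Set to true to also render templates/mtls.yaml (STRICT peer authentication
# plus an ISTIO_MUTUAL DestinationRule). Name alone changes no security setting.
mtls: false

# ---- /test/simple/README.md ----
Files from the original 'simple' test, used as a minimal sanity test/example.

The simple test uses 'istioctl kube-inject'.

# ---- /test/simple/ingress.yaml ----
# Legacy extensions/v1beta1 Ingress handed to the Istio ingress controller via
# the ingress.class annotation. Plain HTTP with no tls section: the fortio echo
# server is exposed unauthenticated on fortio-ingress.example.com. That is what
# the test wants; do not copy it into a real deployment.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: fortio
  namespace: simple-micro
  annotations:
    kubernetes.io/ingress.class: istio
spec:
  rules:
  - host: fortio-ingress.example.com
    http:
      paths:
      # "/.*" rather than "/": presumably the Istio ingress class interprets
      # path as a regex -- confirm against the controller in use.
      - path: /.*
        backend:
          serviceName: echosrv
          servicePort: 8080

# ---- /test/simple/mesh.yaml ----
# Currently used by the injector, as ProxyConfig
# Used to test manual injector with the new template
# This includes values used in inject template - not everything

defaultConfig:
  interceptionMode: REDIRECT

  # TODO: annotation override. "--drainDuration"
  drainDuration: 45s

  parentShutdownDuration: 1m0s

  # Plain host:port with no TLS settings, consistent with
  # controlPlaneSecurityEnabled: false in test/simple/values.yaml.
  # NOTE(review): 15010 is presumably Pilot's plaintext xDS port; if control
  # plane security is ever enabled for this test the address has to change as
  # well -- confirm.
  discoveryAddress: istio-pilot.istio-system:15010

  connectTimeout: 1s

  # Envoy admin port; keep it off any Service or Ingress.
  proxyAdminPort: 15000
  concurrency: 0




# ---- /test/simple/routingrule1.yaml ----
# 60/40 split of echosrv traffic between subsets v1 and v2 (the subsets come
# from a DestinationRule that is not part of this listing).
# The API group was config.istio.io/v1alpha2; VirtualService is served under
# networking.istio.io/v1alpha3, the same group the DestinationRule in
# test/mysql/templates/mtls.yaml already uses.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echosrv
spec:
  hosts:
  - echosrv
  http:
  - route:
    - destination:
        host: echosrv
        subset: v1
      weight: 60
    - destination:
        host: echosrv
        subset: v2
      weight: 40

# ---- /test/simple/routingrule2.yaml ----
# Same rule as routingrule1.yaml with an even 50/50 split; applied after it to
# exercise a rule update in place. API group corrected as in routingrule1.yaml.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echosrv
spec:
  hosts:
  - echosrv
  http:
  - route:
    - destination:
        host: echosrv
        subset: v1
      weight: 50
    - destination:
        host: echosrv
        subset: v2
      weight: 50

# ---- /test/simple/routingruleNoPods.yaml ----
# Like the rules above but with a third destination, subset "missing", that
# has no pods behind it. API group corrected as in routingrule1.yaml.
# NOTE(review): the weights sum to 99, not 100. If the Pilot version under
# test validates that weights total exactly 100, this rule is rejected for
# that reason and not because of the empty subset -- confirm, and use e.g.
# 34/33/33 if the intent is to test the missing subset only.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echosrv
spec:
  hosts:
  - echosrv
  http:
  - route:
    - destination:
        host: echosrv
        subset: v1
      weight: 33
    - destination:
        host: echosrv
        subset: v2
      weight: 33
    - destination:
        host: echosrv
        subset: missing
      weight: 33

# ---- /test/simple/servicesNotInjected.yaml ----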
# Client inside the cluster, not istio injected
#
# The pod opts out of injection (sidecar.istio.io/inject: "false"), so none of
# its traffic goes through a sidecar: no client certificate, no Istio peer
# authentication or authorization, no mesh telemetry. It exists to exercise the
# "plain pod talks to a meshed service" path; if the target enforces STRICT
# mTLS, expect this client's connections to be refused.
apiVersion: v1
kind: Service
metadata:
  name: fortio-noistio
spec:
  ports:
  # Protocol-prefixed port names (http-, grpc-) are how this Istio era tells
  # the server-side proxy which L7 protocol to apply.
  - port: 8080
    name: http-echo
  - port: 8079
    name: grpc-ping
  selector:
    app: fortio-noistio
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: raw-cli-deployement
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fortio-noistio
  template:
    metadata:
      labels:
        app: fortio-noistio
      annotations:
        # Explicitly opt this pod out of automatic sidecar injection.
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - name: fortio-noistio
        # Untagged image plus imagePullPolicy: Always means the test tracks
        # whatever fortio/fortio:latest is on the day it runs; pin a tag or
        # digest if reproducibility matters.
        image: fortio/fortio
        imagePullPolicy: Always

# ---- /test/simple/values.yaml ----
# Values for the "simple" sanity test. Everything below is tuned for a
# disposable CI cluster; several settings (privileged sidecar, plaintext
# control plane, floating image tags) are explicitly not production choices.

#sidecarInjectorWebhook:
#  rewriteAppHTTPProbe: false

# CNI is off, so traffic redirection is done by the proxy_init container
# rather than by a CNI plugin.
istio_cni:
  enabled: false

debug: INFO

version: ""

global:
  # Images come from the istio-testing hub at a floating "latest" tag and are
  # re-pulled on every start (imagePullPolicy: Always). Nothing is pinned,
  # which is fine for CI but not a deployable configuration.
  hub: gcr.io/istio-testing
  tag: latest

  imagePullPolicy: Always

  # Pilot <-> proxy traffic is plaintext; matches the bare host:port
  # discoveryAddress in test/simple/mesh.yaml. Test-only setting.
  controlPlaneSecurityEnabled: false

  istioNamespace: istio-system
  trustDomain: ""

  #network: default
  # podDNSSearchNamespaces:

  # Secret discovery service disabled: workload certificates are not delivered
  # over SDS in this configuration.
  sds:
    enabled: false
    # customTokenDirectory
    #useTrustworthyJwt: true


  proxy:
    # NOTE(review): privileged: true gives the sidecar container the full host
    # capability set. Nothing visible in this test requires it (iptables setup
    # presumably lives in proxy_init, not the proxy); it is most likely a
    # debugging convenience. Keep it out of any non-test values file.
    privileged: true
    # Core dumps off: a core of the proxy process would contain whatever keys
    # and request data it holds in memory.
    enableCoreDump: false
    image: proxyv2
    clusterDomain: "cluster.local"

    excludeInboundPorts: ""
    # "*" sends all outbound traffic through the sidecar; nothing bypasses it.
    includeIPRanges: "*"
    excludeIPRanges: ""
    statusPort: 15020
    logLevel: ""
    readinessInitialDelaySeconds: 1
    readinessPeriodSeconds: 2
    readinessFailureThreshold: 10

    # resources
    componentLogLevel: "misc:error"


  tracer: "none"

  envoyStatsd:
    enabled: false



  proxy_init:
    image: proxyv2