├── topics
│   └── helloriff.yaml
├── functions
│   └── helloriff.yaml
├── helloriff
│   ├── Dockerfile
│   └── main.go
├── README.md
├── riff.yaml
├── LICENSE
└── istio.yaml

/topics/helloriff.yaml:
--------------------------------------------------------------------------------
apiVersion: projectriff.io/v1
kind: Topic
metadata:
  name: helloriff
spec:
  partitions: 1

--------------------------------------------------------------------------------
/functions/helloriff.yaml:
--------------------------------------------------------------------------------
apiVersion: projectriff.io/v1
kind: Function
metadata:
  name: helloriff
spec:
  container:
    image: gcr.io/hightowerlabs/helloriff:0.0.1
  input: helloriff
  protocol: http
  idleTimeoutMs: 60000

--------------------------------------------------------------------------------
/helloriff/Dockerfile:
--------------------------------------------------------------------------------
FROM golang:1.9.1
WORKDIR /go/src/github.com/kelseyhightower/riff-tutorial/helloriff
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -a -o helloriff \
    -tags netgo -installsuffix netgo .

FROM busybox
COPY --from=0 /go/src/github.com/kelseyhightower/riff-tutorial/helloriff .
ENTRYPOINT ["/helloriff"]

--------------------------------------------------------------------------------
/helloriff/main.go:
--------------------------------------------------------------------------------
// Copyright 2018 Google Inc. All Rights Reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.

package main

import (
	"fmt"
	"log"
	"net/http"
)

// A riff "function" is just a container that answers HTTP on port 8080;
// the riff sidecar forwards each event from the topic to this server.
func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello Riff!")
	})
	log.Fatal(http.ListenAndServe(":8080", nil))
}

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Riff Tutorial

The riff tutorial walks you through installing the [riff FaaS platform](https://projectriff.io) and [Istio](https://istio.io/about/intro.html) on [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine). The resulting environment is great for demos and exploring riff and Istio, but should not be considered production ready.

Be sure to watch Mark Fisher's SpringOne [riff announcement keynote and live demo](https://projectriff.io/video/mark-fisher-at-springone-platform-2017/) to get up to speed on riff.

> In addition to the environment Mark demo'd in his keynote, this tutorial integrates Istio and riff to provide traffic management for the riff http gateway and runs each function managed by riff in the Istio service mesh.

## Tutorial

Create a Kubernetes cluster large enough to host the riff and istio components:

```
gcloud container clusters create riff \
  --cluster-version 1.9.2-gke.1 \
  --machine-type n1-standard-4 \
  --num-nodes 5
```

> Smaller clusters should work, but only the configuration above has been tested.

Grant cluster admin permissions to the current user. Admin permissions are required to create the necessary RBAC rules for riff and Istio.

```
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=$(gcloud config get-value core/account)
```

### Install Istio

Install Istio into the `istio-system` namespace:

```
kubectl apply -f https://raw.githubusercontent.com/kelseyhightower/riff-tutorial/master/istio.yaml
```

> The following addons are also installed: [Prometheus](https://istio.io/docs/tasks/telemetry/metrics-logs.html), [Grafana](https://istio.io/docs/tasks/telemetry/using-istio-dashboard.html), [Jaeger](https://istio.io/docs/tasks/telemetry/distributed-tracing.html), and [Istio Sidecar Injector](https://istio.io/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection).

Wait until each Istio component is running:

```
kubectl get pods -n istio-system
```
```
NAME                                      READY     STATUS    RESTARTS   AGE
grafana-6585bdf64c-8k45v                  1/1       Running   0          39s
istio-ca-7876b944bc-fx9r9                 1/1       Running   0          40s
istio-ingress-d8d5fdc86-4n6hr             1/1       Running   0          40s
istio-mixer-65bb55df98-b9gwb              3/3       Running   0          46s
istio-pilot-5cb545f47c-ppf6c              2/2       Running   0          40s
istio-sidecar-injector-6bb584c47d-xd6x6   1/1       Running   0          38s
jaeger-deployment-559c8b9b8-d4l9h         1/1       Running   0          39s
prometheus-5db8cc75f8-hxdc5               1/1       Running   0          40s
```

### Install riff

Install riff into the `riff` namespace and enable [Istio automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection.html#deploying-an-app):

```
kubectl apply -f https://raw.githubusercontent.com/kelseyhightower/riff-tutorial/master/riff.yaml
```

Wait until each riff component is running:

```
kubectl get pods -n riff
```
```
NAME                                   READY     STATUS    RESTARTS   AGE
function-controller-54f964dc6c-qv9cf   2/2       Running   0          47s
http-gateway-56d47d5dd-frgb4           2/2       Running   2          46s
kafka-broker-697bbbcbf8-j5mz2          2/2       Running   1          47s
topic-controller-54cbc965bc-nm7rr      2/2       Running   0          46s
zookeeper-77dbfc6cf8-zrlwp             2/2       Running   0          47s
```

> Restarts of the `http-gateway` and `kafka-broker` are expected as kafka depends on zookeeper, and the http-gateway depends on kafka.

### Creating and Executing Functions

Ensure the istio sidecar is injected into every riff function created in the default namespace.

```
kubectl label namespace default istio-injection=enabled
```

> riff functions are packaged and deployed as pods, which is why the istio injection works.

Create a topic that will trigger the `helloriff` function container:

```
kubectl apply -f https://raw.githubusercontent.com/kelseyhightower/riff-tutorial/master/topics/helloriff.yaml
```

Create the `helloriff` function:

```
kubectl apply -f https://raw.githubusercontent.com/kelseyhightower/riff-tutorial/master/functions/helloriff.yaml
```

> You'll notice we are creating a function without writing any code. riff supports using containers as "functions". In this case the `gcr.io/hightowerlabs/helloriff:0.0.1` container will be mapped to events on the `helloriff` topic.

Once the function has been defined, the riff `function-controller` will create a deployment with an initial replica count set to zero.

```
kubectl get deployment
```
```
NAME        DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
helloriff   0         0         0            0           12s
```

riff will scale up the number of pods based on the flow of incoming requests to the riff `http-gateway`.
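
The "wait until each component is running" steps above and the sidecar injection are easy to eyeball once, but worth checking mechanically. The following is an added example, not part of the tutorial: it parses the plain `kubectl get pods` table, reports pods that are not fully ready, flags restarts outside the allow list the tutorial describes (`http-gateway` and `kafka-broker`), and confirms that a function pod carries the expected container count (function + riff sidecar + istio-proxy). The two embedded tables are copied from the tutorial output; `Deployment` assumes the usual `<deployment>-<replicaset hash>-<pod hash>` naming.

```go
package main

import (
	"fmt"
	"strings"
)

// PodStatus is one data row of `kubectl get pods` (NAME READY STATUS RESTARTS AGE).
type PodStatus struct {
	Name     string
	Ready    int // containers reporting ready
	Total    int // containers in the pod
	Status   string
	Restarts int
}

// ParsePods parses the plain table printed by `kubectl get pods`, skipping the header.
func ParsePods(output string) ([]PodStatus, error) {
	var pods []PodStatus
	for n, line := range strings.Split(strings.TrimSpace(output), "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || f[0] == "NAME" {
			continue // blank line or header row
		}
		if len(f) < 5 {
			return nil, fmt.Errorf("line %d: want 5 columns, got %d", n+1, len(f))
		}
		p := PodStatus{Name: f[0], Status: f[2]}
		// READY is "ready/total"; RESTARTS is a plain count.
		if _, err := fmt.Sscanf(f[1]+" "+f[3], "%d/%d %d", &p.Ready, &p.Total, &p.Restarts); err != nil {
			return nil, fmt.Errorf("line %d: READY/RESTARTS columns: %v", n+1, err)
		}
		pods = append(pods, p)
	}
	return pods, nil
}

// Deployment strips the ReplicaSet and pod hashes from a pod name
// (helloriff-747b8b5685-fhjf4 -> helloriff). Assumes standard naming.
func Deployment(podName string) string {
	parts := strings.Split(podName, "-")
	if len(parts) < 3 {
		return podName
	}
	return strings.Join(parts[:len(parts)-2], "-")
}

// NotReady lists pods that are not Running with every container ready;
// "wait until each component is running" means this list is empty.
func NotReady(pods []PodStatus) []string {
	var out []string
	for _, p := range pods {
		if p.Status != "Running" || p.Ready != p.Total {
			out = append(out, p.Name)
		}
	}
	return out
}

// UnexpectedRestarts lists pods that restarted although their deployment is not
// on the allow list (the tutorial expects http-gateway and kafka-broker to restart).
func UnexpectedRestarts(pods []PodStatus, allowed ...string) []string {
	ok := map[string]bool{}
	for _, d := range allowed {
		ok[d] = true
	}
	var out []string
	for _, p := range pods {
		if p.Restarts > 0 && !ok[Deployment(p.Name)] {
			out = append(out, p.Name)
		}
	}
	return out
}

// SidecarsInjected reports whether the pod of the named deployment carries the
// expected number of containers: function + riff sidecar + istio-proxy = 3.
func SidecarsInjected(pods []PodStatus, deployment string, want int) bool {
	for _, p := range pods {
		if Deployment(p.Name) == deployment {
			return p.Total == want
		}
	}
	return false
}

// Sample input copied from the tutorial's `kubectl get pods -n riff` output.
const riffPods = `NAME                                   READY   STATUS    RESTARTS   AGE
function-controller-54f964dc6c-qv9cf   2/2     Running   0          47s
http-gateway-56d47d5dd-frgb4           2/2     Running   2          46s
kafka-broker-697bbbcbf8-j5mz2          2/2     Running   1          47s
topic-controller-54cbc965bc-nm7rr      2/2     Running   0          46s
zookeeper-77dbfc6cf8-zrlwp             2/2     Running   0          47s`

// Sample input copied from the tutorial's `kubectl get pods` output in the default namespace.
const functionPods = `NAME                         READY   STATUS    RESTARTS   AGE
helloriff-747b8b5685-fhjf4   3/3     Running   1          11s`

func main() {
	pods, err := ParsePods(riffPods)
	if err != nil {
		panic(err)
	}
	fmt.Println("not ready:", NotReady(pods))
	fmt.Println("unexpected restarts:", UnexpectedRestarts(pods, "http-gateway", "kafka-broker"))
	fn, _ := ParsePods(functionPods)
	fmt.Println("helloriff has both sidecars:", SidecarsInjected(fn, "helloriff", 3))
}
```

Against live output, feed the text of `kubectl get pods -n riff` and `kubectl get pods` to `ParsePods` instead of the embedded constants.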

### Invoking the Function

Retrieve the IP address of the riff `http-gateway` ingress:

```
HTTP_GATEWAY_IP=$(kubectl get ingress http-gateway -n riff \
  -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
```

Execute an HTTP request to the riff `http-gateway` to invoke the `helloriff` function:

```
curl http://${HTTP_GATEWAY_IP}/requests/helloriff
```

The `curl` command will take a few moments to complete while the `function-controller` scales up the `helloriff` deployment in the background:

```
kubectl get deployments helloriff
```
```
NAME        DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
helloriff   1         1         1            1           1m
```

Notice the `helloriff` function pod contains three containers: istio-sidecar, riff-sidecar, and the helloriff container defined in the [function definition](https://github.com/kelseyhightower/riff-tutorial/blob/master/functions/helloriff.yaml).

```
kubectl get pods
```
```
NAME                         READY     STATUS    RESTARTS   AGE
helloriff-747b8b5685-fhjf4   3/3       Running   1          11s
```

> The `helloriff` pod restart is expected and may be related to the interaction between the riff sidecar and kafka.
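
The `helloriff` container is an ordinary HTTP server, and the tutorial's `main.go` starts it with `http.ListenAndServe` and no limits at all, even though it sits behind a public ingress. As an added example (not the tutorial's code), here is the same function with a bounded event body and explicit server timeouts. It assumes the riff sidecar delivers each topic message as the body of an HTTP request to the function, which the page does not spell out; `maxEventBytes` is a chosen cap, not a riff setting.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

// maxEventBytes caps the payload of a single event; larger bodies are rejected
// instead of being buffered in the function container. Chosen for this example.
const maxEventBytes = 64 << 10

// HandleEvent reads one event payload and returns the status and reply body the
// function sends back. The riff sidecar (protocol: http) is assumed to deliver
// each message from the topic as the body of an HTTP request to this endpoint.
func HandleEvent(body io.Reader) (int, string) {
	// Read at most one byte over the cap so an oversized event is detectable
	// without ever holding more than maxEventBytes+1 bytes in memory.
	data, err := io.ReadAll(io.LimitReader(body, maxEventBytes+1))
	if err != nil {
		return http.StatusBadRequest, "could not read event"
	}
	if len(data) > maxEventBytes {
		return http.StatusRequestEntityTooLarge, "event too large"
	}
	return http.StatusOK, fmt.Sprintf("Hello Riff! (%d bytes of event)", len(data))
}

// NewServer wires the handler into an http.Server with explicit timeouts. The
// tutorial's http.ListenAndServe(":8080", nil) has none, so one slow or idle
// client could pin a connection on the function pod for as long as it likes.
func NewServer(addr string) *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		status, reply := HandleEvent(r.Body)
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.WriteHeader(status)
		io.WriteString(w, reply)
	})
	return &http.Server{
		Addr:              addr,
		Handler:           mux,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
}

func main() {
	// Same port the tutorial image listens on, so the function spec is unchanged.
	log.Fatal(NewServer(":8080").ListenAndServe())
}
```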

## Cleanup

Delete all riff resources:

```
kubectl delete ns riff
```

Delete all istio resources:

```
kubectl delete ns istio-system
```

Delete the Kubernetes cluster:

```
gcloud container clusters delete riff
```

--------------------------------------------------------------------------------
/riff.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: riff
  labels:
    istio-injection: enabled
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: riff
  namespace: riff
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: riff
  namespace: riff
rules:
- apiGroups: [""]
  resources: ["services", "pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: ["projectriff.io"]
  resources: ["functions", "topics"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: riff
  namespace: riff
subjects:
- kind: ServiceAccount
  name: riff
roleRef:
  kind: Role
  name: riff
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: riff
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: ["extensions"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: ["projectriff.io"]
  resources: ["functions", "topics"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: riff
subjects:
- kind: ServiceAccount
  name: riff
  namespace: riff
roleRef:
  kind: ClusterRole
  name: riff
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: functions.projectriff.io
versions:
- name: v1
spec:
  scope: Namespaced
  group: projectriff.io
  version: v1
  names:
    kind: Function
    plural: functions
    singular: function
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: topics.projectriff.io
versions:
- name: v1
spec:
  scope: Namespaced
  group: projectriff.io
  version: v1
  names:
    kind: Topic
    plural: topics
    singular: topic
---
apiVersion: v1
kind: Service
metadata:
  name: http-gateway
  namespace: riff
  labels:
    app: http-gateway
spec:
  ports:
  - port: 80
    name: http
    targetPort: 8080
  - port: 443
    name: https
    targetPort: 8443
  selector:
    app: http-gateway
---
apiVersion: v1
kind: Service
metadata:
  name: kafka
  namespace: riff
  labels:
    app: kafka
spec:
  ports:
  - port: 9092
    name: kafka-port
    targetPort: 9092
    protocol: TCP
  selector:
    app: kafka
---
apiVersion: v1
kind: Service
metadata:
  name: zookeeper
  namespace: riff
  labels:
    app: zookeeper
spec:
  ports:
  - port: 2181
    name: zookeeper-port
    targetPort: 2181
    protocol: TCP
  selector:
    app: zookeeper
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: zookeeper
  name: zookeeper
  namespace: riff
spec:
  replicas: 1
  selector:
    matchLabels:
      app: zookeeper
  template:
    metadata:
      labels:
        app: zookeeper
    spec:
      containers:
      - name: zookeeper
        image: wurstmeister/zookeeper:3.4.6
        ports:
        - containerPort: 2181
        env:
        - name: ZOOKEEPER_ID
          value: "1"
        - name: ZOOKEEPER_SERVER_1
          value: zookeeper
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kafka
  name: kafka-broker
  namespace: riff
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kafka
  template:
    metadata:
      labels:
        app: kafka
    spec:
      containers:
      - name: kafka
        image: wurstmeister/kafka:0.11.0.1
        ports:
        - containerPort: 9092
        env:
        - name: KAFKA_PORT
          value: "9092"
        - name: KAFKA_ADVERTISED_PORT
          value: "9092"
        - name: KAFKA_ADVERTISED_HOST_NAME
          value: "kafka.riff.svc.cluster.local"
        - name: KAFKA_ZOOKEEPER_CONNECT
          value: zookeeper:2181
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: function-controller
  namespace: riff
  labels:
    app: function-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: function-controller
  template:
    metadata:
      name: function-controller
      labels:
        app: function-controller
    spec:
      serviceAccountName: riff
      containers:
      - image: projectriff/function-controller:0.0.3
        name: function-controller
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 60
          periodSeconds: 15
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
        env:
        - name: KAFKA_BROKERS
          value: kafka.riff.svc.cluster.local:9092
        - name: RIFF_FUNCTION_SIDECAR_TAG
          value: 0.0.3
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: topic-controller
  namespace: riff
  labels:
    app: topic-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: topic-controller
  template:
    metadata:
      name: topic-controller
      labels:
        app: topic-controller
    spec:
      serviceAccountName: riff
      containers:
      - image: projectriff/topic-controller:0.0.3
        name: topic-controller
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 60
          periodSeconds: 15
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
        env:
        - name: KAFKA_ZK_NODES
          value: zookeeper:2181
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-gateway
  namespace: riff
  labels:
    app: http-gateway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: http-gateway
  template:
    metadata:
      name: http-gateway
      labels:
        app: http-gateway
    spec:
      serviceAccountName: riff
      containers:
      - image: projectriff/http-gateway:0.0.3
        name: http-gateway
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /application/status
            port: 8080
          periodSeconds: 5
        readinessProbe:
          httpGet:
            path: /application/status
            port: 8080
          periodSeconds: 5
        env:
        - name: KAFKA_BROKERS
          value: kafka.riff.svc.cluster.local:9092
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: http-gateway
  namespace: riff
  annotations:
    kubernetes.io/ingress.class: istio
spec:
  rules:
  - http:
      paths:
      - path: /requests/.*
        backend:
          serviceName: http-gateway
          servicePort: 80

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

--------------------------------------------------------------------------------
/istio.yaml:
--------------------------------------------------------------------------------
# GENERATED FILE. Use with Kubernetes 1.7+
# TO UPDATE, modify files in install/kubernetes/templates and run install/updateVersion.sh
################################
# Istio system namespace
################################
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
---
################################
# Istio RBAC
################################
# Permissions and roles for istio
# To debug: start the cluster with -vmodule=rbac,3 to enable verbose logging on RBAC DENY
# Also helps to enable logging on apiserver 'wrap' to see the URLs.
# Each RBAC deny needs to be mapped into a rule for the role.
# If using minikube, start with '--extra-config=apiserver.Authorization.Mode=RBAC'
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-pilot-istio-system
rules:
- apiGroups: ["config.istio.io"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["endpoints", "pods", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces", "nodes", "secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["externaladmissionhookconfigurations"]
  verbs: ["create", "update", "delete"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-sidecar-injector-istio-system
rules:
- apiGroups: ["*"]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
---
# Mixer CRD needs to watch and list CRDs
# It also uses discovery API to discover Kinds of config.istio.io
# K8s adapter needs to list pods, services etc.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-mixer-istio-system
rules:
- apiGroups: ["config.istio.io"] # Istio CRD watcher
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-ca-istio-system
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "get", "watch", "list", "update"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]
---
# Permissions for the sidecar proxy.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-sidecar-istio-system
rules:
- apiGroups: ["extensions"]
  resources: ["thirdpartyresources", "ingresses"]
  verbs: ["get", "watch", "list", "update"]
- apiGroups: [""]
  resources: ["configmaps", "pods", "endpoints", "services"]
  verbs: ["get", "watch", "list"]
---
# Grant permissions to the Pilot/discovery.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-pilot-admin-role-binding-istio-system
subjects:
- kind: ServiceAccount
  name: istio-pilot-service-account
  namespace: istio-system
roleRef:
  kind: ClusterRole
  name: istio-pilot-istio-system
  apiGroup: rbac.authorization.k8s.io
---
# Grant permissions to the Sidecar sidecar-injector
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-sidecar-injector-admin-role-binding-istio-system
subjects:
- kind: ServiceAccount
  name: istio-sidecar-injector-service-account
  namespace: istio-system
roleRef:
  kind: ClusterRole
  name: istio-sidecar-injector-istio-system
  apiGroup: rbac.authorization.k8s.io
---
# Grant permissions to the CA.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-ca-role-binding-istio-system
subjects:
- kind: ServiceAccount
  name: istio-ca-service-account
  namespace: istio-system
roleRef:
  kind: ClusterRole
  name: istio-ca-istio-system
  apiGroup: rbac.authorization.k8s.io
---
# Grant permissions to the Ingress controller.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-ingress-admin-role-binding-istio-system
subjects:
- kind: ServiceAccount
  name: istio-ingress-service-account
  namespace: istio-system
roleRef:
  kind: ClusterRole
  name: istio-pilot-istio-system
  apiGroup: rbac.authorization.k8s.io
---
# Grant permissions to the sidecar.
# TEMPORARY: the istioctl should generate a separate service account for the proxy, and permission
# granted only to that account !
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-sidecar-role-binding-istio-system
subjects:
- kind: ServiceAccount
  name: default
  namespace: istio-system
roleRef:
  kind: ClusterRole
  name: istio-sidecar-istio-system
  apiGroup: rbac.authorization.k8s.io
---
# Grant permissions to Mixer.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-mixer-admin-role-binding-istio-system
subjects:
- kind: ServiceAccount
  name: istio-mixer-service-account
  namespace: istio-system
roleRef:
  kind: ClusterRole
  name: istio-mixer-istio-system
  apiGroup: rbac.authorization.k8s.io
---
# Mixer
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-mixer
  namespace: istio-system
data:
  mapping.conf: |-
---
apiVersion: v1
kind: Service
metadata:
  name: istio-mixer
  namespace: istio-system
  labels:
    istio: mixer
spec:
  ports:
  - name: tcp-plain
    port: 9091
  - name: tcp-mtls
    port: 15004
  - name: http-monitoring
    port: 9093
  - name: configapi
    port: 9094
  - name: statsd-prom
    port: 9102
  - name: statsd-udp
    port: 9125
    protocol: UDP
  - name: prometheus
    port: 42422
  selector:
    istio: mixer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-mixer-service-account
  namespace: istio-system
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-mixer
  namespace: istio-system
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  replicas: 1
  template:
    metadata:
      labels:
        istio: mixer
    spec:
      serviceAccountName:
istio-mixer-service-account 244 | containers: 245 | - name: statsd-to-prometheus 246 | image: prom/statsd-exporter:v0.5.0 247 | imagePullPolicy: IfNotPresent 248 | ports: 249 | - containerPort: 9102 250 | - containerPort: 9125 251 | protocol: UDP 252 | args: 253 | - '-statsd.mapping-config=/etc/statsd/mapping.conf' 254 | volumeMounts: 255 | - name: config-volume 256 | mountPath: /etc/statsd 257 | - name: mixer 258 | image: docker.io/istio/mixer:0.5.0 259 | imagePullPolicy: IfNotPresent 260 | ports: 261 | - containerPort: 9091 262 | - containerPort: 9093 263 | - containerPort: 9094 264 | - containerPort: 42422 265 | args: 266 | - --configStoreURL=k8s:// 267 | - --configDefaultNamespace=istio-system 268 | - --zipkinURL=http://zipkin:9411/api/v1/spans 269 | - --logtostderr 270 | - -v 271 | - "2" 272 | - name: istio-proxy 273 | image: docker.io/istio/proxy:0.5.0 274 | imagePullPolicy: IfNotPresent 275 | ports: 276 | - containerPort: 15004 277 | args: 278 | - proxy 279 | - mixer 280 | - -v 281 | - "2" 282 | - --controlPlaneAuthPolicy 283 | - NONE #--controlPlaneAuthPolicy 284 | - --customConfigFile 285 | - /etc/istio/proxy/envoy_mixer.json 286 | volumeMounts: 287 | - name: istio-certs 288 | mountPath: /etc/certs 289 | readOnly: true 290 | volumes: 291 | - name: istio-certs 292 | secret: 293 | secretName: istio.istio-mixer-service-account 294 | optional: true 295 | - name: config-volume 296 | configMap: 297 | name: istio-mixer 298 | --- 299 | # Mixer CRD definitions are generated using 300 | # mixs crd all 301 | 302 | kind: CustomResourceDefinition 303 | apiVersion: apiextensions.k8s.io/v1beta1 304 | metadata: 305 | name: rules.config.istio.io 306 | labels: 307 | package: istio.io.mixer 308 | istio: core 309 | spec: 310 | group: config.istio.io 311 | names: 312 | kind: rule 313 | plural: rules 314 | singular: rule 315 | scope: Namespaced 316 | version: v1alpha2 317 | --- 318 | 319 | kind: CustomResourceDefinition 320 | apiVersion: apiextensions.k8s.io/v1beta1 321 | 
metadata: 322 | name: attributemanifests.config.istio.io 323 | labels: 324 | package: istio.io.mixer 325 | istio: core 326 | spec: 327 | group: config.istio.io 328 | names: 329 | kind: attributemanifest 330 | plural: attributemanifests 331 | singular: attributemanifest 332 | scope: Namespaced 333 | version: v1alpha2 334 | --- 335 | 336 | kind: CustomResourceDefinition 337 | apiVersion: apiextensions.k8s.io/v1beta1 338 | metadata: 339 | name: circonuses.config.istio.io 340 | labels: 341 | package: circonus 342 | istio: mixer-adapter 343 | spec: 344 | group: config.istio.io 345 | names: 346 | kind: circonus 347 | plural: circonuses 348 | singular: circonus 349 | scope: Namespaced 350 | version: v1alpha2 351 | --- 352 | 353 | kind: CustomResourceDefinition 354 | apiVersion: apiextensions.k8s.io/v1beta1 355 | metadata: 356 | name: deniers.config.istio.io 357 | labels: 358 | package: denier 359 | istio: mixer-adapter 360 | spec: 361 | group: config.istio.io 362 | names: 363 | kind: denier 364 | plural: deniers 365 | singular: denier 366 | scope: Namespaced 367 | version: v1alpha2 368 | --- 369 | 370 | kind: CustomResourceDefinition 371 | apiVersion: apiextensions.k8s.io/v1beta1 372 | metadata: 373 | name: fluentds.config.istio.io 374 | labels: 375 | package: fluentd 376 | istio: mixer-adapter 377 | spec: 378 | group: config.istio.io 379 | names: 380 | kind: fluentd 381 | plural: fluentds 382 | singular: fluentd 383 | scope: Namespaced 384 | version: v1alpha2 385 | --- 386 | 387 | kind: CustomResourceDefinition 388 | apiVersion: apiextensions.k8s.io/v1beta1 389 | metadata: 390 | name: kubernetesenvs.config.istio.io 391 | labels: 392 | package: kubernetesenv 393 | istio: mixer-adapter 394 | spec: 395 | group: config.istio.io 396 | names: 397 | kind: kubernetesenv 398 | plural: kubernetesenvs 399 | singular: kubernetesenv 400 | scope: Namespaced 401 | version: v1alpha2 402 | --- 403 | 404 | kind: CustomResourceDefinition 405 | apiVersion: apiextensions.k8s.io/v1beta1 406 | 
metadata: 407 | name: listcheckers.config.istio.io 408 | labels: 409 | package: listchecker 410 | istio: mixer-adapter 411 | spec: 412 | group: config.istio.io 413 | names: 414 | kind: listchecker 415 | plural: listcheckers 416 | singular: listchecker 417 | scope: Namespaced 418 | version: v1alpha2 419 | --- 420 | 421 | kind: CustomResourceDefinition 422 | apiVersion: apiextensions.k8s.io/v1beta1 423 | metadata: 424 | name: memquotas.config.istio.io 425 | labels: 426 | package: memquota 427 | istio: mixer-adapter 428 | spec: 429 | group: config.istio.io 430 | names: 431 | kind: memquota 432 | plural: memquotas 433 | singular: memquota 434 | scope: Namespaced 435 | version: v1alpha2 436 | --- 437 | 438 | kind: CustomResourceDefinition 439 | apiVersion: apiextensions.k8s.io/v1beta1 440 | metadata: 441 | name: noops.config.istio.io 442 | labels: 443 | package: noop 444 | istio: mixer-adapter 445 | spec: 446 | group: config.istio.io 447 | names: 448 | kind: noop 449 | plural: noops 450 | singular: noop 451 | scope: Namespaced 452 | version: v1alpha2 453 | --- 454 | 455 | kind: CustomResourceDefinition 456 | apiVersion: apiextensions.k8s.io/v1beta1 457 | metadata: 458 | name: opas.config.istio.io 459 | labels: 460 | package: opa 461 | istio: mixer-adapter 462 | spec: 463 | group: config.istio.io 464 | names: 465 | kind: opa 466 | plural: opas 467 | singular: opa 468 | scope: Namespaced 469 | version: v1alpha2 470 | --- 471 | 472 | kind: CustomResourceDefinition 473 | apiVersion: apiextensions.k8s.io/v1beta1 474 | metadata: 475 | name: prometheuses.config.istio.io 476 | labels: 477 | package: prometheus 478 | istio: mixer-adapter 479 | spec: 480 | group: config.istio.io 481 | names: 482 | kind: prometheus 483 | plural: prometheuses 484 | singular: prometheus 485 | scope: Namespaced 486 | version: v1alpha2 487 | --- 488 | 489 | kind: CustomResourceDefinition 490 | apiVersion: apiextensions.k8s.io/v1beta1 491 | metadata: 492 | name: rbacs.config.istio.io 493 | labels: 494 
| package: rbac 495 | istio: mixer-adapter 496 | spec: 497 | group: config.istio.io 498 | names: 499 | kind: rbac 500 | plural: rbacs 501 | singular: rbac 502 | scope: Namespaced 503 | version: v1alpha2 504 | --- 505 | 506 | kind: CustomResourceDefinition 507 | apiVersion: apiextensions.k8s.io/v1beta1 508 | metadata: 509 | name: servicecontrols.config.istio.io 510 | labels: 511 | package: servicecontrol 512 | istio: mixer-adapter 513 | spec: 514 | group: config.istio.io 515 | names: 516 | kind: servicecontrol 517 | plural: servicecontrols 518 | singular: servicecontrol 519 | scope: Namespaced 520 | version: v1alpha2 521 | --- 522 | 523 | kind: CustomResourceDefinition 524 | apiVersion: apiextensions.k8s.io/v1beta1 525 | metadata: 526 | name: stackdrivers.config.istio.io 527 | labels: 528 | package: stackdriver 529 | istio: mixer-adapter 530 | spec: 531 | group: config.istio.io 532 | names: 533 | kind: stackdriver 534 | plural: stackdrivers 535 | singular: stackdriver 536 | scope: Namespaced 537 | version: v1alpha2 538 | --- 539 | 540 | kind: CustomResourceDefinition 541 | apiVersion: apiextensions.k8s.io/v1beta1 542 | metadata: 543 | name: statsds.config.istio.io 544 | labels: 545 | package: statsd 546 | istio: mixer-adapter 547 | spec: 548 | group: config.istio.io 549 | names: 550 | kind: statsd 551 | plural: statsds 552 | singular: statsd 553 | scope: Namespaced 554 | version: v1alpha2 555 | --- 556 | 557 | kind: CustomResourceDefinition 558 | apiVersion: apiextensions.k8s.io/v1beta1 559 | metadata: 560 | name: stdios.config.istio.io 561 | labels: 562 | package: stdio 563 | istio: mixer-adapter 564 | spec: 565 | group: config.istio.io 566 | names: 567 | kind: stdio 568 | plural: stdios 569 | singular: stdio 570 | scope: Namespaced 571 | version: v1alpha2 572 | --- 573 | 574 | kind: CustomResourceDefinition 575 | apiVersion: apiextensions.k8s.io/v1beta1 576 | metadata: 577 | name: apikeies.config.istio.io 578 | labels: 579 | package: apikey 580 | istio: 
mixer-instance 581 | spec: 582 | group: config.istio.io 583 | names: 584 | kind: apikey 585 | plural: apikeies 586 | singular: apikey 587 | scope: Namespaced 588 | version: v1alpha2 589 | --- 590 | 591 | kind: CustomResourceDefinition 592 | apiVersion: apiextensions.k8s.io/v1beta1 593 | metadata: 594 | name: authorizations.config.istio.io 595 | labels: 596 | package: authorization 597 | istio: mixer-instance 598 | spec: 599 | group: config.istio.io 600 | names: 601 | kind: authorization 602 | plural: authorizations 603 | singular: authorization 604 | scope: Namespaced 605 | version: v1alpha2 606 | --- 607 | 608 | kind: CustomResourceDefinition 609 | apiVersion: apiextensions.k8s.io/v1beta1 610 | metadata: 611 | name: checknothings.config.istio.io 612 | labels: 613 | package: checknothing 614 | istio: mixer-instance 615 | spec: 616 | group: config.istio.io 617 | names: 618 | kind: checknothing 619 | plural: checknothings 620 | singular: checknothing 621 | scope: Namespaced 622 | version: v1alpha2 623 | --- 624 | 625 | kind: CustomResourceDefinition 626 | apiVersion: apiextensions.k8s.io/v1beta1 627 | metadata: 628 | name: kuberneteses.config.istio.io 629 | labels: 630 | package: adapter.template.kubernetes 631 | istio: mixer-instance 632 | spec: 633 | group: config.istio.io 634 | names: 635 | kind: kubernetes 636 | plural: kuberneteses 637 | singular: kubernetes 638 | scope: Namespaced 639 | version: v1alpha2 640 | --- 641 | 642 | kind: CustomResourceDefinition 643 | apiVersion: apiextensions.k8s.io/v1beta1 644 | metadata: 645 | name: listentries.config.istio.io 646 | labels: 647 | package: listentry 648 | istio: mixer-instance 649 | spec: 650 | group: config.istio.io 651 | names: 652 | kind: listentry 653 | plural: listentries 654 | singular: listentry 655 | scope: Namespaced 656 | version: v1alpha2 657 | --- 658 | 659 | kind: CustomResourceDefinition 660 | apiVersion: apiextensions.k8s.io/v1beta1 661 | metadata: 662 | name: logentries.config.istio.io 663 | labels: 
664 | package: logentry 665 | istio: mixer-instance 666 | spec: 667 | group: config.istio.io 668 | names: 669 | kind: logentry 670 | plural: logentries 671 | singular: logentry 672 | scope: Namespaced 673 | version: v1alpha2 674 | --- 675 | 676 | kind: CustomResourceDefinition 677 | apiVersion: apiextensions.k8s.io/v1beta1 678 | metadata: 679 | name: metrics.config.istio.io 680 | labels: 681 | package: metric 682 | istio: mixer-instance 683 | spec: 684 | group: config.istio.io 685 | names: 686 | kind: metric 687 | plural: metrics 688 | singular: metric 689 | scope: Namespaced 690 | version: v1alpha2 691 | --- 692 | 693 | kind: CustomResourceDefinition 694 | apiVersion: apiextensions.k8s.io/v1beta1 695 | metadata: 696 | name: quotas.config.istio.io 697 | labels: 698 | package: quota 699 | istio: mixer-instance 700 | spec: 701 | group: config.istio.io 702 | names: 703 | kind: quota 704 | plural: quotas 705 | singular: quota 706 | scope: Namespaced 707 | version: v1alpha2 708 | --- 709 | 710 | kind: CustomResourceDefinition 711 | apiVersion: apiextensions.k8s.io/v1beta1 712 | metadata: 713 | name: reportnothings.config.istio.io 714 | labels: 715 | package: reportnothing 716 | istio: mixer-instance 717 | spec: 718 | group: config.istio.io 719 | names: 720 | kind: reportnothing 721 | plural: reportnothings 722 | singular: reportnothing 723 | scope: Namespaced 724 | version: v1alpha2 725 | --- 726 | 727 | kind: CustomResourceDefinition 728 | apiVersion: apiextensions.k8s.io/v1beta1 729 | metadata: 730 | name: servicecontrolreports.config.istio.io 731 | labels: 732 | package: servicecontrolreport 733 | istio: mixer-instance 734 | spec: 735 | group: config.istio.io 736 | names: 737 | kind: servicecontrolreport 738 | plural: servicecontrolreports 739 | singular: servicecontrolreport 740 | scope: Namespaced 741 | version: v1alpha2 742 | --- 743 | 744 | kind: CustomResourceDefinition 745 | apiVersion: apiextensions.k8s.io/v1beta1 746 | metadata: 747 | name: 
tracespans.config.istio.io 748 | labels: 749 | package: tracespan 750 | istio: mixer-instance 751 | spec: 752 | group: config.istio.io 753 | names: 754 | kind: tracespan 755 | plural: tracespans 756 | singular: tracespan 757 | scope: Namespaced 758 | version: v1alpha2 759 | --- 760 | 761 | kind: CustomResourceDefinition 762 | apiVersion: apiextensions.k8s.io/v1beta1 763 | metadata: 764 | name: serviceroles.config.istio.io 765 | labels: 766 | istio: rbac 767 | spec: 768 | group: config.istio.io 769 | names: 770 | kind: ServiceRole 771 | plural: serviceroles 772 | singular: servicerole 773 | scope: Namespaced 774 | version: v1alpha2 775 | --- 776 | 777 | kind: CustomResourceDefinition 778 | apiVersion: apiextensions.k8s.io/v1beta1 779 | metadata: 780 | name: servicerolebindings.config.istio.io 781 | labels: 782 | istio: rbac 783 | spec: 784 | group: config.istio.io 785 | names: 786 | kind: ServiceRoleBinding 787 | plural: servicerolebindings 788 | singular: servicerolebinding 789 | scope: Namespaced 790 | version: v1alpha2 791 | --- 792 | 793 | apiVersion: "config.istio.io/v1alpha2" 794 | kind: attributemanifest 795 | metadata: 796 | name: istioproxy 797 | namespace: istio-system 798 | spec: 799 | attributes: 800 | origin.ip: 801 | valueType: IP_ADDRESS 802 | origin.uid: 803 | valueType: STRING 804 | origin.user: 805 | valueType: STRING 806 | request.headers: 807 | valueType: STRING_MAP 808 | request.id: 809 | valueType: STRING 810 | request.host: 811 | valueType: STRING 812 | request.method: 813 | valueType: STRING 814 | request.path: 815 | valueType: STRING 816 | request.reason: 817 | valueType: STRING 818 | request.referer: 819 | valueType: STRING 820 | request.scheme: 821 | valueType: STRING 822 | request.size: 823 | valueType: INT64 824 | request.time: 825 | valueType: TIMESTAMP 826 | request.useragent: 827 | valueType: STRING 828 | response.code: 829 | valueType: INT64 830 | response.duration: 831 | valueType: DURATION 832 | response.headers: 833 | valueType: 
STRING_MAP 834 | response.size: 835 | valueType: INT64 836 | response.time: 837 | valueType: TIMESTAMP 838 | source.uid: 839 | valueType: STRING 840 | source.user: 841 | valueType: STRING 842 | destination.uid: 843 | valueType: STRING 844 | connection.id: 845 | valueType: STRING 846 | connection.received.bytes: 847 | valueType: INT64 848 | connection.received.bytes_total: 849 | valueType: INT64 850 | connection.sent.bytes: 851 | valueType: INT64 852 | connection.sent.bytes_total: 853 | valueType: INT64 854 | connection.duration: 855 | valueType: DURATION 856 | context.protocol: 857 | valueType: STRING 858 | context.timestamp: 859 | valueType: TIMESTAMP 860 | context.time: 861 | valueType: TIMESTAMP 862 | api.service: 863 | valueType: STRING 864 | api.version: 865 | valueType: STRING 866 | api.operation: 867 | valueType: STRING 868 | api.protocol: 869 | valueType: STRING 870 | request.auth.principal: 871 | valueType: STRING 872 | request.auth.audiences: 873 | valueType: STRING 874 | request.auth.presenter: 875 | valueType: STRING 876 | request.api_key: 877 | valueType: STRING 878 | 879 | --- 880 | apiVersion: "config.istio.io/v1alpha2" 881 | kind: attributemanifest 882 | metadata: 883 | name: kubernetes 884 | namespace: istio-system 885 | spec: 886 | attributes: 887 | source.ip: 888 | valueType: IP_ADDRESS 889 | source.labels: 890 | valueType: STRING_MAP 891 | source.name: 892 | valueType: STRING 893 | source.namespace: 894 | valueType: STRING 895 | source.service: 896 | valueType: STRING 897 | source.serviceAccount: 898 | valueType: STRING 899 | destination.ip: 900 | valueType: IP_ADDRESS 901 | destination.labels: 902 | valueType: STRING_MAP 903 | destination.name: 904 | valueType: STRING 905 | destination.namespace: 906 | valueType: STRING 907 | destination.service: 908 | valueType: STRING 909 | destination.serviceAccount: 910 | valueType: STRING 911 | --- 912 | apiVersion: "config.istio.io/v1alpha2" 913 | kind: stdio 914 | metadata: 915 | name: handler 916 | 
namespace: istio-system 917 | spec: 918 | outputAsJson: true 919 | --- 920 | apiVersion: "config.istio.io/v1alpha2" 921 | kind: logentry 922 | metadata: 923 | name: accesslog 924 | namespace: istio-system 925 | spec: 926 | severity: '"Default"' 927 | timestamp: request.time 928 | variables: 929 | sourceIp: source.ip | ip("0.0.0.0") 930 | destinationIp: destination.ip | ip("0.0.0.0") 931 | sourceUser: source.user | "" 932 | method: request.method | "" 933 | url: request.path | "" 934 | protocol: request.scheme | "http" 935 | responseCode: response.code | 0 936 | responseSize: response.size | 0 937 | requestSize: request.size | 0 938 | latency: response.duration | "0ms" 939 | monitored_resource_type: '"UNSPECIFIED"' 940 | --- 941 | apiVersion: "config.istio.io/v1alpha2" 942 | kind: rule 943 | metadata: 944 | name: stdio 945 | namespace: istio-system 946 | spec: 947 | match: "true" # If omitted match is true. 948 | actions: 949 | - handler: handler.stdio 950 | instances: 951 | - accesslog.logentry 952 | --- 953 | apiVersion: "config.istio.io/v1alpha2" 954 | kind: metric 955 | metadata: 956 | name: requestcount 957 | namespace: istio-system 958 | spec: 959 | value: "1" 960 | dimensions: 961 | source_service: source.service | "unknown" 962 | source_version: source.labels["version"] | "unknown" 963 | destination_service: destination.service | "unknown" 964 | destination_version: destination.labels["version"] | "unknown" 965 | response_code: response.code | 200 966 | monitored_resource_type: '"UNSPECIFIED"' 967 | --- 968 | apiVersion: "config.istio.io/v1alpha2" 969 | kind: metric 970 | metadata: 971 | name: requestduration 972 | namespace: istio-system 973 | spec: 974 | value: response.duration | "0ms" 975 | dimensions: 976 | source_service: source.service | "unknown" 977 | source_version: source.labels["version"] | "unknown" 978 | destination_service: destination.service | "unknown" 979 | destination_version: destination.labels["version"] | "unknown" 980 | response_code: 
response.code | 200 981 | monitored_resource_type: '"UNSPECIFIED"' 982 | --- 983 | apiVersion: "config.istio.io/v1alpha2" 984 | kind: metric 985 | metadata: 986 | name: requestsize 987 | namespace: istio-system 988 | spec: 989 | value: request.size | 0 990 | dimensions: 991 | source_service: source.service | "unknown" 992 | source_version: source.labels["version"] | "unknown" 993 | destination_service: destination.service | "unknown" 994 | destination_version: destination.labels["version"] | "unknown" 995 | response_code: response.code | 200 996 | monitored_resource_type: '"UNSPECIFIED"' 997 | --- 998 | apiVersion: "config.istio.io/v1alpha2" 999 | kind: metric 1000 | metadata: 1001 | name: responsesize 1002 | namespace: istio-system 1003 | spec: 1004 | value: response.size | 0 1005 | dimensions: 1006 | source_service: source.service | "unknown" 1007 | source_version: source.labels["version"] | "unknown" 1008 | destination_service: destination.service | "unknown" 1009 | destination_version: destination.labels["version"] | "unknown" 1010 | response_code: response.code | 200 1011 | monitored_resource_type: '"UNSPECIFIED"' 1012 | --- 1013 | apiVersion: "config.istio.io/v1alpha2" 1014 | kind: metric 1015 | metadata: 1016 | name: tcpbytesent 1017 | namespace: istio-system 1018 | labels: 1019 | istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp 1020 | spec: 1021 | value: connection.sent.bytes | 0 1022 | dimensions: 1023 | source_service: source.service | "unknown" 1024 | source_version: source.labels["version"] | "unknown" 1025 | destination_service: destination.service | "unknown" 1026 | destination_version: destination.labels["version"] | "unknown" 1027 | monitored_resource_type: '"UNSPECIFIED"' 1028 | --- 1029 | apiVersion: "config.istio.io/v1alpha2" 1030 | kind: metric 1031 | metadata: 1032 | name: tcpbytereceived 1033 | namespace: istio-system 1034 | labels: 1035 | istio-protocol: tcp # needed so that mixer will only generate 
when context.protocol == tcp 1036 | spec: 1037 | value: connection.received.bytes | 0 1038 | dimensions: 1039 | source_service: source.service | "unknown" 1040 | source_version: source.labels["version"] | "unknown" 1041 | destination_service: destination.service | "unknown" 1042 | destination_version: destination.labels["version"] | "unknown" 1043 | monitored_resource_type: '"UNSPECIFIED"' 1044 | --- 1045 | apiVersion: "config.istio.io/v1alpha2" 1046 | kind: prometheus 1047 | metadata: 1048 | name: handler 1049 | namespace: istio-system 1050 | spec: 1051 | metrics: 1052 | - name: request_count 1053 | instance_name: requestcount.metric.istio-system 1054 | kind: COUNTER 1055 | label_names: 1056 | - source_service 1057 | - source_version 1058 | - destination_service 1059 | - destination_version 1060 | - response_code 1061 | - name: request_duration 1062 | instance_name: requestduration.metric.istio-system 1063 | kind: DISTRIBUTION 1064 | label_names: 1065 | - source_service 1066 | - source_version 1067 | - destination_service 1068 | - destination_version 1069 | - response_code 1070 | buckets: 1071 | explicit_buckets: 1072 | bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] 1073 | - name: request_size 1074 | instance_name: requestsize.metric.istio-system 1075 | kind: DISTRIBUTION 1076 | label_names: 1077 | - source_service 1078 | - source_version 1079 | - destination_service 1080 | - destination_version 1081 | - response_code 1082 | buckets: 1083 | exponentialBuckets: 1084 | numFiniteBuckets: 8 1085 | scale: 1 1086 | growthFactor: 10 1087 | - name: response_size 1088 | instance_name: responsesize.metric.istio-system 1089 | kind: DISTRIBUTION 1090 | label_names: 1091 | - source_service 1092 | - source_version 1093 | - destination_service 1094 | - destination_version 1095 | - response_code 1096 | buckets: 1097 | exponentialBuckets: 1098 | numFiniteBuckets: 8 1099 | scale: 1 1100 | growthFactor: 10 1101 | - name: tcp_bytes_sent 1102 | instance_name: 
tcpbytesent.metric.istio-system 1103 | kind: COUNTER 1104 | label_names: 1105 | - source_service 1106 | - source_version 1107 | - destination_service 1108 | - destination_version 1109 | - name: tcp_bytes_received 1110 | instance_name: tcpbytereceived.metric.istio-system 1111 | kind: COUNTER 1112 | label_names: 1113 | - source_service 1114 | - source_version 1115 | - destination_service 1116 | - destination_version 1117 | --- 1118 | apiVersion: "config.istio.io/v1alpha2" 1119 | kind: rule 1120 | metadata: 1121 | name: promhttp 1122 | namespace: istio-system 1123 | labels: 1124 | istio-protocol: http 1125 | spec: 1126 | actions: 1127 | - handler: handler.prometheus 1128 | instances: 1129 | - requestcount.metric 1130 | - requestduration.metric 1131 | - requestsize.metric 1132 | - responsesize.metric 1133 | --- 1134 | apiVersion: "config.istio.io/v1alpha2" 1135 | kind: rule 1136 | metadata: 1137 | name: promtcp 1138 | namespace: istio-system 1139 | labels: 1140 | istio-protocol: tcp # needed so that mixer will only execute when context.protocol == TCP 1141 | spec: 1142 | actions: 1143 | - handler: handler.prometheus 1144 | instances: 1145 | - tcpbytesent.metric 1146 | - tcpbytereceived.metric 1147 | --- 1148 | 1149 | apiVersion: "config.istio.io/v1alpha2" 1150 | kind: kubernetesenv 1151 | metadata: 1152 | name: handler 1153 | namespace: istio-system 1154 | spec: 1155 | # when running from mixer root, use the following config after adding a 1156 | # symbolic link to a kubernetes config file via: 1157 | # 1158 | # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig 1159 | # 1160 | # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" 1161 | 1162 | --- 1163 | apiVersion: "config.istio.io/v1alpha2" 1164 | kind: rule 1165 | metadata: 1166 | name: kubeattrgenrulerule 1167 | namespace: istio-system 1168 | spec: 1169 | actions: 1170 | - handler: handler.kubernetesenv 1171 | instances: 1172 | - attributes.kubernetes 1173 | --- 1174 | apiVersion: 
"config.istio.io/v1alpha2" 1175 | kind: kubernetes 1176 | metadata: 1177 | name: attributes 1178 | namespace: istio-system 1179 | spec: 1180 | # Pass the required attribute data to the adapter 1181 | source_uid: source.uid | "" 1182 | source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr 1183 | destination_uid: destination.uid | "" 1184 | destination_ip: destination.ip | ip("0.0.0.0") # default to unspecified ip addr 1185 | origin_uid: '""' 1186 | origin_ip: ip("0.0.0.0") # default to unspecified ip addr 1187 | attribute_bindings: 1188 | # Fill the new attributes from the adapter produced output. 1189 | # $out refers to an instance of OutputTemplate message 1190 | source.ip: $out.source_pod_ip 1191 | source.labels: $out.source_labels 1192 | source.namespace: $out.source_namespace 1193 | source.service: $out.source_service 1194 | source.serviceAccount: $out.source_service_account_name 1195 | destination.ip: $out.destination_pod_ip 1196 | destination.labels: $out.destination_labels 1197 | destination.namespace: $out.destination_namespace 1198 | destination.service: $out.destination_service 1199 | destination.serviceAccount: $out.destination_service_account_name 1200 | --- 1201 | ################################ 1202 | # Istio configMap cluster-wide 1203 | ################################ 1204 | apiVersion: v1 1205 | kind: ConfigMap 1206 | metadata: 1207 | name: istio 1208 | namespace: istio-system 1209 | data: 1210 | mesh: |- 1211 | # Uncomment the following line to enable mutual TLS between proxies 1212 | # authPolicy: MUTUAL_TLS 1213 | # 1214 | # Edit this list to avoid using mTLS to connect to these services. 1215 | # Typically, these are control services (e.g kubernetes API server) that don't have Istio sidecar 1216 | # to transparently terminate mTLS authentication. 1217 | mtlsExcludedServices: ["kubernetes.default.svc.cluster.local"] 1218 | 1219 | # Set the following variable to true to disable policy checks by the Mixer. 
    # Note that metrics will still be reported to the Mixer.
    disablePolicyChecks: false
    # Set enableTracing to false to disable request tracing.
    enableTracing: true
    #
    # To disable the mixer completely (including metrics), comment out
    # the following line
    mixerAddress: istio-mixer.istio-system:15004
    # This is the ingress service name, update if you used a different name
    ingressService: istio-ingress
    #
    # Along with discoveryRefreshDelay, this setting determines how
    # frequently Envoy should fetch and update its internal configuration
    # from Istio Pilot. A lower refresh delay results in higher CPU
    # utilization and potential performance loss in exchange for faster
    # convergence. Tweak this value according to your setup.
    rdsRefreshDelay: 1s
    #
    defaultConfig:
      # NOTE: If you change any values in this section, make sure to make
      # the same changes in the start-up args of the istio-ingress pods.
      # See rdsRefreshDelay for an explanation of this setting.
      discoveryRefreshDelay: 1s
      #
      # TCP connection timeout between Envoy & the application, and between Envoys.
      connectTimeout: 10s
      #
      ### ADVANCED SETTINGS #############
      # Where Envoy's configuration should be stored in the istio-proxy container
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"
      # The pseudo service name used for Envoy.
      serviceCluster: istio-proxy
      # These settings determine how long an old Envoy
      # process should be kept alive after an occasional reload.
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      #
      # Port where Envoy listens (on local host) for admin commands.
      # You can exec into the istio-proxy container in a pod and
      # curl the admin port (curl http://localhost:15000/) to obtain
      # diagnostic information from Envoy. See
      # https://lyft.github.io/envoy/docs/operations/admin.html
      # for more details
      proxyAdminPort: 15000
      #
      # Address where the Istio Pilot service is running
      discoveryAddress: istio-pilot.istio-system:15003
      #
      # Zipkin trace collector
      zipkinAddress: zipkin.istio-system:9411
      #
      # Statsd metrics collector. Istio mixer exposes a UDP endpoint
      # to collect and convert statsd metrics into Prometheus metrics.
      statsdUdpAddress: istio-mixer.istio-system:9125
      # Uncomment the following line to enable mutual TLS authentication between
      # sidecars and the istio control plane.
      # controlPlaneAuthPolicy: MUTUAL_TLS
---
################################
# Pilot
################################
# Pilot CRDs
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: destinationpolicies.config.istio.io
spec:
  group: config.istio.io
  names:
    kind: DestinationPolicy
    listKind: DestinationPolicyList
    plural: destinationpolicies
    singular: destinationpolicy
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: egressrules.config.istio.io
spec:
  group: config.istio.io
  names:
    kind: EgressRule
    listKind: EgressRuleList
    plural: egressrules
    singular: egressrule
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: routerules.config.istio.io
spec:
  group: config.istio.io
  names:
    kind: RouteRule
    listKind: RouteRuleList
    plural: routerules
    singular: routerule
  scope: Namespaced
  version: v1alpha2
---
# Pilot service for discovery
apiVersion: v1
kind: Service
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    istio: pilot
spec:
  ports:
  - port: 15003
    name: http-discovery
  - port: 8080
    name: http-legacy-discovery
  - port: 9093
    name: http-monitoring
  - port: 443
    name: admission-webhook
  selector:
    istio: pilot
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-pilot-service-account
  namespace: istio-system
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-pilot
  namespace: istio-system
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  replicas: 1
  template:
    metadata:
      labels:
        istio: pilot
    spec:
      serviceAccountName: istio-pilot-service-account
      containers:
      - name: discovery
        image: docker.io/istio/pilot:0.5.0
        imagePullPolicy: IfNotPresent
        args: ["discovery", "-v", "2", "--admission-service", "istio-pilot"]
        ports:
        - containerPort: 8080
        - containerPort: 443
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        volumeMounts:
        - name: config-volume
          mountPath: /etc/istio/config
      - name: istio-proxy
        image: docker.io/istio/proxy:0.5.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 15003
        args:
        - proxy
        - pilot
        - -v
        - "2"
        - --discoveryAddress
        - istio-pilot:15003
        - --controlPlaneAuthPolicy
        - NONE #--controlPlaneAuthPolicy
        - --customConfigFile
        - /etc/istio/proxy/envoy_pilot.json
        volumeMounts:
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
      volumes:
      - name: config-volume
        configMap:
          name: istio
      - name: istio-certs
        secret:
          secretName: istio.istio-pilot-service-account
          optional: true
---
################################
# Istio ingress
################################
apiVersion: v1
kind: Service
metadata:
  name: istio-ingress
  namespace: istio-system
  labels:
    istio: ingress
spec:
  type: LoadBalancer
  ports:
  - port: 80
    # nodePort: 32000
    name: http
  - port: 443
    name: https
  selector:
    istio: ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-ingress-service-account
  namespace: istio-system
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  replicas: 1
  template:
    metadata:
      labels:
        istio: ingress
    spec:
      serviceAccountName: istio-ingress-service-account
      containers:
      - name: istio-ingress
        image: docker.io/istio/proxy:0.5.0
        args:
        - proxy
        - ingress
        - -v
        - "2"
        - --discoveryAddress
        - istio-pilot:15003
        - --discoveryRefreshDelay
        - '1s' #discoveryRefreshDelay
        - --drainDuration
        - '45s' #drainDuration
        - --parentShutdownDuration
        - '1m0s' #parentShutdownDuration
        - --connectTimeout
        - '10s' #connectTimeout
        - --serviceCluster
        - istio-ingress
        - --zipkinAddress
        - zipkin:9411
        - --statsdUdpAddress
        - istio-mixer:9125
        - --proxyAdminPort
        - "15000"
        - --controlPlaneAuthPolicy
        - NONE #--controlPlaneAuthPolicy
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        - containerPort: 443
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        volumeMounts:
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
        - name: ingress-certs
          mountPath: /etc/istio/ingress-certs
          readOnly: true
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.default
          optional: true
      - name: ingress-certs
        secret:
          secretName: istio-ingress-certs
          optional: true
---
################################
# Istio-CA cluster-wide
################################
# Service account CA
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-ca-service-account
  namespace: istio-system
---
# Istio CA watching all namespaces
# (the original manifest carried a duplicate "apiVersion: v1" key here; only
# extensions/v1beta1 is valid for this Deployment, so the duplicate is dropped)
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: istio-ca
  namespace: istio-system
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  replicas: 1
  template:
    metadata:
      labels:
        istio: istio-ca
    spec:
      serviceAccountName: istio-ca-service-account
      containers:
      - name: istio-ca
        image: docker.io/istio/istio-ca:0.5.0
        imagePullPolicy: IfNotPresent
        command: ["/usr/local/bin/istio_ca"]
        args:
        - --istio-ca-storage-namespace=istio-system
        - --grpc-port=8060
        - --grpc-hostname=istio-ca
        - --self-signed-ca=true
        - --logtostderr
        - --stderrthreshold
        - INFO
---
################################
# Prometheus
################################
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus
  namespace: istio-system
data:
  prometheus.yml: |-
    global:
      scrape_interval: 15s
    scrape_configs:

    - job_name: 'istio-mesh'
      # Override the global default and scrape targets from this job every 5 seconds.
      scrape_interval: 5s

      kubernetes_sd_configs:
      - role: endpoints

      relabel_configs:
      - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-system;istio-mixer;prometheus

    - job_name: 'envoy'
      # Override the global default and scrape targets from this job every 5 seconds.
      scrape_interval: 5s
      # metrics_path defaults to '/metrics'
      # scheme defaults to 'http'.

      kubernetes_sd_configs:
      - role: endpoints

      relabel_configs:
      - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-system;istio-mixer;statsd-prom

    - job_name: 'mixer'
      # Override the global default and scrape targets from this job every 5 seconds.
      scrape_interval: 5s
      # metrics_path defaults to '/metrics'
      # scheme defaults to 'http'.

      kubernetes_sd_configs:
      - role: endpoints

      relabel_configs:
      - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-system;istio-mixer;http-monitoring

    - job_name: 'pilot'
      # Override the global default and scrape targets from this job every 5 seconds.
      scrape_interval: 5s
      # metrics_path defaults to '/metrics'
      # scheme defaults to 'http'.

      kubernetes_sd_configs:
      - role: endpoints

      relabel_configs:
      - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-system;istio-pilot;http-monitoring

    # scrape config for API servers
    - job_name: 'kubernetes-apiservers'
      kubernetes_sd_configs:
      - role: endpoints
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      relabel_configs:
      - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: default;kubernetes;https

    # scrape config for nodes (kubelet)
    - job_name: 'kubernetes-nodes'
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - target_label: __address__
        replacement: kubernetes.default.svc:443
      - source_labels: [__meta_kubernetes_node_name]
        regex: (.+)
        target_label: __metrics_path__
        replacement: /api/v1/nodes/${1}/proxy/metrics

    # Scrape config for Kubelet cAdvisor.
    #
    # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
    # (those whose names begin with 'container_') have been removed from the
    # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
    # retrieve those metrics.
    #
    # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
    # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
    # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
    # the --cadvisor-port=0 Kubelet flag).
    #
    # This job is not necessary and should be removed in Kubernetes 1.6 and
    # earlier versions, or it will cause the metrics to be scraped twice.
    - job_name: 'kubernetes-cadvisor'
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - target_label: __address__
        replacement: kubernetes.default.svc:443
      - source_labels: [__meta_kubernetes_node_name]
        regex: (.+)
        target_label: __metrics_path__
        replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor

    # scrape config for service endpoints.
    - job_name: 'kubernetes-service-endpoints'
      kubernetes_sd_configs:
      - role: endpoints
      relabel_configs:
      - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
        action: keep
        regex: true
      - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
        action: replace
        target_label: __scheme__
        regex: (https?)
      - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
        action: replace
        target_label: __metrics_path__
        regex: (.+)
      - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
        action: replace
        target_label: __address__
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
      - action: labelmap
        regex: __meta_kubernetes_service_label_(.+)
      - source_labels: [__meta_kubernetes_namespace]
        action: replace
        target_label: kubernetes_namespace
      - source_labels: [__meta_kubernetes_service_name]
        action: replace
        target_label: kubernetes_name

    # Example scrape config for pods
    - job_name: 'kubernetes-pods'
      kubernetes_sd_configs:
      - role: pod

      relabel_configs:
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
        action: keep
        regex: true
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
        action: replace
        target_label: __metrics_path__
        regex: (.+)
      - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
        action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        target_label: __address__
      - action: labelmap
        regex: __meta_kubernetes_pod_label_(.+)
      - source_labels: [__meta_kubernetes_namespace]
        action: replace
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        action: replace
        target_label: pod_name

---
apiVersion: v1
kind: Service
metadata:
  annotations:
    prometheus.io/scrape: 'true'
  labels:
    name: prometheus
  name: prometheus
  namespace: istio-system
spec:
  selector:
    app: prometheus
  ports:
  - name: prometheus
    protocol: TCP
    port: 9090
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: prometheus
  namespace: istio-system
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus
  template:
    metadata:
      name: prometheus
      labels:
        app: prometheus
    spec:
      containers:
      - name: prometheus
        image: docker.io/prom/prometheus:v2.0.0
        imagePullPolicy: IfNotPresent
        args:
        - '--storage.tsdb.retention=6h'
        - '--config.file=/etc/prometheus/prometheus.yml'
        ports:
        - name: web
          containerPort: 9090
        volumeMounts:
        - name: config-volume
          mountPath: /etc/prometheus
      volumes:
      - name: config-volume
        configMap:
          name: prometheus
---
################################
# Grafana
################################
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: istio-system
spec:
  ports:
  - port: 3000
    protocol: TCP
    name: http
  selector:
    app: grafana
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: grafana
  namespace: istio-system
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: grafana
    spec:
      containers:
      - name: grafana
        image: docker.io/istio/grafana:0.5.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3000
        env:
        - name: GRAFANA_PORT
          value: "3000"
        # Basic auth is off and anonymous visitors are granted the Admin role:
        # a demo-only setting, in line with the README's "not production ready" note.
        - name: GF_AUTH_BASIC_ENABLED
          value: "false"
        - name: GF_AUTH_ANONYMOUS_ENABLED
          value: "true"
        - name: GF_AUTH_ANONYMOUS_ORG_ROLE
          value: Admin
        - name: GF_PATHS_DATA
          value: /data/grafana
        volumeMounts:
        - mountPath: /data/grafana
          name: grafana-data
      volumes:
      - name: grafana-data
        emptyDir: {}
---
#
# Copyright 2017 The Jaeger Authors
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#

apiVersion: v1
kind: List
items:
- apiVersion: extensions/v1beta1
  kind: Deployment
  metadata:
    name: jaeger-deployment
    namespace: istio-system
    labels:
      app: jaeger
      jaeger-infra: jaeger-deployment
  spec:
    replicas: 1
    strategy:
      type: Recreate
    template:
      metadata:
        labels:
          app: jaeger
          jaeger-infra: jaeger-pod
      spec:
        containers:
        - env:
          - name: COLLECTOR_ZIPKIN_HTTP_PORT
            value: "9411"
          image: jaegertracing/all-in-one
          name: jaeger
          ports:
          - containerPort: 5775
            protocol: UDP
          - containerPort: 6831
            protocol: UDP
          - containerPort: 6832
            protocol: UDP
          - containerPort: 16686
            protocol: TCP
          - containerPort: 9411
            protocol: TCP
          readinessProbe:
            httpGet:
              path: "/"
              port: 16686
            initialDelaySeconds: 5
- apiVersion: v1
  kind: Service
  metadata:
    name: jaeger-query
    namespace: istio-system
    labels:
      app: jaeger
      jaeger-infra: jaeger-service
  spec:
    ports:
    - name: query-http
      port: 80
      protocol: TCP
      targetPort: 16686
    selector:
      jaeger-infra: jaeger-pod
    type: LoadBalancer
- apiVersion: v1
  kind: Service
  metadata:
    name: jaeger-collector
    namespace: istio-system
    labels:
      app: jaeger
      jaeger-infra: collector-service
  spec:
    ports:
    - name: jaeger-collector-tchannel
      port: 14267
      protocol: TCP
      targetPort: 14267
    - name: jaeger-collector-http
      port: 14268
      protocol: TCP
      targetPort: 14268
    - name: jaeger-collector-zipkin
      port: 9411
      protocol: TCP
      targetPort: 9411
    selector:
      jaeger-infra: jaeger-pod
    type: ClusterIP
- apiVersion: v1
  kind: Service
  metadata:
    name: jaeger-agent
    namespace: istio-system
    labels:
      app: jaeger
      jaeger-infra: agent-service
  spec:
    ports:
    - name: agent-zipkin-thrift
      port: 5775
      protocol: UDP
      targetPort: 5775
    - name: agent-compact
      port: 6831
      protocol: UDP
      targetPort: 6831
    - name: agent-binary
      port: 6832
      protocol: UDP
      targetPort: 6832
    clusterIP: None
    selector:
      jaeger-infra: jaeger-pod
- apiVersion: v1
  kind: Service
  metadata:
    name: zipkin
    namespace: istio-system
    labels:
      app: jaeger
      jaeger-infra: zipkin-service
  spec:
    ports:
    - name: jaeger-collector-zipkin
      port: 9411
      protocol: TCP
      targetPort: 9411
    clusterIP: None
    selector:
      jaeger-infra: jaeger-pod
---
apiVersion: v1
kind: Secret
metadata:
  name: sidecar-injector-certs
  namespace: istio-system
type: Opaque
data:
  # base64-encoded PEM blobs omitted from this page
  cert.pem: <base64-encoded certificate omitted>
  key.pem: <base64-encoded private key omitted>
---
kind: ConfigMap
metadata:
  name: istio-inject
  namespace: istio-system
apiVersion: v1
data:
  config: |
    policy: enabled
    template: |-
      initContainers:
      - name: istio-init
        image: docker.io/istio/proxy_init:0.5.0
        args:
        - "-p"
        - {{ .MeshConfig.ProxyListenPort }}
        - "-u"
        - 1337
        imagePullPolicy: IfNotPresent
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
        restartPolicy: Always
      containers:
      - name: istio-proxy
        image: docker.io/istio/proxy:0.5.0
        args:
        - proxy
        - sidecar
        - --configPath
        - {{ .ProxyConfig.ConfigPath }}
        - --binaryPath
        - {{ .ProxyConfig.BinaryPath }}
        - --serviceCluster
        {{ if ne "" (index .ObjectMeta.Labels "app") -}}
        - {{ index .ObjectMeta.Labels "app" }}
        {{ else -}}
        - "istio-proxy"
        {{ end -}}
        - --drainDuration
        - 2s
        - --parentShutdownDuration
        - 3s
        - --discoveryAddress
        - {{ .ProxyConfig.DiscoveryAddress }}
        - --discoveryRefreshDelay
        - 1s
        - --zipkinAddress
        - {{ .ProxyConfig.ZipkinAddress }}
        - --connectTimeout
        - 1s
        - --statsdUdpAddress
        - {{ .ProxyConfig.StatsdUdpAddress }}
        - --proxyAdminPort
        - {{ .ProxyConfig.ProxyAdminPort }}
        - --controlPlaneAuthPolicy
        - {{ .ProxyConfig.ControlPlaneAuthPolicy }}
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        imagePullPolicy: IfNotPresent
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          runAsUser: 1337
        restartPolicy: Always
        volumeMounts:
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
      volumes:
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - name: istio-certs
        secret:
          optional: true
          {{ if eq .Spec.ServiceAccountName "" -}}
          secretName: istio.default
          {{ else -}}
          secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
          {{ end -}}
---
apiVersion: v1
kind: Service
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    istio: sidecar-injector
spec:
  ports:
  - name: https-webhook # optional
    port: 443
  selector:
    istio: sidecar-injector
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-sidecar-injector-service-account
  namespace: istio-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    istio: sidecar-injector
spec:
  replicas: 1
  selector:
    matchLabels:
      istio: sidecar-injector
  template:
    metadata:
      name: istio-sidecar-injector
      labels:
        istio: sidecar-injector
    spec:
      serviceAccountName: istio-sidecar-injector-service-account
      containers:
      - name: webhook
        image: docker.io/istio/sidecar_injector:0.5.0
        imagePullPolicy: IfNotPresent
        args:
        - --tlsCertFile=/etc/istio/certs/cert.pem
        - --tlsKeyFile=/etc/istio/certs/key.pem
        - --injectConfig=/etc/istio/inject/config
        - --meshConfig=/etc/istio/config/mesh
        volumeMounts:
        - name: config-volume
          mountPath: /etc/istio/config
          readOnly: true
        - name: certs
          mountPath: /etc/istio/certs
          readOnly: true
        - name: inject-config
          mountPath: /etc/istio/inject
          readOnly: true
      volumes:
      - name: config-volume
        configMap:
          name: istio
      - name: certs
        secret:
          secretName: sidecar-injector-certs
      - name: inject-config
        configMap:
          name: istio-inject
          items:
          - key: config
            path: config
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector
webhooks:
- name: sidecar-injector.istio.io
  clientConfig:
    service:
      name: istio-sidecar-injector
      namespace: istio-system
      path: "/inject"
    # base64-encoded CA bundle omitted from this page
    caBundle: <base64-encoded CA certificate omitted>
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
  namespaceSelector:
    matchLabels:
      istio-injection: enabled
--------------------------------------------------------------------------------