├── LICENSE ├── README.md ├── authorization-policy.yaml ├── blogpost.md ├── cluster-issuer.yaml ├── dex-istio-gw.yaml ├── dex-tls-cert.yaml ├── dex-values.yaml ├── httpbin-deploy.yaml ├── httpbin-istio-gw.yaml ├── httpbin-tls-cert.yaml ├── istio-1.12.1 ├── LICENSE ├── README.md ├── bin │ └── istioctl ├── manifest.yaml ├── manifests │ ├── charts │ │ ├── README-helm3.md │ │ ├── README.md │ │ ├── UPDATING-CHARTS.md │ │ ├── base │ │ │ ├── Chart.yaml │ │ │ ├── README.md │ │ │ ├── crds │ │ │ │ ├── crd-all.gen.yaml │ │ │ │ └── crd-operator.yaml │ │ │ ├── files │ │ │ │ └── gen-istio-cluster.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── templates │ │ │ │ ├── NOTES.txt │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── crds.yaml │ │ │ │ ├── default.yaml │ │ │ │ ├── endpoints.yaml │ │ │ │ ├── reader-serviceaccount.yaml │ │ │ │ ├── role.yaml │ │ │ │ ├── rolebinding.yaml │ │ │ │ ├── serviceaccount.yaml │ │ │ │ └── services.yaml │ │ │ └── values.yaml │ │ ├── default │ │ │ ├── Chart.yaml │ │ │ ├── templates │ │ │ │ ├── mutatingwebhook.yaml │ │ │ │ └── validatingwebhook.yaml │ │ │ └── values.yaml │ │ ├── gateway │ │ │ ├── Chart.yaml │ │ │ ├── README.md │ │ │ ├── templates │ │ │ │ ├── NOTES.txt │ │ │ │ ├── _helpers.tpl │ │ │ │ ├── deployment.yaml │ │ │ │ ├── hpa.yaml │ │ │ │ ├── role.yaml │ │ │ │ ├── service.yaml │ │ │ │ └── serviceaccount.yaml │ │ │ ├── values.schema.json │ │ │ └── values.yaml │ │ ├── gateways │ │ │ ├── istio-egress │ │ │ │ ├── Chart.yaml │ │ │ │ ├── NOTES.txt │ │ │ │ ├── templates │ │ │ │ │ ├── _affinity.tpl │ │ │ │ │ ├── autoscale.yaml │ │ │ │ │ ├── deployment.yaml │ │ │ │ │ ├── injected-deployment.yaml │ │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ │ ├── role.yaml │ │ │ │ │ ├── rolebindings.yaml │ │ │ │ │ ├── service.yaml │ │ │ │ │ └── serviceaccount.yaml │ │ │ │ └── values.yaml │ │ │ └── istio-ingress │ │ │ │ ├── Chart.yaml │ │ │ │ ├── NOTES.txt │ │ │ │ ├── templates │ │ │ │ ├── _affinity.tpl │ │ │ │ ├── autoscale.yaml │ │ │ │ ├── 
deployment.yaml │ │ │ │ ├── injected-deployment.yaml │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ ├── role.yaml │ │ │ │ ├── rolebindings.yaml │ │ │ │ ├── service.yaml │ │ │ │ └── serviceaccount.yaml │ │ │ │ └── values.yaml │ │ ├── install-OpenShift.md │ │ ├── istio-cni │ │ │ ├── Chart.yaml │ │ │ ├── README.md │ │ │ ├── templates │ │ │ │ ├── NOTES.txt │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── configmap-cni.yaml │ │ │ │ ├── daemonset.yaml │ │ │ │ ├── resourcequota.yaml │ │ │ │ └── serviceaccount.yaml │ │ │ └── values.yaml │ │ ├── istio-control │ │ │ └── istio-discovery │ │ │ │ ├── Chart.yaml │ │ │ │ ├── README.md │ │ │ │ ├── files │ │ │ │ ├── gateway-injection-template.yaml │ │ │ │ ├── gen-istio.yaml │ │ │ │ ├── grpc-agent.yaml │ │ │ │ ├── grpc-simple.yaml │ │ │ │ └── injection-template.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── templates │ │ │ │ ├── NOTES.txt │ │ │ │ ├── autoscale.yaml │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── configmap-jwks.yaml │ │ │ │ ├── configmap.yaml │ │ │ │ ├── deployment.yaml │ │ │ │ ├── istiod-injector-configmap.yaml │ │ │ │ ├── mutatingwebhook.yaml │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ ├── reader-clusterrole.yaml │ │ │ │ ├── reader-clusterrolebinding.yaml │ │ │ │ ├── revision-tags.yaml │ │ │ │ ├── role.yaml │ │ │ │ ├── rolebinding.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── serviceaccount.yaml │ │ │ │ ├── telemetryv2_1.10.yaml │ │ │ │ ├── telemetryv2_1.11.yaml │ │ │ │ ├── telemetryv2_1.12.yaml │ │ │ │ └── validatingwebhookconfiguration.yaml │ │ │ │ └── values.yaml │ │ ├── istio-operator │ │ │ ├── Chart.yaml │ │ │ ├── crds │ │ │ │ └── crd-operator.yaml │ │ │ ├── files │ │ │ │ └── gen-operator.yaml │ │ │ ├── templates │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrole_binding.yaml │ │ │ │ ├── crds.yaml │ │ │ │ ├── deployment.yaml │ │ │ │ ├── service.yaml │ │ │ │ └── service_account.yaml │ │ │ └── values.yaml │ │ └── istiod-remote │ │ │ ├── Chart.yaml │ │ │ ├── 
NOTES.txt │ │ │ ├── files │ │ │ ├── gateway-injection-template.yaml │ │ │ └── injection-template.yaml │ │ │ ├── templates │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── configmap.yaml │ │ │ ├── crd-all.gen.yaml │ │ │ ├── crd-operator.yaml │ │ │ ├── istiod-injector-configmap.yaml │ │ │ ├── mutatingwebhook.yaml │ │ │ ├── reader-clusterrole.yaml │ │ │ ├── reader-clusterrolebinding.yaml │ │ │ ├── reader-serviceaccount.yaml │ │ │ ├── role.yaml │ │ │ ├── rolebinding.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── telemetryv2_1.10.yaml │ │ │ ├── telemetryv2_1.11.yaml │ │ │ ├── telemetryv2_1.12.yaml │ │ │ └── validatingwebhookconfiguration.yaml │ │ │ └── values.yaml │ ├── examples │ │ ├── customresource │ │ │ └── istio_v1alpha1_istiooperator_cr.yaml │ │ └── user-gateway │ │ │ └── ingress-gateway-only.yaml │ └── profiles │ │ ├── default.yaml │ │ ├── demo.yaml │ │ ├── empty.yaml │ │ ├── external.yaml │ │ ├── minimal.yaml │ │ ├── openshift.yaml │ │ ├── preview.yaml │ │ └── remote.yaml ├── samples │ ├── README.md │ ├── addons │ │ ├── README.md │ │ ├── extras │ │ │ ├── prometheus-operator.yaml │ │ │ ├── prometheus_vm.yaml │ │ │ ├── prometheus_vm_tls.yaml │ │ │ └── zipkin.yaml │ │ ├── grafana.yaml │ │ ├── jaeger.yaml │ │ ├── kiali.yaml │ │ └── prometheus.yaml │ ├── bookinfo │ │ ├── README.md │ │ ├── build_push_update_images.sh │ │ ├── networking │ │ │ ├── bookinfo-gateway.yaml │ │ │ ├── certmanager-gateway.yaml │ │ │ ├── destination-rule-all-mtls.yaml │ │ │ ├── destination-rule-all.yaml │ │ │ ├── destination-rule-reviews.yaml │ │ │ ├── egress-rule-google-apis.yaml │ │ │ ├── fault-injection-details-v1.yaml │ │ │ ├── virtual-service-all-v1.yaml │ │ │ ├── virtual-service-details-v2.yaml │ │ │ ├── virtual-service-ratings-db.yaml │ │ │ ├── virtual-service-ratings-mysql-vm.yaml │ │ │ ├── virtual-service-ratings-mysql.yaml │ │ │ ├── virtual-service-ratings-test-abort.yaml │ │ │ ├── virtual-service-ratings-test-delay.yaml │ │ │ ├── virtual-service-reviews-50-v3.yaml 
│ │ │ ├── virtual-service-reviews-80-20.yaml │ │ │ ├── virtual-service-reviews-90-10.yaml │ │ │ ├── virtual-service-reviews-jason-v2-v3.yaml │ │ │ ├── virtual-service-reviews-test-v2.yaml │ │ │ ├── virtual-service-reviews-v2-v3.yaml │ │ │ └── virtual-service-reviews-v3.yaml │ │ ├── platform │ │ │ └── kube │ │ │ │ ├── README.md │ │ │ │ ├── bookinfo-certificate.yaml │ │ │ │ ├── bookinfo-db.yaml │ │ │ │ ├── bookinfo-details-v2.yaml │ │ │ │ ├── bookinfo-details.yaml │ │ │ │ ├── bookinfo-ingress.yaml │ │ │ │ ├── bookinfo-mysql.yaml │ │ │ │ ├── bookinfo-ratings-discovery.yaml │ │ │ │ ├── bookinfo-ratings-v2-mysql-vm.yaml │ │ │ │ ├── bookinfo-ratings-v2-mysql.yaml │ │ │ │ ├── bookinfo-ratings-v2.yaml │ │ │ │ ├── bookinfo-ratings.yaml │ │ │ │ ├── bookinfo-reviews-v2.yaml │ │ │ │ ├── bookinfo.yaml │ │ │ │ ├── cleanup.sh │ │ │ │ └── productpage-nodeport.yaml │ │ ├── policy │ │ │ └── productpage_envoy_ratelimit.yaml │ │ ├── src │ │ │ ├── build-services.sh │ │ │ ├── mongodb │ │ │ │ ├── ratings_data.json │ │ │ │ └── script.sh │ │ │ ├── productpage │ │ │ │ ├── requirements.txt │ │ │ │ └── test-requirements.txt │ │ │ └── ratings │ │ │ │ └── package.json │ │ └── swagger.yaml │ ├── certs │ │ ├── README.md │ │ ├── ca-cert-alt.pem │ │ ├── ca-cert.pem │ │ ├── ca-key-alt.pem │ │ ├── ca-key.pem │ │ ├── cert-chain-alt.pem │ │ ├── cert-chain.pem │ │ ├── generate-workload.sh │ │ ├── root-cert-alt.pem │ │ ├── root-cert.pem │ │ ├── workload-bar-cert.pem │ │ ├── workload-bar-key.pem │ │ ├── workload-foo-cert.pem │ │ └── workload-foo-key.pem │ ├── custom-bootstrap │ │ ├── README.md │ │ ├── custom-bootstrap.yaml │ │ └── example-app.yaml │ ├── extauthz │ │ ├── README.md │ │ ├── ext-authz.yaml │ │ ├── local-ext-authz.yaml │ │ └── src │ │ │ └── Makefile │ ├── external │ │ ├── README.md │ │ ├── aptget.yaml │ │ ├── github.yaml │ │ └── pypi.yaml │ ├── grpc-echo │ │ ├── README.md │ │ └── grpc-echo.yaml │ ├── health-check │ │ ├── liveness-command.yaml │ │ └── liveness-http-same-port.yaml │ ├── 
helloworld │ │ ├── README.md │ │ ├── gen-helloworld.sh │ │ ├── helloworld-gateway.yaml │ │ ├── helloworld.yaml │ │ ├── loadgen.sh │ │ └── src │ │ │ ├── build_service.sh │ │ │ └── requirements.txt │ ├── httpbin │ │ ├── README.md │ │ ├── httpbin-gateway.yaml │ │ ├── httpbin-nodeport.yaml │ │ ├── httpbin-vault.yaml │ │ ├── httpbin.yaml │ │ └── sample-client │ │ │ └── fortio-deploy.yaml │ ├── jwt-server │ │ ├── jwt-server.yaml │ │ └── src │ │ │ └── Makefile │ ├── kubernetes-blog │ │ ├── bookinfo-ratings.yaml │ │ ├── bookinfo-reviews-v2.yaml │ │ └── bookinfo-v1.yaml │ ├── multicluster │ │ ├── README.md │ │ ├── expose-istiod-https.yaml │ │ ├── expose-istiod.yaml │ │ ├── expose-services.yaml │ │ └── gen-eastwest-gateway.sh │ ├── operator │ │ ├── cni-on.yaml │ │ ├── default-install.yaml │ │ ├── pilot-advanced-override.yaml │ │ ├── pilot-k8s.yaml │ │ ├── values-global.yaml │ │ └── values-pilot.yaml │ ├── ratelimit │ │ └── rate-limit-service.yaml │ ├── security │ │ └── psp │ │ │ └── sidecar-psp.yaml │ ├── sleep │ │ ├── README.md │ │ ├── sleep-vault.yaml │ │ └── sleep.yaml │ ├── tcp-echo │ │ ├── README.md │ │ ├── tcp-echo-20-v2.yaml │ │ ├── tcp-echo-all-v1.yaml │ │ ├── tcp-echo-services.yaml │ │ └── tcp-echo.yaml │ └── websockets │ │ ├── README.md │ │ ├── app.yaml │ │ └── route.yaml └── tools │ ├── _istioctl │ ├── certs │ ├── Makefile.k8s.mk │ ├── Makefile.selfsigned.mk │ ├── README.md │ └── common.mk │ └── istioctl.bash ├── istio-controlplane.yaml ├── namespaces.yaml └── oauth2-proxy-values.yaml /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Emil 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the 
Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /authorization-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: oauth-policy 5 | namespace: istio-system 6 | spec: 7 | selector: 8 | matchLabels: 9 | istio: ingressgateway # enforced only on the ingress gateway pods; in-cluster callers that reach httpbin.demo.svc:8000 directly are not covered by this policy 10 | action: CUSTOM 11 | provider: 12 | name: "oauth2-proxy" # must match the name of an extensionProviders entry in the mesh config (presumably set in istio-controlplane.yaml, not shown here) 13 | rules: 14 | # The rules specify when to trigger the external authorizer: only requests whose Host is httpbin.example.com are sent to oauth2-proxy. Any other host this gateway serves bypasses the check (dex.example.com has to stay unauthenticated for the login flow), so every additional host you want protected must be listed here. 15 | - to: 16 | - operation: 17 | hosts: 18 | - "httpbin.example.com" -------------------------------------------------------------------------------- /cluster-issuer.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: ClusterIssuer 3 | metadata: 4 | name: letsencrypt 5 | spec: 6 | acme: 7 | email: "example@example.com" # replace with a monitored mailbox: it is used for ACME account registration and expiry notices 8 | privateKeySecretRef: 9 | name: letsencrypt # ACME account private key, stored as a Secret in cert-manager's namespace; restrict read access to it 10 | server: https://acme-v02.api.letsencrypt.org/directory 11 | solvers: 12 | # An empty selector will 'match' all Certificate resources that 13 | # reference this Issuer. 
14 | - selector: {} 15 | http01: 16 | ingress: 17 | class: istio # HTTP-01 challenges arrive over plain HTTP on port 80 through the Istio ingress gateway, so the port-80 servers in the Gateway resources below must keep serving them 18 | -------------------------------------------------------------------------------- /dex-istio-gw.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: dex-gateway 5 | namespace: demo 6 | spec: 7 | selector: 8 | istio: ingressgateway # use Istio default gateway implementation 9 | servers: 10 | - port: 11 | number: 80 12 | name: http 13 | protocol: HTTP 14 | # tls: 15 | # httpsRedirect: true  # NOTE(review): left off, presumably because a blanket redirect would also bounce the ACME HTTP-01 challenge for this host before a certificate exists — confirm. While it is off, the Dex login form (and the password posted to it) is reachable over plain HTTP; enable the redirect once the certificate has been issued. 16 | hosts: 17 | - "dex.example.com" 18 | - port: 19 | number: 443 20 | name: https 21 | protocol: HTTPS 22 | hosts: 23 | - "dex.example.com" 24 | tls: 25 | mode: SIMPLE 26 | credentialName: dex-tls-cert # the gateway loads this Secret from its own namespace (istio-system), which is why the Certificate in dex-tls-cert.yaml is created there rather than in demo 27 | --- 28 | apiVersion: networking.istio.io/v1alpha3 29 | kind: VirtualService 30 | metadata: 31 | namespace: demo 32 | name: dex-vsvc 33 | spec: 34 | hosts: 35 | - "dex.example.com" 36 | gateways: 37 | - dex-gateway 38 | http: 39 | - match: 40 | - uri: 41 | prefix: / 42 | route: 43 | - destination: 44 | port: 45 | number: 5556 # Dex's plain-HTTP port (https.enabled is false in dex-values.yaml); the gateway→Dex hop is only protected if the demo namespace has sidecar injection and mesh mTLS 46 | host: dex.demo.svc.cluster.local -------------------------------------------------------------------------------- /dex-tls-cert.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Certificate 3 | metadata: 4 | name: dex-tls-cert 5 | namespace: istio-system # must be the namespace of the ingress gateway that references credentialName: dex-tls-cert 6 | spec: 7 | # Secret names are always required. 8 | secretName: dex-tls-cert 9 | privateKey: 10 | algorithm: RSA 11 | encoding: PKCS1 12 | size: 4096 13 | # At least one of a DNS Name, URI, or IP address is required. 14 | dnsNames: 15 | - dex.example.com 16 | # Issuer references are always required. 17 | issuerRef: 18 | name: letsencrypt 19 | # We can reference ClusterIssuers by changing the kind here. 20 | # The default value is Issuer (i.e. 
a locally namespaced Issuer) 21 | kind: ClusterIssuer 22 | -------------------------------------------------------------------------------- /dex-values.yaml: -------------------------------------------------------------------------------- 1 | https: 2 | # -- Enable the HTTPS endpoint. Off here: TLS terminates at the Istio ingress gateway and Dex is reached on plain HTTP port 5556 inside the cluster, so confidentiality of that hop depends on mesh mTLS (if the demo namespace is injected) rather than on Dex's own TLS. 3 | enabled: false 4 | 5 | # -- Application configuration. 6 | # See the [official documentation](https://dexidp.io/docs/). 7 | config: 8 | storage: 9 | type: memory # in-memory storage: sessions, auth codes and refresh tokens are lost on every restart; fine for a demo, not for anything shared 10 | issuer: https://dex.example.com # NOTE(review): was "https:/dex.example.com" (single slash). Dex publishes this value in its discovery document and "iss" claim, so it must match the issuer URL oauth2-proxy is configured to validate — verify against oauth2-proxy-values.yaml 11 | staticClients: 12 | - id: oauth2-proxy 13 | name: oauth2-proxy 14 | redirectURIs: 15 | - 'https://httpbin.example.com/oauth2/callback' 16 | - 'http://httpbin.example.com/oauth2/callback' # plain-HTTP callback: the authorization code is delivered to this URI in the clear; remove it once the httpbin Gateway redirects HTTP to HTTPS 17 | secret: proxy # demo-grade client secret committed in plaintext; generate a random value and supply it out of band for any deployment that outlives the demo 18 | enablePasswordDB: true 19 | staticPasswords: 20 | - email: "admin@example.com" 21 | # bcrypt hash of the string "password" — a published, well-known credential for this account: anyone who has read this repo can log in, so replace the hash (or switch to a real connector and disable the password DB) before dex.example.com is reachable from the internet 22 | hash: $2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W 23 | username: "admin" 24 | userID: "08a8684b-db88-4b73-90a9-3cd1661f5466" 25 | 26 | service: 27 | # -- Annotations to be added to the service. 28 | annotations: {} 29 | 30 | # -- Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). 31 | type: ClusterIP 32 | 33 | # -- Internal cluster service IP (when applicable) 34 | clusterIP: "" 35 | 36 | ports: 37 | http: 38 | # -- HTTP service port 39 | port: 5556 40 | 41 | # -- (int) HTTP node port (when applicable) 42 | nodePort: 43 | 44 | https: 45 | # -- HTTPS service port 46 | port: 5554 47 | 48 | # -- (int) HTTPS node port (when applicable) 49 | nodePort: 50 | 51 | grpc: 52 | # -- gRPC service port 53 | port: 5557 54 | 55 | # -- (int) gRPC node port (when applicable) 56 | nodePort: 57 | 58 | ingress: 59 | # -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). 
60 | enabled: false -------------------------------------------------------------------------------- /httpbin-deploy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: httpbin 5 | namespace: demo 6 | spec: 7 | replicas: 1 8 | selector: 9 | matchLabels: 10 | app: httpbin 11 | version: v1 12 | template: 13 | metadata: 14 | creationTimestamp: null # leftover from kubectl --dry-run output; harmless, can be removed 15 | labels: 16 | app: httpbin 17 | version: v1 18 | spec: 19 | containers: # demo-grade pod spec: no securityContext (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities) and no resource requests/limits are set 20 | - image: docker.io/kennethreitz/httpbin # untagged, so it resolves to :latest and IfNotPresent keeps whatever each node pulled first; pin a tag or @sha256 digest for reproducible deploys 21 | imagePullPolicy: IfNotPresent 22 | name: httpbin 23 | ports: 24 | - containerPort: 80 25 | protocol: TCP 26 | --- 27 | apiVersion: v1 28 | kind: Service 29 | metadata: 30 | annotations: 31 | labels: 32 | app: httpbin 33 | service: httpbin 34 | name: httpbin 35 | namespace: demo 36 | spec: 37 | ports: 38 | - name: http 39 | port: 8000 40 | protocol: TCP 41 | targetPort: 80 42 | selector: 43 | app: httpbin 44 | sessionAffinity: None 45 | type: ClusterIP # reachable by any pod in the cluster without passing the gateway-level oauth2-proxy check; add a workload-level AuthorizationPolicy if in-cluster access must also be authenticated 46 | -------------------------------------------------------------------------------- /httpbin-istio-gw.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: httpbin-gateway 5 | namespace: demo 6 | spec: 7 | selector: 8 | istio: ingressgateway # use Istio default gateway implementation 9 | servers: 10 | - port: 11 | number: 80 12 | name: http 13 | protocol: HTTP 14 | # tls: 15 | # httpsRedirect: true  # NOTE(review): left off, presumably so the ACME HTTP-01 challenge on port 80 is not redirected before a certificate exists — confirm. While it is off, httpbin.example.com is served over plain HTTP and, unless oauth2-proxy marks its session cookie Secure (check oauth2-proxy-values.yaml), the cookie is sent in the clear; enable the redirect once the certificate has been issued. 16 | hosts: 17 | - "httpbin.example.com" 18 | - port: 19 | number: 443 20 | name: https 21 | protocol: HTTPS 22 | hosts: 23 | - "httpbin.example.com" 24 | tls: 25 | mode: SIMPLE 26 | credentialName: httpbin-tls-cert # the gateway loads this Secret from its own namespace (istio-system), which is why the Certificate in httpbin-tls-cert.yaml is created there rather than in demo 27 | --- 28 | apiVersion: networking.istio.io/v1alpha3 29 | kind: VirtualService 30 | metadata: 31 | namespace: demo 32 | name: httpbin-vsvc 33 | spec: 34 | hosts: 35 | - "httpbin.example.com" 36 | gateways: 37 | - 
httpbin-gateway 38 | http: 39 | - match: 40 | - uri: 41 | prefix: / 42 | route: 43 | - destination: 44 | port: 45 | number: 8000 46 | host: httpbin.demo.svc.cluster.local -------------------------------------------------------------------------------- /httpbin-tls-cert.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Certificate 3 | metadata: 4 | name: httpbin-tls-cert 5 | namespace: istio-system 6 | spec: 7 | # Secret names are always required. 8 | secretName: httpbin-tls-cert 9 | privateKey: 10 | algorithm: RSA 11 | encoding: PKCS1 12 | size: 4096 13 | # At least one of a DNS Name, URI, or IP address is required. 14 | dnsNames: 15 | - httpbin.example.com 16 | # Issuer references are always required. 17 | issuerRef: 18 | name: letsencrypt 19 | # We can reference ClusterIssuers by changing the kind here. 20 | # The default value is Issuer (i.e. a locally namespaced Issuer) 21 | kind: ClusterIssuer 22 | -------------------------------------------------------------------------------- /istio-1.12.1/bin/istioctl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vanneback/istio-external-auth-demo/1cb71a8469e6af739802900df5fee52cfbf07490/istio-1.12.1/bin/istioctl -------------------------------------------------------------------------------- /istio-1.12.1/manifest.yaml: -------------------------------------------------------------------------------- 1 | dashboards: 2 | istio-extension-dashboard: 13277 3 | istio-mesh-dashboard: 7639 4 | istio-performance-dashboard: 11829 5 | istio-service-dashboard: 7636 6 | istio-workload-dashboard: 7630 7 | pilot-dashboard: 7645 8 | dependencies: 9 | api: 10 | sha: 1a632586cbd49d7b151affa135e69bcd8da2db18 11 | client-go: 12 | goversionenabled: true 13 | sha: 6cbf560fe24ab852d213eaa5ef8adc0b182893ae 14 | envoy: 15 | sha: ea23f47b27464794980c05ab290a3b73d801405e 16 | gogo-genproto: 17 | sha: 
5eda25c962701b2c662124de51756bbba2b6afed 18 | istio: 19 | sha: 88902a51acfb0383809608ccff169319560f768c 20 | pkg: 21 | sha: 57f93bc2eff758f4daf523988aaf89b789af55b7 22 | proxy: 23 | sha: e6f45abcf874983fbff384459d70b28c072f68b5 24 | test-infra: 25 | sha: cd5b05895243226cce64411bac33bce72f2fd29d 26 | tools: 27 | sha: 8aa7dcd19fa4ea57628f5ad57b0303acc7228d93 28 | docker: docker.io/istio 29 | version: 1.12.1 30 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: base 3 | # This version is never actually shipped. istio/release-builder will replace it at build-time 4 | # with the appropriate version 5 | version: 1.12.1 6 | appVersion: 1.12.1 7 | tillerVersion: ">=2.7.2" 8 | description: Helm chart for deploying Istio cluster resources and CRDs 9 | keywords: 10 | - istio 11 | sources: 12 | - http://github.com/istio/istio 13 | engine: gotpl 14 | icon: https://istio.io/latest/favicons/android-192x192.png 15 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/README.md: -------------------------------------------------------------------------------- 1 | # Istio base Helm Chart 2 | 3 | This chart installs resources shared by all Istio revisions. This includes Istio CRDs. 
4 | 5 | ## Setup Repo Info 6 | 7 | ```console 8 | helm repo add istio https://istio-release.storage.googleapis.com/charts 9 | helm repo update 10 | ``` 11 | 12 | _See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ 13 | 14 | ## Installing the Chart 15 | 16 | To install the chart with the release name `istio-base`: 17 | 18 | ```console 19 | kubectl create namespace istio-system 20 | helm install istio-base istio/base -n istio-system 21 | ``` 22 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/crds/crd-operator.yaml: -------------------------------------------------------------------------------- 1 | # SYNC WITH manifests/charts/istio-operator/templates 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: istiooperators.install.istio.io 6 | labels: 7 | release: istio 8 | spec: 9 | conversion: 10 | strategy: None 11 | group: install.istio.io 12 | names: 13 | kind: IstioOperator 14 | listKind: IstioOperatorList 15 | plural: istiooperators 16 | singular: istiooperator 17 | shortNames: 18 | - iop 19 | - io 20 | scope: Namespaced 21 | versions: 22 | - additionalPrinterColumns: 23 | - description: Istio control plane revision 24 | jsonPath: .spec.revision 25 | name: Revision 26 | type: string 27 | - description: IOP current state 28 | jsonPath: .status.status 29 | name: Status 30 | type: string 31 | - description: 'CreationTimestamp is a timestamp representing the server time 32 | when this object was created. It is not guaranteed to be set in happens-before 33 | order across separate operations. Clients may not set this value. It is represented 34 | in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 35 | lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 36 | jsonPath: .metadata.creationTimestamp 37 | name: Age 38 | type: date 39 | subresources: 40 | status: {} 41 | name: v1alpha1 42 | schema: 43 | openAPIV3Schema: 44 | type: object 45 | x-kubernetes-preserve-unknown-fields: true 46 | served: true 47 | storage: true 48 | --- 49 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - files/gen-istio-cluster.yaml 6 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Istio base successfully installed! 2 | 3 | To learn more about the release, try: 4 | $ helm status {{ .Release.Name }} 5 | $ helm get all {{ .Release.Name }} 6 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 2 | # DO NOT EDIT! 
3 | # THIS IS A LEGACY CHART HERE FOR BACKCOMPAT 4 | # UPDATED CHART AT manifests/charts/istio-control/istio-discovery 5 | # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 6 | apiVersion: rbac.authorization.k8s.io/v1 7 | kind: ClusterRoleBinding 8 | metadata: 9 | name: istio-reader-{{ .Values.global.istioNamespace }} 10 | labels: 11 | app: istio-reader 12 | release: {{ .Release.Name }} 13 | roleRef: 14 | apiGroup: rbac.authorization.k8s.io 15 | kind: ClusterRole 16 | name: istio-reader-{{ .Values.global.istioNamespace }} 17 | subjects: 18 | - kind: ServiceAccount 19 | name: istio-reader-service-account 20 | namespace: {{ .Values.global.istioNamespace }} 21 | --- 22 | apiVersion: rbac.authorization.k8s.io/v1 23 | kind: ClusterRoleBinding 24 | metadata: 25 | name: istiod-{{ .Values.global.istioNamespace }} 26 | labels: 27 | app: istiod 28 | release: {{ .Release.Name }} 29 | roleRef: 30 | apiGroup: rbac.authorization.k8s.io 31 | kind: ClusterRole 32 | name: istiod-{{ .Values.global.istioNamespace }} 33 | subjects: 34 | - kind: ServiceAccount 35 | name: istiod-service-account 36 | namespace: {{ .Values.global.istioNamespace }} 37 | --- 38 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/templates/crds.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.base.enableCRDTemplates }} 2 | {{ .Files.Get "crds/crd-all.gen.yaml" }} 3 | {{ .Files.Get "crds/crd-operator.yaml" }} 4 | {{- end }} 5 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/templates/default.yaml: -------------------------------------------------------------------------------- 1 | {{- if not (eq .Values.defaultRevision "") }} 2 | apiVersion: admissionregistration.k8s.io/v1 3 | kind: ValidatingWebhookConfiguration 4 | metadata: 5 | name: istiod-default-validator 6 | labels: 7 | app: istiod 8 | release: {{ .Release.Name }} 9 | 
istio: istiod 10 | istio.io/rev: {{ .Values.defaultRevision }} 11 | webhooks: 12 | - name: validation.istio.io 13 | clientConfig: 14 | {{- if .Values.base.validationURL }} 15 | url: {{ .Values.base.validationURL }} 16 | {{- else }} 17 | service: 18 | {{- if (eq .Values.defaultRevision "default") }} 19 | name: istiod 20 | {{- else }} 21 | name: istiod-{{ .Values.defaultRevision }} 22 | {{- end }} 23 | namespace: {{ .Values.global.istioNamespace }} 24 | path: "/validate" 25 | {{- end }} 26 | rules: 27 | - operations: 28 | - CREATE 29 | - UPDATE 30 | apiGroups: 31 | - security.istio.io 32 | - networking.istio.io 33 | apiVersions: 34 | - "*" 35 | resources: 36 | - "*" 37 | # Fail open until the validation webhook is ready. The webhook controller 38 | # will update this to `Fail` and patch in the `caBundle` when the webhook 39 | # endpoint is ready. 40 | failurePolicy: Ignore 41 | sideEffects: None 42 | admissionReviewVersions: ["v1beta1", "v1"] 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/templates/endpoints.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.remotePilotAddress }} 2 | {{- if not .Values.global.externalIstiod }} 3 | apiVersion: v1 4 | kind: Endpoints 5 | metadata: 6 | name: istiod-remote 7 | namespace: {{ .Release.Namespace }} 8 | subsets: 9 | - addresses: 10 | - ip: {{ .Values.global.remotePilotAddress }} 11 | ports: 12 | - port: 15012 13 | name: tcp-istiod 14 | protocol: TCP 15 | {{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} 16 | apiVersion: v1 17 | kind: Endpoints 18 | metadata: 19 | name: istiod 20 | namespace: {{ .Release.Namespace }} 21 | subsets: 22 | - addresses: 23 | - ip: {{ .Values.global.remotePilotAddress }} 24 | ports: 25 | - port: 15012 26 | name: tcp-istiod 27 | protocol: TCP 28 | {{- end }} 29 | --- 30 | {{- end }} 31 | 
-------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/templates/reader-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | # This service account aggregates reader permissions for the revisions in a given cluster 2 | # Should be used for remote secret creation. 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | {{- if .Values.global.imagePullSecrets }} 6 | imagePullSecrets: 7 | {{- range .Values.global.imagePullSecrets }} 8 | - name: {{ . }} 9 | {{- end }} 10 | {{- end }} 11 | metadata: 12 | name: istio-reader-service-account 13 | namespace: {{ .Values.global.istioNamespace }} 14 | labels: 15 | app: istio-reader 16 | release: {{ .Release.Name }} 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/templates/role.yaml: -------------------------------------------------------------------------------- 1 | # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 2 | # DO NOT EDIT! 3 | # THIS IS A LEGACY CHART HERE FOR BACKCOMPAT 4 | # UPDATED CHART AT manifests/charts/istio-control/istio-discovery 5 | # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 6 | apiVersion: rbac.authorization.k8s.io/v1 7 | kind: Role 8 | metadata: 9 | name: istiod-{{ .Values.global.istioNamespace }} 10 | namespace: {{ .Values.global.istioNamespace }} 11 | labels: 12 | app: istiod 13 | release: {{ .Release.Name }} 14 | rules: 15 | # permissions to verify the webhook is ready and rejecting 16 | # invalid config. We use --server-dry-run so no config is persisted. 
17 | - apiGroups: ["networking.istio.io"] 18 | verbs: ["create"] 19 | resources: ["gateways"] 20 | 21 | # For storing CA secret 22 | - apiGroups: [""] 23 | resources: ["secrets"] 24 | # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config 25 | verbs: ["create", "get", "watch", "list", "update", "delete"] 26 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 2 | # DO NOT EDIT! 3 | # THIS IS A LEGACY CHART HERE FOR BACKCOMPAT 4 | # UPDATED CHART AT manifests/charts/istio-control/istio-discovery 5 | # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 6 | apiVersion: rbac.authorization.k8s.io/v1 7 | kind: RoleBinding 8 | metadata: 9 | name: istiod-{{ .Values.global.istioNamespace }} 10 | namespace: {{ .Values.global.istioNamespace }} 11 | labels: 12 | app: istiod 13 | release: {{ .Release.Name }} 14 | roleRef: 15 | apiGroup: rbac.authorization.k8s.io 16 | kind: Role 17 | name: istiod-{{ .Values.global.istioNamespace }} 18 | subjects: 19 | - kind: ServiceAccount 20 | name: istiod-service-account 21 | namespace: {{ .Values.global.istioNamespace }} 22 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 2 | # DO NOT EDIT! 3 | # THIS IS A LEGACY CHART HERE FOR BACKCOMPAT 4 | # UPDATED CHART AT manifests/charts/istio-control/istio-discovery 5 | # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | {{- if .Values.global.imagePullSecrets }} 9 | imagePullSecrets: 10 | {{- range .Values.global.imagePullSecrets }} 11 | - name: {{ . 
}} 12 | {{- end }} 13 | {{- end }} 14 | metadata: 15 | name: istiod-service-account 16 | namespace: {{ .Values.global.istioNamespace }} 17 | labels: 18 | app: istiod 19 | release: {{ .Release.Name }} 20 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/templates/services.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.remotePilotAddress }} 2 | {{- if not .Values.global.externalIstiod }} 3 | # when istiod is enabled in remote cluster, we can't use istiod service name 4 | apiVersion: v1 5 | kind: Service 6 | metadata: 7 | name: istiod-remote 8 | namespace: {{ .Release.Namespace }} 9 | spec: 10 | ports: 11 | - port: 15012 12 | name: tcp-istiod 13 | protocol: TCP 14 | clusterIP: None 15 | {{- else }} 16 | # when istiod isn't enabled in remote cluster, we can use istiod service name 17 | apiVersion: v1 18 | kind: Service 19 | metadata: 20 | name: istiod 21 | namespace: {{ .Release.Namespace }} 22 | spec: 23 | ports: 24 | - port: 15012 25 | name: tcp-istiod 26 | protocol: TCP 27 | # if the remotePilotAddress is IP addr, we use clusterIP: None. 28 | # else, we use externalName 29 | {{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} 30 | clusterIP: None 31 | {{- else }} 32 | type: ExternalName 33 | externalName: {{ .Values.global.remotePilotAddress }} 34 | {{- end }} 35 | {{- end }} 36 | --- 37 | {{- end }} 38 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/base/values.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | 3 | # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace 4 | # to use for pulling any images in pods that reference this ServiceAccount. 5 | # Must be set for any cluster configured with private docker registry. 
6 | imagePullSecrets: [] 7 | 8 | # Used to locate istiod. 9 | istioNamespace: istio-system 10 | 11 | istiod: 12 | enableAnalysis: false 13 | 14 | configValidation: true 15 | externalIstiod: false 16 | remotePilotAddress: "" 17 | 18 | base: 19 | # Used for helm2 to add the CRDs to templates. 20 | enableCRDTemplates: false 21 | 22 | # Validation webhook configuration url 23 | # For example: https://$remotePilotAddress:15017/validate 24 | validationURL: "" 25 | 26 | # For istioctl usage to disable istio config crds in base 27 | enableIstioConfigCRDs: true 28 | 29 | defaultRevision: "default" 30 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/default/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-default 3 | # This version is never actually shipped. istio/release-builder will replace it at build-time 4 | # with the appropriate version 5 | version: 1.0.0 6 | appVersion: 1.0.0 7 | description: Helm chart for istio default revision components. 
8 | keywords: 9 | - istio 10 | sources: 11 | - http://github.com/istio/istio 12 | engine: gotpl 13 | icon: https://istio.io/latest/favicons/android-192x192.png 14 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/default/templates/validatingwebhook.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: admissionregistration.k8s.io/v1 2 | kind: ValidatingWebhookConfiguration 3 | metadata: 4 | name: istiod-default-validator 5 | labels: 6 | app: istiod 7 | istio: istiod 8 | istio.io/rev: {{ .Values.revision | default "default" }} 9 | istio.io/tag: "default" 10 | # Required to make sure this resource is removed 11 | # when purging Istio resources 12 | operator.istio.io/component: Pilot 13 | webhooks: 14 | - name: validation.istio.io 15 | clientConfig: 16 | {{- if .Values.base.validationURL }} 17 | url: {{ .Values.base.validationURL }} 18 | {{- else }} 19 | service: 20 | name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 21 | namespace: {{ .Values.global.istioNamespace }} 22 | path: "/validate" 23 | {{- end }} 24 | caBundle: "" # patched at runtime by istiod once the webhook is ready; until then the API server has no CA to authenticate the webhook endpoint and, because of failurePolicy: Ignore below, Istio config is admitted without validation. 25 | rules: 26 | - operations: 27 | - CREATE 28 | - UPDATE 29 | apiGroups: 30 | - security.istio.io 31 | - networking.istio.io 32 | - telemetry.istio.io 33 | - extensions.istio.io 34 | apiVersions: 35 | - "*" 36 | resources: 37 | - "*" 38 | failurePolicy: Ignore # fail-open: while istiod is unreachable (or the caBundle above is not yet patched), CREATE/UPDATE of Istio config objects is admitted unvalidated. A policy of Fail would enforce validation at the cost of blocking config writes during istiod outages. 39 | sideEffects: None 40 | admissionReviewVersions: ["v1beta1", "v1"] 41 | objectSelector: 42 | matchExpressions: 43 | - key: istio.io/rev 44 | operator: DoesNotExist 45 | --- 46 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/default/values.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | # Used to locate istiod. 
3 | istioNamespace: "istio-system" 4 | 5 | base: 6 | # Validation webhook configuration url 7 | # For example: https://$remotePilotAddress:15017/validate 8 | validationURL: "" 9 | 10 | istiodRemote: 11 | # Sidecar injector mutating webhook configuration url 12 | # For example: https://$remotePilotAddress:15017/inject 13 | injectionURL: "" 14 | 15 | # Revision is set as 'version' label and part of the resource names when installing multiple control planes. 16 | revision: "" 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateway/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: gateway 3 | description: Helm chart for deploying Istio gateways 4 | type: application 5 | 6 | # This version is never actually shipped. istio/release-builder will replace it at build-time 7 | # with the appropriate version 8 | version: 1.12.1 9 | appVersion: 1.12.1 10 | 11 | sources: 12 | - http://github.com/istio/istio 13 | icon: https://istio.io/latest/favicons/android-192x192.png 14 | keywords: 15 | - istio 16 | - gateways -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateway/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | "{{ include "gateway.name" . }}" successfully installed! 
2 | 3 | To learn more about the release, try: 4 | $ helm status {{ .Release.Name }} 5 | $ helm get all {{ .Release.Name }} 6 | 7 | Next steps: 8 | * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ 9 | * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ 10 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateway/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "gateway.name" -}} 2 | {{- if eq .Release.Name "RELEASE-NAME" -}} 3 | {{- .Values.name | default "istio-ingressgateway" -}} 4 | {{- else -}} 5 | {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} 6 | {{- end -}} 7 | {{- end }} 8 | 9 | {{/* 10 | Create chart name and version as used by the chart label. 11 | */}} 12 | {{- define "gateway.chart" -}} 13 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 14 | {{- end }} 15 | 16 | {{- define "gateway.labels" -}} 17 | helm.sh/chart: {{ include "gateway.chart" . }} 18 | {{ include "gateway.selectorLabels" . }} 19 | {{- if .Chart.AppVersion }} 20 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 21 | {{- end }} 22 | app.kubernetes.io/managed-by: {{ .Release.Service }} 23 | app.kubernetes.io/name: {{ include "gateway.name" . }} 24 | {{- range $key, $val := .Values.labels }} 25 | {{- if not (or (eq $key "app") (eq $key "istio")) }} 26 | {{ $key | quote }}: {{ $val | quote }} 27 | {{- end }} 28 | {{- end }} 29 | {{- end }} 30 | 31 | {{- define "gateway.selectorLabels" -}} 32 | {{- if hasKey .Values.labels "app" }} 33 | {{- with .Values.labels.app }}app: {{.|quote}} 34 | {{- end}} 35 | {{- else }}app: {{ include "gateway.name" . 
}} 36 | {{- end }} 37 | {{- if hasKey .Values.labels "istio" }} 38 | {{- with .Values.labels.istio }} 39 | istio: {{.|quote}} 40 | {{- end}} 41 | {{- else }} 42 | istio: {{ include "gateway.name" . | trimPrefix "istio-" }} 43 | {{- end }} 44 | {{- end }} 45 | 46 | {{- define "gateway.serviceAccountName" -}} 47 | {{- if .Values.serviceAccount.create }} 48 | {{- .Values.serviceAccount.name | default (include "gateway.name" .) }} 49 | {{- else }} 50 | {{- .Values.serviceAccount.name | default "default" }} 51 | {{- end }} 52 | {{- end }} 53 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateway/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.autoscaling.enabled }} 2 | apiVersion: autoscaling/v2beta2 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "gateway.name" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "gateway.labels" . | nindent 4 }} 9 | annotations: 10 | {{- .Values.annotations | toYaml | nindent 4 }} 11 | spec: 12 | scaleTargetRef: 13 | apiVersion: apps/v1 14 | kind: Deployment 15 | name: {{ include "gateway.name" . }} 16 | minReplicas: {{ .Values.autoscaling.minReplicas }} 17 | maxReplicas: {{ .Values.autoscaling.maxReplicas }} 18 | metrics: 19 | {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} 20 | - type: Resource 21 | resource: 22 | name: cpu 23 | target: 24 | averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} 25 | type: Utilization 26 | {{- end }} 27 | 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateway/templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{/*Set up roles for Istio Gateway. 
Not required for gateway-api. The Role below grants get/watch/list on ALL Secrets in the release namespace (no resourceNames restriction), so the gateway service account can read every Secret there, not only its own TLS credentials; run gateways in a dedicated namespace to bound that exposure. Note also that with serviceAccount.create=false and no serviceAccount.name, gateway.serviceAccountName resolves to "default", so this binding would grant Secret read access to every pod in the namespace running as the default service account.*/}} 2 | {{- if .Values.rbac.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: Role 5 | metadata: 6 | name: {{ include "gateway.serviceAccountName" . }} 7 | namespace: {{ .Release.Namespace }} 8 | rules: 9 | - apiGroups: [""] 10 | resources: ["secrets"] 11 | verbs: ["get", "watch", "list"] 12 | --- 13 | apiVersion: rbac.authorization.k8s.io/v1 14 | kind: RoleBinding 15 | metadata: 16 | name: {{ include "gateway.serviceAccountName" . }} 17 | namespace: {{ .Release.Namespace }} 18 | roleRef: 19 | apiGroup: rbac.authorization.k8s.io 20 | kind: Role 21 | name: {{ include "gateway.serviceAccountName" . }} 22 | subjects: 23 | - kind: ServiceAccount 24 | name: {{ include "gateway.serviceAccountName" . }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateway/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if not (eq .Values.service.type "None") }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "gateway.name" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "gateway.labels" . | nindent 4 }} 9 | {{- with .Values.networkGateway }} 10 | topology.istio.io/network: "{{.}}" 11 | {{- end }} 12 | annotations: 13 | {{- .Values.annotations | toYaml | nindent 4 }} 14 | spec: 15 | {{- with .Values.service.loadBalancerIP }} 16 | loadBalancerIP: "{{ . }}" 17 | {{- end }} 18 | {{- with .Values.service.loadBalancerSourceRanges }} 19 | loadBalancerSourceRanges: 20 | {{ toYaml . | indent 4 }} 21 | {{- end }} 22 | {{- with .Values.service.externalTrafficPolicy }} 23 | externalTrafficPolicy: "{{ . 
}}" 24 | {{- end }} 25 | type: {{ .Values.service.type }} 26 | ports: 27 | {{- if .Values.networkGateway }} 28 | - name: status-port 29 | port: 15021 30 | targetPort: 15021 31 | - name: tls 32 | port: 15443 33 | targetPort: 15443 34 | - name: tls-istiod 35 | port: 15012 36 | targetPort: 15012 37 | - name: tls-webhook 38 | port: 15017 39 | targetPort: 15017 40 | {{- else }} 41 | {{ .Values.service.ports | toYaml | indent 4 }} 42 | {{- end }} 43 | selector: 44 | {{- include "gateway.selectorLabels" . | nindent 4 }} 45 | {{- end }} -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateway/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "gateway.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "gateway.labels" . | nindent 4 }} 9 | {{- with .Values.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-egress/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-egress 3 | # This version is never actually shipped. 
istio/release-builder will replace it at build-time 4 | # with the appropriate version 5 | version: 1.12.1 6 | appVersion: 1.12.1 7 | tillerVersion: ">=2.7.2" 8 | description: Helm chart for deploying Istio gateways 9 | keywords: 10 | - istio 11 | - egressgateway 12 | - gateways 13 | sources: 14 | - http://github.com/istio/istio 15 | engine: gotpl 16 | icon: https://istio.io/latest/favicons/android-192x192.png 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-egress/NOTES.txt: -------------------------------------------------------------------------------- 1 | 2 | Changes: 3 | - separate namespace allows: 4 | -- easier reconfig of just the gateway 5 | -- TLS secrets and domain-name management are isolated per namespace, which limits which Secrets a compromised gateway can read (its Role only covers Secrets in its own namespace) 6 | -- simplified configuration 7 | -- multiple versions of the ingress can be used, to minimize upgrade risks 8 | 9 | - the chart creates a dedicated service account (`<gateway-name>-service-account`) bound to a namespace-scoped Role (`<gateway-name>-sds`) that only grants 10 | get/watch/list on Secrets in the gateway namespace; no cluster-wide RBAC permissions are required. 11 | 12 | - simplified label structure. Label change is not supported on upgrade. 13 | 14 | - for 'internal load balancer' you should deploy a separate gateway, in a different 15 | namespace. 16 | 17 | All ingress gateways have an "app: ingressgateway" label, used to identify them as 18 | ingresses, and an "istio: ingressgateway$SUFFIX" label used for Gateway selection. 19 | 20 | The Gateways use "istio: ingressgateway$SUFFIX" selectors. 21 | 22 | 23 | # Multiple gateway versions 24 | 25 | 26 | 27 | # Using different pilot versions 28 | 29 | 30 | 31 | # Migration from istio-system 32 | 33 | Istio 1.0 includes the gateways in istio-system. Since the external IP is associated 34 | with the Service and bound to the namespace, it is recommended to: 35 | 36 | 1. Install the new gateway in a new namespace. 37 | 2. Copy any TLS certificate (and its private key) to the new namespace, and configure the domains. 38 | 3. 
Check that the new gateway works - for example by overriding the IP in /etc/hosts 39 | 4. Modify the DNS server to add an A record for the gateway in the new namespace 40 | 5. Check traffic 41 | 6. Delete the A record corresponding to the gateway in istio-system 42 | 7. Upgrade istio-system, disabling the ingressgateway 43 | 8. Delete the domain TLS certs (and their private keys) from istio-system, so the key material no longer exists in two namespaces. 44 | 45 | If using certmanager, all Certificate and associated configs must be moved as well. 46 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-egress/templates/autoscale.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 2 | {{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} 3 | apiVersion: autoscaling/v2beta1 4 | kind: HorizontalPodAutoscaler 5 | metadata: 6 | name: {{ $gateway.name }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{ $gateway.labels | toYaml | indent 4 }} 10 | release: {{ .Release.Name }} 11 | istio.io/rev: {{ .Values.revision | default "default" }} 12 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 13 | operator.istio.io/component: "EgressGateways" 14 | spec: 15 | maxReplicas: {{ $gateway.autoscaleMax }} 16 | minReplicas: {{ $gateway.autoscaleMin }} 17 | scaleTargetRef: 18 | apiVersion: apps/v1 19 | kind: Deployment 20 | name: {{ $gateway.name }} 21 | metrics: 22 | - type: Resource 23 | resource: 24 | name: cpu 25 | targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} 26 | --- 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.defaultPodDisruptionBudget.enabled }} 2 | 
{{ $gateway := index .Values "gateways" "istio-egressgateway" }} 3 | apiVersion: policy/v1beta1 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: {{ $gateway.name }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{ $gateway.labels | toYaml | trim | indent 4 }} 10 | release: {{ .Release.Name }} 11 | istio.io/rev: {{ .Values.revision | default "default" }} 12 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 13 | operator.istio.io/component: "EgressGateways" 14 | spec: 15 | minAvailable: 1 16 | selector: 17 | matchLabels: 18 | {{ $gateway.labels | toYaml | trim | indent 6 }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-egress/templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ $gateway.name }}-sds 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | release: {{ .Release.Name }} 9 | istio.io/rev: {{ .Values.revision | default "default" }} 10 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 11 | operator.istio.io/component: "EgressGateways" 12 | rules: 13 | - apiGroups: [""] 14 | resources: ["secrets"] 15 | verbs: ["get", "watch", "list"] 16 | --- 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: {{ $gateway.name }}-sds 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | release: {{ .Release.Name }} 9 | 
istio.io/rev: {{ .Values.revision | default "default" }} 10 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 11 | operator.istio.io/component: "EgressGateways" 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: Role 15 | name: {{ $gateway.name }}-sds 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ $gateway.name }}-service-account 19 | --- 20 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-egress/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 2 | {{- if not $gateway.customService }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ $gateway.name }} 7 | namespace: {{ .Release.Namespace }} 8 | annotations: 9 | {{- range $key, $val := $gateway.serviceAnnotations }} 10 | {{ $key }}: {{ $val | quote }} 11 | {{- end }} 12 | labels: 13 | {{ $gateway.labels | toYaml | indent 4 }} 14 | release: {{ .Release.Name }} 15 | istio.io/rev: {{ .Values.revision | default "default" }} 16 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 17 | operator.istio.io/component: "EgressGateways" 18 | spec: 19 | {{- if $gateway.loadBalancerIP }} 20 | loadBalancerIP: "{{ $gateway.loadBalancerIP }}" 21 | {{- end }} 22 | {{- if $gateway.loadBalancerSourceRanges }} 23 | loadBalancerSourceRanges: 24 | {{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} 25 | {{- end }} 26 | {{- if $gateway.externalTrafficPolicy }} 27 | externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} 28 | {{- end }} 29 | type: {{ $gateway.type }} 30 | selector: 31 | {{ $gateway.labels | toYaml | indent 4 }} 32 | ports: 33 | 34 | {{- range $key, $val := $gateway.ports }} 35 | - 36 | {{- range $pkey, $pval := $val }} 37 | {{ $pkey}}: {{ $pval }} 38 | {{- end }} 39 | {{- end }} 40 | 41 | {{ range $app 
:= $gateway.egressPorts }} 42 | - 43 | port: {{ $app.port }} 44 | name: {{ $app.name }} 45 | {{- end }} 46 | --- 47 | {{ end }} 48 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-egressgateway" }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | {{- if .Values.global.imagePullSecrets }} 5 | imagePullSecrets: 6 | {{- range .Values.global.imagePullSecrets }} 7 | - name: {{ . }} 8 | {{- end }} 9 | {{- end }} 10 | metadata: 11 | name: {{ $gateway.name }}-service-account 12 | namespace: {{ .Release.Namespace }} 13 | labels: 14 | {{ $gateway.labels | toYaml | trim | indent 4 }} 15 | release: {{ .Release.Name }} 16 | istio.io/rev: {{ .Values.revision | default "default" }} 17 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 18 | operator.istio.io/component: "EgressGateways" 19 | {{- with $gateway.serviceAccount.annotations }} 20 | annotations: 21 | {{- toYaml . | nindent 4 }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-ingress/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-ingress 3 | # This version is never actually shipped. 
istio/release-builder will replace it at build-time 4 | # with the appropriate version 5 | version: 1.12.1 6 | appVersion: 1.12.1 7 | tillerVersion: ">=2.7.2" 8 | description: Helm chart for deploying Istio gateways 9 | keywords: 10 | - istio 11 | - ingressgateway 12 | - gateways 13 | sources: 14 | - http://github.com/istio/istio 15 | engine: gotpl 16 | icon: https://istio.io/latest/favicons/android-192x192.png 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-ingressgateway" }} 2 | {{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} 3 | apiVersion: autoscaling/v2beta1 4 | kind: HorizontalPodAutoscaler 5 | metadata: 6 | name: {{ $gateway.name }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{ $gateway.labels | toYaml | indent 4 }} 10 | release: {{ .Release.Name }} 11 | istio.io/rev: {{ .Values.revision | default "default" }} 12 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 13 | operator.istio.io/component: "IngressGateways" 14 | spec: 15 | maxReplicas: {{ $gateway.autoscaleMax }} 16 | minReplicas: {{ $gateway.autoscaleMin }} 17 | scaleTargetRef: 18 | apiVersion: apps/v1 19 | kind: Deployment 20 | name: {{ $gateway.name }} 21 | metrics: 22 | - type: Resource 23 | resource: 24 | name: cpu 25 | targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} 26 | --- 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.defaultPodDisruptionBudget.enabled }} 2 | {{ $gateway := index .Values 
"gateways" "istio-ingressgateway" }} 3 | apiVersion: policy/v1beta1 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: {{ $gateway.name }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{ $gateway.labels | toYaml | trim | indent 4 }} 10 | release: {{ .Release.Name }} 11 | istio.io/rev: {{ .Values.revision | default "default" }} 12 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 13 | operator.istio.io/component: "IngressGateways" 14 | spec: 15 | minAvailable: 1 16 | selector: 17 | matchLabels: 18 | {{ $gateway.labels | toYaml | trim | indent 6 }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-ingress/templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-ingressgateway" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ $gateway.name }}-sds 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | release: {{ .Release.Name }} 9 | istio.io/rev: {{ .Values.revision | default "default" }} 10 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 11 | operator.istio.io/component: "IngressGateways" 12 | rules: 13 | - apiGroups: [""] 14 | resources: ["secrets"] 15 | verbs: ["get", "watch", "list"] 16 | --- 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-ingressgateway" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: {{ $gateway.name }}-sds 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | release: {{ .Release.Name }} 9 | istio.io/rev: {{ .Values.revision 
| default "default" }} 10 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 11 | operator.istio.io/component: "IngressGateways" 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: Role 15 | name: {{ $gateway.name }}-sds 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ $gateway.name }}-service-account 19 | --- 20 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-ingress/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-ingressgateway" }} 2 | {{- if not $gateway.customService }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ $gateway.name }} 7 | namespace: {{ .Release.Namespace }} 8 | annotations: 9 | {{- range $key, $val := $gateway.serviceAnnotations }} 10 | {{ $key }}: {{ $val | quote }} 11 | {{- end }} 12 | labels: 13 | {{ $gateway.labels | toYaml | indent 4 }} 14 | release: {{ .Release.Name }} 15 | istio.io/rev: {{ .Values.revision | default "default" }} 16 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 17 | operator.istio.io/component: "IngressGateways" 18 | spec: 19 | {{- if $gateway.loadBalancerIP }} 20 | loadBalancerIP: "{{ $gateway.loadBalancerIP }}" 21 | {{- end }} 22 | {{- if $gateway.loadBalancerSourceRanges }} 23 | loadBalancerSourceRanges: 24 | {{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} 25 | {{- end }} 26 | {{- if $gateway.externalTrafficPolicy }} 27 | externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} 28 | {{- end }} 29 | type: {{ $gateway.type }} 30 | selector: 31 | {{ $gateway.labels | toYaml | indent 4 }} 32 | ports: 33 | 34 | {{- range $key, $val := $gateway.ports }} 35 | - 36 | {{- range $pkey, $pval := $val }} 37 | {{ $pkey}}: {{ $pval }} 38 | {{- end }} 39 | {{- end }} 40 | 41 | {{ range $app := $gateway.ingressPorts }} 42 
| - 43 | port: {{ $app.port }} 44 | name: {{ $app.name }} 45 | {{- end }} 46 | --- 47 | {{ end }} 48 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{ $gateway := index .Values "gateways" "istio-ingressgateway" }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | {{- if .Values.global.imagePullSecrets }} 5 | imagePullSecrets: 6 | {{- range .Values.global.imagePullSecrets }} 7 | - name: {{ . }} 8 | {{- end }} 9 | {{- end }} 10 | metadata: 11 | name: {{ $gateway.name }}-service-account 12 | namespace: {{ .Release.Namespace }} 13 | labels: 14 | {{ $gateway.labels | toYaml | trim | indent 4 }} 15 | release: {{ .Release.Name }} 16 | istio.io/rev: {{ .Values.revision | default "default" }} 17 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 18 | operator.istio.io/component: "IngressGateways" 19 | {{- with $gateway.serviceAccount.annotations }} 20 | annotations: 21 | {{- toYaml . | nindent 4 }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-cni/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: cni 3 | # This version is never actually shipped. 
istio/release-builder will replace it at build-time 4 | # with the appropriate version 5 | version: 1.12.1 6 | appVersion: 1.12.1 7 | description: Helm chart for istio-cni components 8 | keywords: 9 | - istio-cni 10 | - istio 11 | sources: 12 | - http://github.com/istio/cni 13 | engine: gotpl 14 | icon: https://istio.io/latest/favicons/android-192x192.png 15 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-cni/README.md: -------------------------------------------------------------------------------- 1 | # Istio CNI Helm Chart 2 | 3 | This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) 4 | for more information. 5 | 6 | ## Setup Repo Info 7 | 8 | ```console 9 | helm repo add istio https://istio-release.storage.googleapis.com/charts 10 | helm repo update 11 | ``` 12 | 13 | _See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ 14 | 15 | ## Installing the Chart 16 | 17 | To install the chart with the release name `istio-cni`: 18 | 19 | ```console 20 | helm install istio-cni istio/cni -n kube-system 21 | ``` 22 | 23 | Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) 24 | `priorityClassName` can be used. 25 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-cni/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | "{{ .Release.Name }}" successfully installed! 
2 | 3 | To learn more about the release, try: 4 | $ helm status {{ .Release.Name }} 5 | $ helm get all {{ .Release.Name }} 6 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-cni/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: istio-cni 5 | labels: 6 | app: istio-cni 7 | release: {{ .Release.Name }} 8 | istio.io/rev: {{ .Values.revision | default "default" }} 9 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 10 | operator.istio.io/component: "Cni" 11 | rules: 12 | - apiGroups: [""] 13 | resources: 14 | - pods 15 | - nodes 16 | verbs: 17 | - get 18 | --- 19 | {{- if .Values.cni.repair.enabled }} 20 | apiVersion: rbac.authorization.k8s.io/v1 21 | kind: ClusterRole 22 | metadata: 23 | name: istio-cni-repair-role 24 | labels: 25 | app: istio-cni 26 | release: {{ .Release.Name }} 27 | istio.io/rev: {{ .Values.revision | default "default" }} 28 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 29 | operator.istio.io/component: "Cni" 30 | rules: 31 | - apiGroups: [""] 32 | resources: ["pods"] 33 | verbs: ["get", "list", "watch", "delete", "patch", "update" ] # ClusterRole with no namespace or resourceNames scoping: whatever service account is bound to it (see clusterrolebinding.yaml) can delete/patch/update any Pod in the cluster. Enable cni.repair only where that blast radius is acceptable. 34 | - apiGroups: [""] 35 | resources: ["events"] 36 | verbs: ["get", "list", "watch", "delete", "patch", "update", "create" ] 37 | {{- end }} 38 | --- 39 | {{- if .Values.cni.taint.enabled }} 40 | apiVersion: rbac.authorization.k8s.io/v1 41 | kind: ClusterRole 42 | metadata: 43 | name: istio-cni-taint-role 44 | labels: 45 | app: istio-cni 46 | release: {{ .Release.Name }} 47 | istio.io/rev: {{ .Values.revision | default "default" }} 48 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 49 | operator.istio.io/component: "Cni" 50 | rules: 51 | - apiGroups: [""] 52 | resources: ["pods"] 
53 | verbs: ["get", "list", "watch", "patch"] 54 | - apiGroups: [""] 55 | resources: ["nodes"] 56 | verbs: ["get", "list", "watch", "update", "patch"] 57 | - apiGroups: [""] 58 | resources: ["configmaps"] 59 | verbs: ["get", "list"] 60 | - apiGroups: ["coordination.k8s.io"] 61 | resources: ["leases"] 62 | verbs: ["get", "list", "create", "update"] 63 | {{- end }} 64 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-cni/templates/configmap-cni.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: istio-cni-config 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: istio-cni 8 | release: {{ .Release.Name }} 9 | istio.io/rev: {{ .Values.revision | default "default" }} 10 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 11 | operator.istio.io/component: "Cni" 12 | data: 13 | # The CNI network configuration to add to the plugin chain on each node. The special 14 | # values in this config will be automatically populated. 
15 | cni_network_config: |- 16 | { 17 | "cniVersion": "0.3.1", 18 | "name": "istio-cni", 19 | "type": "istio-cni", 20 | "log_level": {{ quote .Values.cni.logLevel }}, 21 | "log_uds_address": "__LOG_UDS_ADDRESS__", 22 | "kubernetes": { 23 | "kubeconfig": "__KUBECONFIG_FILEPATH__", 24 | "cni_bin_dir": {{ quote .Values.cni.cniBinDir }}, 25 | "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ] 26 | } 27 | } 28 | --- 29 | {{- if .Values.cni.taint.enabled }} 30 | apiVersion: v1 31 | kind: ConfigMap 32 | metadata: 33 | name: "istio-cni-taint-configmap" 34 | namespace: {{ .Release.Namespace }} 35 | labels: 36 | app: istio-cni 37 | release: {{ .Release.Name }} 38 | istio.io/rev: {{ .Values.revision | default "default" }} 39 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 40 | operator.istio.io/component: "Cni" 41 | data: 42 | config: | 43 | - name: istio-cni 44 | selector: k8s-app=istio-cni-node 45 | namespace: {{ .Release.Namespace }} 46 | {{- end }} 47 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-cni/templates/resourcequota.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.cni.resourceQuotas.enabled }} 2 | apiVersion: v1 3 | kind: ResourceQuota 4 | metadata: 5 | name: istio-cni-resource-quota 6 | namespace: {{ .Release.Namespace }} 7 | spec: 8 | hard: 9 | pods: {{ .Values.cni.resourceQuotas.pods | quote }} 10 | scopeSelector: 11 | matchExpressions: 12 | - operator: In 13 | scopeName: PriorityClass 14 | values: 15 | - system-node-critical 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-cni/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: 
ServiceAccount 3 | {{- if .Values.global.imagePullSecrets }} 4 | imagePullSecrets: 5 | {{- range .Values.global.imagePullSecrets }} 6 | - name: {{ . }} 7 | {{- end }} 8 | {{- end }} 9 | metadata: 10 | name: istio-cni 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: istio-cni 14 | release: {{ .Release.Name }} 15 | istio.io/rev: {{ .Values.revision | default "default" }} 16 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 17 | operator.istio.io/component: "Cni" 18 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istiod 3 | # This version is never actually shipped. istio/release-builder will replace it at build-time 4 | # with the appropriate version 5 | version: 1.12.1 6 | appVersion: 1.12.1 7 | tillerVersion: ">=2.7.2" 8 | description: Helm chart for istio control plane 9 | keywords: 10 | - istio 11 | - istiod 12 | - istio-discovery 13 | sources: 14 | - http://github.com/istio/istio 15 | engine: gotpl 16 | icon: https://istio.io/latest/favicons/android-192x192.png 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/README.md: -------------------------------------------------------------------------------- 1 | # Istiod Helm Chart 2 | 3 | This chart installs an Istiod deployment. 4 | 5 | ## Setup Repo Info 6 | 7 | ```console 8 | helm repo add istio https://istio-release.storage.googleapis.com/charts 9 | helm repo update 10 | ``` 11 | 12 | _See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ 13 | 14 | ## Installing the Chart 15 | 16 | Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). 
17 | 18 | To install the chart with the release name `istiod`: 19 | 20 | ```console 21 | kubectl create namespace istio-system 22 | helm install istiod istio/istiod --namespace istio-system 23 | ``` 24 | 25 | ## Uninstalling the Chart 26 | 27 | To uninstall/delete the `istiod` deployment: 28 | 29 | ```console 30 | helm delete istiod --namespace istio-system 31 | ``` 32 | 33 | ## Configuration 34 | 35 | To view the supported configuration options and their documentation, run: 36 | 37 | ```console 38 | helm show values istio/istiod 39 | ``` 40 | 41 | ### Examples 42 | 43 | #### Configuring mesh configuration settings 44 | 45 | Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) option can be configured as shown below: 46 | 47 | ```yaml 48 | meshConfig: 49 | accessLogFile: /dev/stdout 50 | ``` 51 | 52 | #### Revisions 53 | 54 | Control plane revisions allow deploying multiple versions of the control plane in the same cluster. 55 | This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/). 56 | 57 | ```yaml 58 | revision: my-revision-name 59 | ``` 60 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml: -------------------------------------------------------------------------------- 1 | metadata: 2 | sidecar.istio.io/rewriteAppHTTPProbers: "false" 3 | spec: 4 | initContainers: 5 | - name: grpc-bootstrap-init 6 | image: busybox:1.28 7 | volumeMounts: 8 | - mountPath: /var/lib/grpc/data/ 9 | name: grpc-io-proxyless-bootstrap 10 | env: 11 | - name: INSTANCE_IP 12 | valueFrom: 13 | fieldRef: 14 | fieldPath: status.podIP 15 | - name: POD_NAME 16 | valueFrom: 17 | fieldRef: 18 | fieldPath: metadata.name 19 | - name: POD_NAMESPACE 20 | valueFrom: 21 | fieldRef: 22 | fieldPath: metadata.namespace 23 | - name: ISTIO_NAMESPACE 24 | value: | 25 | {{ .Values.global.istioNamespace }} 26 | command: 27 | - sh 28 | - "-c" 29 | 
- |- 30 | NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" 31 | SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" 32 | echo ' 33 | { 34 | "xds_servers": [ 35 | { 36 | "server_uri": "'${SERVER_URI}'", 37 | "channel_creds": [{"type": "insecure"}], 38 | "server_features" : ["xds_v3"] 39 | } 40 | ], 41 | "node": { 42 | "id": "'${NODE_ID}'", 43 | "metadata": { 44 | "GENERATOR": "grpc" 45 | } 46 | } 47 | }' > /var/lib/grpc/data/bootstrap.json 48 | containers: 49 | {{- range $index, $container := .Spec.Containers }} 50 | - name: {{ $container.Name }} 51 | env: 52 | - name: GRPC_XDS_BOOTSTRAP 53 | value: /var/lib/grpc/data/bootstrap.json 54 | - name: GRPC_GO_LOG_VERBOSITY_LEVEL 55 | value: "99" 56 | - name: GRPC_GO_LOG_SEVERITY_LEVEL 57 | value: info 58 | volumeMounts: 59 | - mountPath: /var/lib/grpc/data/ 60 | name: grpc-io-proxyless-bootstrap 61 | {{- end }} 62 | volumes: 63 | - name: grpc-io-proxyless-bootstrap 64 | emptyDir: {} 65 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - files/gen-istio.yaml 6 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | "istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! 
2 | 3 | To learn more about the release, try: 4 | $ helm status {{ .Release.Name }} 5 | $ helm get all {{ .Release.Name }} 6 | 7 | Next steps: 8 | * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ 9 | * Try out our tasks to get started on common configurations: 10 | * https://istio.io/latest/docs/tasks/traffic-management 11 | * https://istio.io/latest/docs/tasks/security/ 12 | * https://istio.io/latest/docs/tasks/policy-enforcement/ 13 | * https://istio.io/latest/docs/tasks/policy-enforcement/ 14 | * Review the list of actively supported releases, CVE publications and our hardening guide: 15 | * https://istio.io/latest/docs/releases/supported-releases/ 16 | * https://istio.io/latest/news/security/ 17 | * https://istio.io/latest/docs/ops/best-practices/security/ 18 | 19 | For further documentation see https://istio.io website 20 | 21 | Tell us how your install/upgrade experience went at https://forms.gle/FegQbc9UvePd4Z9z7 22 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: istiod 9 | release: {{ .Release.Name }} 10 | istio.io/rev: {{ .Values.revision | default "default" }} 11 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 12 | operator.istio.io/component: "Pilot" 13 | spec: 14 | maxReplicas: {{ .Values.pilot.autoscaleMax }} 15 | minReplicas: {{ .Values.pilot.autoscaleMin }} 16 | scaleTargetRef: 17 | apiVersion: apps/v1 18 | kind: Deployment 19 | name: istiod{{- if 
not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 20 | metrics: 21 | - type: Resource 22 | resource: 23 | name: cpu 24 | targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} 25 | --- 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 5 | labels: 6 | app: istiod 7 | release: {{ .Release.Name }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} 15 | namespace: {{ .Values.global.istioNamespace }} 16 | --- 17 | {{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} 18 | apiVersion: rbac.authorization.k8s.io/v1 19 | kind: ClusterRoleBinding 20 | metadata: 21 | name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 22 | labels: 23 | app: istiod 24 | release: {{ .Release.Name }} 25 | roleRef: 26 | apiGroup: rbac.authorization.k8s.io 27 | kind: ClusterRole 28 | name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 29 | subjects: 30 | - kind: ServiceAccount 31 | name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} 32 | namespace: {{ .Values.global.istioNamespace }} 33 | {{- end }} 
-------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.pilot.jwksResolverExtraRootCA }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | release: {{ .Release.Name }} 9 | istio.io/rev: {{ .Values.revision | default "default" }} 10 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 11 | operator.istio.io/component: "Pilot" 12 | data: 13 | extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} # NOTE(review): presumably the extra root CA bundle istiod trusts when fetching JWKS over TLS; the value is emitted verbatim (quoted), so it must be a PEM bundle — confirm against pilot's JWKS resolver config 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.defaultPodDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 # NOTE(review): policy/v1beta1 PodDisruptionBudget is no longer served from Kubernetes 1.25; policy/v1 is available from 1.21 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: istiod 9 | istio.io/rev: {{ .Values.revision | default "default" }} 10 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 11 | operator.istio.io/component: "Pilot" 12 | release: {{ .Release.Name }} 13 | istio: pilot 14 | spec: 15 | minAvailable: 1 # NOTE(review): if istiod runs with a single replica, minAvailable: 1 blocks voluntary evictions (e.g. node drain) of that pod 16 | selector: 17 | matchLabels: 18 | app: istiod 19 | {{- if ne .Values.revision "" }} 20 | istio.io/rev: {{ .Values.revision }} 21 | {{- else }} 22 | istio: pilot # unrevisioned install: select on the legacy istio: pilot label, matching the selector used in service.yaml 23 | {{- end }} 24 | --- 25 | {{- end }} 26 | -------------------------------------------------------------------------------- 
/istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 5 | labels: 6 | app: istio-reader 7 | release: {{ .Release.Name }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: istio-reader-service-account 15 | namespace: {{ .Values.global.istioNamespace }} 16 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} 5 | namespace: {{ .Values.global.istioNamespace }} 6 | labels: 7 | app: istiod 8 | release: {{ .Release.Name }} 9 | rules: 10 | # permissions to verify the webhook is ready and rejecting 11 | # invalid config. We use --server-dry-run so no config is persisted. 
12 | - apiGroups: ["networking.istio.io"] 13 | verbs: ["create"] 14 | resources: ["gateways"] 15 | 16 | # For storing the CA secret 17 | - apiGroups: [""] 18 | resources: ["secrets"] 19 | # TODO: restrict this rule to the istio-ca-cert secret when the DNS cert mesh config is not in use; as written it grants create/read/update/delete on every Secret in the namespace 20 | verbs: ["create", "get", "watch", "list", "update", "delete"] 21 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} 5 | namespace: {{ .Values.global.istioNamespace }} 6 | labels: 7 | app: istiod 8 | release: {{ .Release.Name }} 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: Role 12 | name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 16 | namespace: {{ .Values.global.istioNamespace }} 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 5 | namespace: {{ .Release.Namespace }} 6 | {{- if .Values.pilot.serviceAnnotations }} 7 | annotations: 8 | {{ toYaml .Values.pilot.serviceAnnotations | indent 4 }} 9 | {{- end }} 10 | labels: 11 | istio.io/rev: {{ .Values.revision | default "default" }} 12 | install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 13 | operator.istio.io/component: "Pilot" 14 | app: 
istiod 15 | istio: pilot 16 | release: {{ .Release.Name }} 17 | spec: 18 | ports: 19 | - port: 15010 20 | name: grpc-xds # plaintext 21 | protocol: TCP 22 | - port: 15012 23 | name: https-dns # mTLS with k8s-signed cert 24 | protocol: TCP 25 | - port: 443 26 | name: https-webhook # validation and injection 27 | targetPort: 15017 28 | protocol: TCP 29 | - port: 15014 30 | name: http-monitoring # prometheus stats 31 | protocol: TCP 32 | selector: 33 | app: istiod 34 | {{- if ne .Values.revision "" }} 35 | istio.io/rev: {{ .Values.revision }} 36 | {{- else }} 37 | # Label used by the 'default' service. For versioned deployments we match with app and version. 38 | # This avoids default deployment picking the canary 39 | istio: pilot 40 | {{- end }} 41 | --- 42 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | {{- if .Values.global.imagePullSecrets }} 4 | imagePullSecrets: 5 | {{- range .Values.global.imagePullSecrets }} 6 | - name: {{ . 
}} 7 | {{- end }} 8 | {{- end }} 9 | metadata: 10 | name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 11 | namespace: {{ .Values.global.istioNamespace }} 12 | labels: 13 | app: istiod 14 | release: {{ .Release.Name }} 15 | --- 16 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.configValidation }} 2 | apiVersion: admissionregistration.k8s.io/v1 3 | kind: ValidatingWebhookConfiguration 4 | metadata: 5 | name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} 6 | labels: 7 | app: istiod 8 | release: {{ .Release.Name }} 9 | istio: istiod 10 | istio.io/rev: {{ .Values.revision | default "default" }} 11 | webhooks: 12 | # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks 13 | # are rejecting invalid configs on a per-revision basis. 14 | - name: rev.validation.istio.io 15 | clientConfig: 16 | # Should change from base but cannot for API compat 17 | {{- if .Values.base.validationURL }} 18 | url: {{ .Values.base.validationURL }} 19 | {{- else }} 20 | service: 21 | name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 22 | namespace: {{ .Values.global.istioNamespace }} 23 | path: "/validate" 24 | {{- end }} 25 | caBundle: "" # patched at runtime when the webhook is ready. 26 | rules: 27 | - operations: 28 | - CREATE 29 | - UPDATE 30 | apiGroups: 31 | - security.istio.io 32 | - networking.istio.io 33 | - telemetry.istio.io 34 | - extensions.istio.io 35 | apiVersions: 36 | - "*" 37 | resources: 38 | - "*" 39 | # Fail open until the validation webhook is ready. 
The webhook controller 40 | # will update this to `Fail` and patch in the `caBundle` when the webhook 41 | # endpoint is ready. 42 | failurePolicy: Ignore 43 | sideEffects: None 44 | admissionReviewVersions: ["v1beta1", "v1"] 45 | objectSelector: 46 | matchExpressions: 47 | - key: istio.io/rev 48 | operator: In 49 | values: 50 | {{- if (eq .Values.revision "") }} 51 | - "default" 52 | {{- else }} 53 | - "{{ .Values.revision }}" 54 | {{- end }} 55 | --- 56 | {{- end }} 57 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istio-operator 3 | # This version is never actually shipped. istio/release-builder will replace it at build-time 4 | # with the appropriate version 5 | version: 1.12.1 6 | appVersion: 1.12.1 7 | tillerVersion: ">=2.7.2" 8 | description: Helm chart for deploying Istio operator 9 | keywords: 10 | - istio 11 | - operator 12 | sources: 13 | - https://github.com/istio/istio/tree/master/operator 14 | engine: gotpl 15 | icon: https://istio.io/latest/favicons/android-192x192.png 16 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-operator/crds/crd-operator.yaml: -------------------------------------------------------------------------------- 1 | # SYNC WITH manifests/charts/base/files 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: istiooperators.install.istio.io 6 | labels: 7 | release: istio 8 | spec: 9 | conversion: 10 | strategy: None 11 | group: install.istio.io 12 | names: 13 | kind: IstioOperator 14 | listKind: IstioOperatorList 15 | plural: istiooperators 16 | singular: istiooperator 17 | shortNames: 18 | - iop 19 | - io 20 | scope: Namespaced 21 | versions: 22 | - additionalPrinterColumns: 23 | - description: Istio control plane 
revision 24 | jsonPath: .spec.revision 25 | name: Revision 26 | type: string 27 | - description: IOP current state 28 | jsonPath: .status.status 29 | name: Status 30 | type: string 31 | - description: 'CreationTimestamp is a timestamp representing the server time 32 | when this object was created. It is not guaranteed to be set in happens-before 33 | order across separate operations. Clients may not set this value. It is represented 34 | in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 35 | lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 36 | jsonPath: .metadata.creationTimestamp 37 | name: Age 38 | type: date 39 | name: v1alpha1 40 | subresources: 41 | status: {} 42 | schema: 43 | openAPIV3Schema: 44 | type: object 45 | x-kubernetes-preserve-unknown-fields: true 46 | served: true 47 | storage: true 48 | --- 49 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-operator/templates/clusterrole_binding.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 5 | subjects: 6 | - kind: ServiceAccount 7 | name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 8 | namespace: {{.Release.Namespace}} 9 | roleRef: 10 | kind: ClusterRole 11 | name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 12 | apiGroup: rbac.authorization.k8s.io 13 | --- 14 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-operator/templates/crds.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.enableCRDTemplates -}} 2 | {{- range $path, $bytes := 
.Files.Glob "crds/*.yaml" -}} 3 | --- 4 | {{ $.Files.Get $path }} 5 | {{- end -}} 6 | {{- end -}} 7 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-operator/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: {{.Release.Namespace}} 5 | name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 6 | spec: 7 | replicas: 1 8 | selector: 9 | matchLabels: 10 | name: istio-operator 11 | template: 12 | metadata: 13 | labels: 14 | name: istio-operator 15 | {{- range $key, $val := .Values.podLabels }} 16 | {{ $key }}: "{{ $val }}" 17 | {{- end }} 18 | {{- if .Values.podAnnotations }} 19 | annotations: 20 | {{ toYaml .Values.podAnnotations | indent 8 }} 21 | {{- end }} 22 | spec: 23 | serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 24 | containers: 25 | - name: istio-operator 26 | image: {{.Values.hub}}/operator:{{.Values.tag}} 27 | command: 28 | - operator 29 | - server 30 | securityContext: 31 | allowPrivilegeEscalation: false 32 | capabilities: 33 | drop: 34 | - ALL 35 | privileged: false 36 | readOnlyRootFilesystem: true 37 | runAsGroup: 1337 38 | runAsUser: 1337 39 | runAsNonRoot: true 40 | imagePullPolicy: IfNotPresent 41 | resources: 42 | {{ toYaml .Values.operator.resources | trim | indent 12 }} 43 | env: 44 | - name: WATCH_NAMESPACE 45 | value: {{.Values.watchedNamespaces | quote}} 46 | - name: LEADER_ELECTION_NAMESPACE 47 | value: {{.Release.Namespace | quote}} 48 | - name: POD_NAME 49 | valueFrom: 50 | fieldRef: 51 | fieldPath: metadata.name 52 | - name: OPERATOR_NAME 53 | value: {{.Release.Namespace | quote}} 54 | - name: WAIT_FOR_RESOURCES_TIMEOUT 55 | value: {{.Values.waitForResourcesTimeout | quote}} 56 | - name: REVISION 57 | value: {{.Values.revision | quote}} 58 | --- 59 
| -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-operator/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | namespace: {{.Release.Namespace}} 5 | labels: 6 | name: istio-operator 7 | name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 8 | spec: 9 | ports: 10 | - name: http-metrics 11 | port: 8383 12 | targetPort: 8383 13 | protocol: TCP 14 | selector: 15 | name: istio-operator 16 | --- 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-operator/templates/service_account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | namespace: {{.Release.Namespace}} 5 | name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 6 | {{- if .Values.imagePullSecrets }} 7 | imagePullSecrets: 8 | {{- range .Values.imagePullSecrets }} 9 | - name: {{ . }} 10 | {{- end }} 11 | {{- end }} 12 | --- 13 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istio-operator/values.yaml: -------------------------------------------------------------------------------- 1 | hub: docker.io/istio 2 | tag: 1.12.1 3 | 4 | # ImagePullSecrets for the operator ServiceAccount: a list of secrets in the same namespace 5 | # used to pull the operator image. Must be set for any cluster configured with a private Docker registry. 6 | imagePullSecrets: [] 7 | 8 | # Replaces istioNamespace so that the operator can watch multiple namespaces. 9 | watchedNamespaces: istio-system 10 | waitForResourcesTimeout: 300s 11 | 12 | # Used with Helm 2 to add the CRDs to the templates. 
13 | enableCRDTemplates: false 14 | 15 | # revision for the operator resources 16 | revision: "" 17 | 18 | # Operator resource defaults 19 | operator: 20 | resources: 21 | limits: 22 | cpu: 200m 23 | memory: 256Mi 24 | requests: 25 | cpu: 50m 26 | memory: 128Mi 27 | 28 | # Additional labels and annotations to apply on the pod level for monitoring and logging configuration. 29 | podLabels: {} 30 | podAnnotations: {} 31 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istiod-remote/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: istiod-remote 3 | # This version is never actually shipped. istio/release-builder will replace it at build-time 4 | # with the appropriate version 5 | version: 1.12.1 6 | appVersion: 1.12.1 7 | tillerVersion: ">=2.7.2" 8 | description: Helm chart for a remote cluster using an external istio control plane 9 | keywords: 10 | - istio 11 | - external-istiod 12 | sources: 13 | - http://github.com/istio/istio 14 | engine: gotpl 15 | icon: https://istio.io/latest/favicons/android-192x192.png 16 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istiod-remote/NOTES.txt: -------------------------------------------------------------------------------- 1 | Install for a remote cluster using an external control plane. 2 | 3 | The templates in this directory are copies of base and istio-discovery templates. 4 | DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen. 
5 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.configCluster }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 6 | labels: 7 | app: istiod 8 | release: {{ .Release.Name }} 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} 16 | namespace: {{ .Values.global.istioNamespace }} 17 | --- 18 | {{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRoleBinding 21 | metadata: 22 | name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 23 | labels: 24 | app: istiod 25 | release: {{ .Release.Name }} 26 | roleRef: 27 | apiGroup: rbac.authorization.k8s.io 28 | kind: ClusterRole 29 | name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 30 | subjects: 31 | - kind: ServiceAccount 32 | name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} 33 | namespace: {{ .Values.global.istioNamespace }} 34 | {{- end }} 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istiod-remote/templates/crd-operator.yaml: 
-------------------------------------------------------------------------------- 1 | {{- if .Values.global.configCluster }} 2 | # SYNC WITH manifests/charts/istio-operator/templates 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: istiooperators.install.istio.io 7 | labels: 8 | release: istio 9 | spec: 10 | conversion: 11 | strategy: None 12 | group: install.istio.io 13 | names: 14 | kind: IstioOperator 15 | listKind: IstioOperatorList 16 | plural: istiooperators 17 | singular: istiooperator 18 | shortNames: 19 | - iop 20 | - io 21 | scope: Namespaced 22 | versions: 23 | - additionalPrinterColumns: 24 | - description: Istio control plane revision 25 | jsonPath: .spec.revision 26 | name: Revision 27 | type: string 28 | - description: IOP current state 29 | jsonPath: .status.status 30 | name: Status 31 | type: string 32 | - description: 'CreationTimestamp is a timestamp representing the server time 33 | when this object was created. It is not guaranteed to be set in happens-before 34 | order across separate operations. Clients may not set this value. It is represented 35 | in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 36 | lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 37 | jsonPath: .metadata.creationTimestamp 38 | name: Age 39 | type: date 40 | subresources: 41 | status: {} 42 | name: v1alpha1 43 | schema: 44 | openAPIV3Schema: 45 | type: object 46 | x-kubernetes-preserve-unknown-fields: true 47 | served: true 48 | storage: true 49 | --- 50 | {{- end }} 51 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 5 | labels: 6 | app: istio-reader 7 | release: {{ .Release.Name }} 8 | rules: 9 | - apiGroups: 10 | - "config.istio.io" 11 | - "security.istio.io" 12 | - "networking.istio.io" 13 | - "authentication.istio.io" 14 | - "rbac.istio.io" 15 | resources: ["*"] 16 | verbs: ["get", "list", "watch"] 17 | - apiGroups: [""] 18 | resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] 19 | verbs: ["get", "list", "watch"] 20 | - apiGroups: ["networking.istio.io"] 21 | verbs: [ "get", "watch", "list" ] 22 | resources: [ "workloadentries" ] 23 | - apiGroups: ["apiextensions.k8s.io"] 24 | resources: ["customresourcedefinitions"] 25 | verbs: ["get", "list", "watch"] 26 | - apiGroups: ["discovery.k8s.io"] 27 | resources: ["endpointslices"] 28 | verbs: ["get", "list", "watch"] 29 | - apiGroups: ["multicluster.x-k8s.io"] 30 | resources: ["serviceexports"] 31 | verbs: ["get", "list", "watch"] 32 | - apiGroups: ["multicluster.x-k8s.io"] 33 | resources: ["serviceimports"] 34 | verbs: ["get", "list", "watch"] 35 | - apiGroups: ["apps"] 36 | resources: ["replicasets"] 37 | verbs: ["get", "list", "watch"] 38 | - 
apiGroups: ["authentication.k8s.io"] 39 | resources: ["tokenreviews"] 40 | verbs: ["create"] 41 | - apiGroups: ["authorization.k8s.io"] 42 | resources: ["subjectaccessreviews"] 43 | verbs: ["create"] 44 | {{- if .Values.global.externalIstiod }} 45 | - apiGroups: [""] 46 | resources: ["configmaps"] 47 | verbs: ["create", "get", "list", "watch", "update"] 48 | - apiGroups: ["admissionregistration.k8s.io"] 49 | resources: ["mutatingwebhookconfigurations"] 50 | verbs: ["get", "list", "watch", "update", "patch"] 51 | - apiGroups: ["admissionregistration.k8s.io"] 52 | resources: ["validatingwebhookconfigurations"] 53 | verbs: ["get", "list", "watch", "update"] 54 | {{- end}} 55 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 5 | labels: 6 | app: istio-reader 7 | release: {{ .Release.Name }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: istio-reader-service-account 15 | namespace: {{ .Values.global.istioNamespace }} 16 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | # This service account aggregates the reader permissions for all revisions in a given cluster. 2 | # It should be used for remote secret creation; note that the ClusterRole bound to it includes cluster-wide get/list/watch on core "secrets", so the resulting remote secret must be handled as a sensitive credential.
3 | apiVersion: v1 4 | kind: ServiceAccount 5 | {{- if .Values.global.imagePullSecrets }} 6 | imagePullSecrets: 7 | {{- range .Values.global.imagePullSecrets }} 8 | - name: {{ . }} 9 | {{- end }} 10 | {{- end }} 11 | metadata: 12 | name: istio-reader-service-account 13 | namespace: {{ .Values.global.istioNamespace }} 14 | labels: 15 | app: istio-reader 16 | release: {{ .Release.Name }} 17 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istiod-remote/templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.configCluster }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} 6 | namespace: {{ .Values.global.istioNamespace }} 7 | labels: 8 | app: istiod 9 | release: {{ .Release.Name }} 10 | rules: 11 | # permissions to verify the webhook is ready and rejecting 12 | # invalid config. We use --server-dry-run so no config is persisted. 
13 | - apiGroups: ["networking.istio.io"] 14 | verbs: ["create"] 15 | resources: ["gateways"] 16 | 17 | # For storing the CA secret 18 | - apiGroups: [""] 19 | resources: ["secrets"] 20 | # TODO: restrict this rule to the istio-ca-cert secret (e.g. via resourceNames) when the DNS cert mesh config is not in use; as written it grants create/get/watch/list/update/delete on every Secret in this namespace 21 | verbs: ["create", "get", "watch", "list", "update", "delete"] 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istiod-remote/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.configCluster }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} 6 | namespace: {{ .Values.global.istioNamespace }} 7 | labels: 8 | app: istiod 9 | release: {{ .Release.Name }} 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: Role 13 | name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} 14 | subjects: 15 | - kind: ServiceAccount 16 | name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 17 | namespace: {{ .Values.global.istioNamespace }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/charts/istiod-remote/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.configCluster }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | {{- if .Values.global.imagePullSecrets }} 5 | imagePullSecrets: 6 | {{- range .Values.global.imagePullSecrets }} 7 | - name: {{ . 
}} 8 | {{- end }} 9 | {{- end }} 10 | metadata: 11 | name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} 12 | namespace: {{ .Values.global.istioNamespace }} 13 | labels: 14 | app: istiod 15 | release: {{ .Release.Name }} 16 | --- 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: install.istio.io/v1alpha1 3 | kind: IstioOperator 4 | metadata: 5 | namespace: istio-system 6 | name: example-istiocontrolplane 7 | spec: 8 | profile: demo 9 | ... 10 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/examples/user-gateway/ingress-gateway-only.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | profile: empty 5 | components: 6 | ingressGateways: 7 | - enabled: true 8 | namespace: my-namespace 9 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/profiles/demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | meshConfig: 5 | accessLogFile: /dev/stdout 6 | components: 7 | egressGateways: 8 | - name: istio-egressgateway 9 | enabled: true 10 | k8s: 11 | resources: 12 | requests: 13 | cpu: 10m 14 | memory: 40Mi 15 | 16 | ingressGateways: 17 | - name: istio-ingressgateway 18 | enabled: true 19 | k8s: 20 | resources: 21 | requests: 22 | cpu: 10m 23 | memory: 40Mi 24 | service: 25 | ports: 26 | ## You can add custom gateway ports in user values overrides, but the override must also repeat the ports listed here, because Helm replaces the whole list rather than merging it. 
27 | # Note that AWS ELB will by default perform health checks on the first port 28 | # on this list. Setting this to the health check port will ensure that health 29 | # checks always work. https://github.com/istio/istio/issues/12503 30 | - port: 15021 31 | targetPort: 15021 32 | name: status-port 33 | - port: 80 34 | targetPort: 8080 35 | name: http2 36 | - port: 443 37 | targetPort: 8443 38 | name: https 39 | - port: 31400 40 | targetPort: 31400 41 | name: tcp 42 | # This is the port where sni routing happens 43 | - port: 15443 44 | targetPort: 15443 45 | name: tls 46 | 47 | pilot: 48 | k8s: 49 | env: 50 | - name: PILOT_TRACE_SAMPLING 51 | value: "100" 52 | resources: 53 | requests: 54 | cpu: 10m 55 | memory: 100Mi 56 | 57 | values: 58 | global: 59 | proxy: 60 | resources: 61 | requests: 62 | cpu: 10m 63 | memory: 40Mi 64 | 65 | pilot: 66 | autoscaleEnabled: false 67 | 68 | gateways: 69 | istio-egressgateway: 70 | autoscaleEnabled: false 71 | istio-ingressgateway: 72 | autoscaleEnabled: false 73 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/profiles/empty.yaml: -------------------------------------------------------------------------------- 1 | # The empty profile has everything disabled 2 | # This is useful as a base for custom user configuration 3 | apiVersion: install.istio.io/v1alpha1 4 | kind: IstioOperator 5 | spec: 6 | components: 7 | base: 8 | enabled: false 9 | pilot: 10 | enabled: false 11 | ingressGateways: 12 | - name: istio-ingressgateway 13 | enabled: false 14 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/profiles/external.yaml: -------------------------------------------------------------------------------- 1 | # The external profile is used to configure a mesh using an external control plane. 2 | # Only the injector mutating webhook configuration is installed. 
3 | apiVersion: install.istio.io/v1alpha1 4 | kind: IstioOperator 5 | spec: 6 | components: 7 | base: 8 | enabled: false 9 | pilot: 10 | enabled: false 11 | ingressGateways: 12 | - name: istio-ingressgateway 13 | enabled: false 14 | istiodRemote: 15 | enabled: true 16 | values: 17 | global: 18 | externalIstiod: true 19 | omitSidecarInjectorConfigMap: true 20 | configCluster: false 21 | pilot: 22 | configMap: false 23 | telemetry: 24 | enabled: false 25 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/profiles/minimal.yaml: -------------------------------------------------------------------------------- 1 | # The minimal profile will install just the core control plane 2 | apiVersion: install.istio.io/v1alpha1 3 | kind: IstioOperator 4 | spec: 5 | components: 6 | ingressGateways: 7 | - name: istio-ingressgateway 8 | enabled: false 9 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/profiles/openshift.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | components: 5 | cni: 6 | enabled: true 7 | namespace: kube-system 8 | k8s: 9 | overlays: 10 | - kind: DaemonSet 11 | name: istio-cni-node 12 | patches: 13 | - path: spec.template.spec.containers[0].securityContext.privileged 14 | value: true 15 | values: 16 | cni: 17 | cniBinDir: /var/lib/cni/bin 18 | cniConfDir: /etc/cni/multus/net.d 19 | chained: false 20 | cniConfFileName: "istio-cni.conf" 21 | excludeNamespaces: 22 | - istio-system 23 | - kube-system 24 | logLevel: info 25 | sidecarInjectorWebhook: 26 | injectedAnnotations: 27 | k8s.v1.cni.cncf.io/networks: istio-cni 28 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/profiles/preview.yaml: -------------------------------------------------------------------------------- 1 | # The 
preview profile contains features that are experimental. 2 | # This is intended to explore new features coming to Istio. 3 | # Stability, security, and performance are not guaranteed - use at your own risk. 4 | apiVersion: install.istio.io/v1alpha1 5 | kind: IstioOperator 6 | spec: 7 | meshConfig: 8 | defaultConfig: 9 | proxyMetadata: 10 | # Enable Istio agent to handle DNS requests for known hosts 11 | # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf 12 | ISTIO_META_DNS_CAPTURE: "true" 13 | # Enable dynamic bootstrap generation. 14 | BOOTSTRAP_XDS_AGENT: "true" 15 | values: 16 | telemetry: 17 | v2: 18 | metadataExchange: 19 | wasmEnabled: true 20 | prometheus: 21 | wasmEnabled: true 22 | -------------------------------------------------------------------------------- /istio-1.12.1/manifests/profiles/remote.yaml: -------------------------------------------------------------------------------- 1 | # Deprecated. Use the `default` profile instead. 2 | apiVersion: install.istio.io/v1alpha1 3 | kind: IstioOperator 4 | spec: {} 5 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/README.md: -------------------------------------------------------------------------------- 1 | # Istio Samples 2 | 3 | This directory contains sample applications highlighting various Istio features. 
4 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/addons/extras/prometheus-operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: PodMonitor 3 | metadata: 4 | name: envoy-stats-monitor 5 | namespace: istio-system 6 | labels: 7 | monitoring: istio-proxies 8 | release: istio 9 | spec: 10 | selector: 11 | matchExpressions: 12 | - {key: istio-prometheus-ignore, operator: DoesNotExist} 13 | namespaceSelector: 14 | any: true 15 | jobLabel: envoy-stats 16 | podMetricsEndpoints: 17 | - path: /stats/prometheus 18 | interval: 15s 19 | relabelings: 20 | - action: keep 21 | sourceLabels: [__meta_kubernetes_pod_container_name] 22 | regex: "istio-proxy" 23 | - action: keep 24 | sourceLabels: [__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape] 25 | - sourceLabels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 26 | action: replace 27 | regex: ([^:]+)(?::\d+)?;(\d+) 28 | replacement: $1:$2 29 | targetLabel: __address__ 30 | - action: labeldrop 31 | regex: "__meta_kubernetes_pod_label_(.+)" 32 | - sourceLabels: [__meta_kubernetes_namespace] 33 | action: replace 34 | targetLabel: namespace 35 | - sourceLabels: [__meta_kubernetes_pod_name] 36 | action: replace 37 | targetLabel: pod_name 38 | --- 39 | apiVersion: monitoring.coreos.com/v1 40 | kind: ServiceMonitor 41 | metadata: 42 | name: istio-component-monitor 43 | namespace: istio-system 44 | labels: 45 | monitoring: istio-components 46 | release: istio 47 | spec: 48 | jobLabel: istio 49 | targetLabels: [app] 50 | selector: 51 | matchExpressions: 52 | - {key: istio, operator: In, values: [pilot]} 53 | namespaceSelector: 54 | any: true 55 | endpoints: 56 | - port: http-monitoring 57 | interval: 15s 58 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/addons/extras/zipkin.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: zipkin 5 | namespace: istio-system 6 | labels: 7 | app: zipkin 8 | spec: 9 | selector: 10 | matchLabels: 11 | app: zipkin 12 | template: 13 | metadata: 14 | labels: 15 | app: zipkin 16 | annotations: 17 | sidecar.istio.io/inject: "false" 18 | spec: 19 | containers: 20 | - name: zipkin 21 | image: openzipkin/zipkin-slim:2.23.0 22 | env: 23 | - name: STORAGE_METHOD 24 | value: "mem" 25 | readinessProbe: 26 | httpGet: 27 | path: /health 28 | port: 9411 29 | initialDelaySeconds: 5 30 | periodSeconds: 5 31 | --- 32 | apiVersion: v1 33 | kind: Service 34 | metadata: 35 | name: tracing 36 | namespace: istio-system 37 | labels: 38 | app: zipkin 39 | spec: 40 | type: ClusterIP 41 | ports: 42 | - name: http-query 43 | port: 80 44 | protocol: TCP 45 | targetPort: 9411 46 | selector: 47 | app: zipkin 48 | --- 49 | apiVersion: v1 50 | kind: Service 51 | metadata: 52 | labels: 53 | name: zipkin 54 | name: zipkin 55 | namespace: istio-system 56 | spec: 57 | ports: 58 | - port: 9411 59 | targetPort: 9411 60 | name: http-query 61 | selector: 62 | app: zipkin 63 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/bookinfo-gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: bookinfo-gateway 5 | spec: 6 | selector: 7 | istio: ingressgateway # use istio default controller 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - "*" 15 | --- 16 | apiVersion: networking.istio.io/v1alpha3 17 | kind: VirtualService 18 | metadata: 19 | name: bookinfo 20 | spec: 21 | hosts: 22 | - "*" 23 | gateways: 24 | - bookinfo-gateway 25 | http: 26 | - match: 27 | - uri: 28 | exact: /productpage 29 | - uri: 30 | 
prefix: /static 31 | - uri: 32 | exact: /login 33 | - uri: 34 | exact: /logout 35 | - uri: 36 | prefix: /api/v1/products 37 | route: 38 | - destination: 39 | host: productpage 40 | port: 41 | number: 9080 42 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/certmanager-gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: cert-manager-gateway 5 | namespace: istio-system 6 | spec: 7 | selector: 8 | istio: ingressgateway 9 | servers: 10 | - port: 11 | number: 80 12 | name: http 13 | protocol: HTTP 14 | hosts: 15 | - "*" 16 | --- 17 | apiVersion: networking.istio.io/v1alpha3 18 | kind: VirtualService 19 | metadata: 20 | name: cert-manager 21 | namespace: istio-system 22 | spec: 23 | hosts: 24 | - "*" 25 | gateways: 26 | - cert-manager-gateway 27 | http: 28 | - match: 29 | - uri: 30 | prefix: /.well-known/acme-challenge/ 31 | route: 32 | - destination: 33 | host: cert-manager-resolver 34 | port: 35 | number: 8089 36 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/destination-rule-all-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: DestinationRule 3 | metadata: 4 | name: productpage 5 | spec: 6 | host: productpage 7 | trafficPolicy: 8 | tls: 9 | mode: ISTIO_MUTUAL 10 | subsets: 11 | - name: v1 12 | labels: 13 | version: v1 14 | --- 15 | apiVersion: networking.istio.io/v1alpha3 16 | kind: DestinationRule 17 | metadata: 18 | name: reviews 19 | spec: 20 | host: reviews 21 | trafficPolicy: 22 | tls: 23 | mode: ISTIO_MUTUAL 24 | subsets: 25 | - name: v1 26 | labels: 27 | version: v1 28 | - name: v2 29 | labels: 30 | version: v2 31 | - name: v3 32 | labels: 33 | version: v3 34 | --- 35 | apiVersion: 
networking.istio.io/v1alpha3 36 | kind: DestinationRule 37 | metadata: 38 | name: ratings 39 | spec: 40 | host: ratings 41 | trafficPolicy: 42 | tls: 43 | mode: ISTIO_MUTUAL 44 | subsets: 45 | - name: v1 46 | labels: 47 | version: v1 48 | - name: v2 49 | labels: 50 | version: v2 51 | - name: v2-mysql 52 | labels: 53 | version: v2-mysql 54 | - name: v2-mysql-vm 55 | labels: 56 | version: v2-mysql-vm 57 | --- 58 | apiVersion: networking.istio.io/v1alpha3 59 | kind: DestinationRule 60 | metadata: 61 | name: details 62 | spec: 63 | host: details 64 | trafficPolicy: 65 | tls: 66 | mode: ISTIO_MUTUAL 67 | subsets: 68 | - name: v1 69 | labels: 70 | version: v1 71 | - name: v2 72 | labels: 73 | version: v2 74 | --- 75 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/destination-rule-all.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: DestinationRule 3 | metadata: 4 | name: productpage 5 | spec: 6 | host: productpage 7 | subsets: 8 | - name: v1 9 | labels: 10 | version: v1 11 | --- 12 | apiVersion: networking.istio.io/v1alpha3 13 | kind: DestinationRule 14 | metadata: 15 | name: reviews 16 | spec: 17 | host: reviews 18 | subsets: 19 | - name: v1 20 | labels: 21 | version: v1 22 | - name: v2 23 | labels: 24 | version: v2 25 | - name: v3 26 | labels: 27 | version: v3 28 | --- 29 | apiVersion: networking.istio.io/v1alpha3 30 | kind: DestinationRule 31 | metadata: 32 | name: ratings 33 | spec: 34 | host: ratings 35 | subsets: 36 | - name: v1 37 | labels: 38 | version: v1 39 | - name: v2 40 | labels: 41 | version: v2 42 | - name: v2-mysql 43 | labels: 44 | version: v2-mysql 45 | - name: v2-mysql-vm 46 | labels: 47 | version: v2-mysql-vm 48 | --- 49 | apiVersion: networking.istio.io/v1alpha3 50 | kind: DestinationRule 51 | metadata: 52 | name: details 53 | spec: 54 | host: details 55 | subsets: 56 | - name: v1 57 
| labels: 58 | version: v1 59 | - name: v2 60 | labels: 61 | version: v2 62 | --- 63 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/destination-rule-reviews.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: DestinationRule 3 | metadata: 4 | name: reviews 5 | spec: 6 | host: reviews 7 | trafficPolicy: 8 | loadBalancer: 9 | simple: RANDOM 10 | subsets: 11 | - name: v1 12 | labels: 13 | version: v1 14 | - name: v2 15 | labels: 16 | version: v2 17 | - name: v3 18 | labels: 19 | version: v3 20 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/egress-rule-google-apis.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: ServiceEntry 3 | metadata: 4 | name: googleapis 5 | spec: 6 | hosts: 7 | - www.googleapis.com 8 | ports: 9 | - number: 80 10 | name: http 11 | protocol: HTTP 12 | - number: 443 13 | name: https 14 | protocol: HTTPS 15 | resolution: DNS 16 | --- 17 | apiVersion: networking.istio.io/v1alpha3 18 | kind: VirtualService 19 | metadata: 20 | name: rewrite-port-for-googleapis 21 | spec: 22 | hosts: 23 | - www.googleapis.com 24 | http: 25 | - match: 26 | - port: 80 27 | route: 28 | - destination: 29 | host: www.googleapis.com 30 | port: 31 | number: 443 32 | --- 33 | apiVersion: networking.istio.io/v1alpha3 34 | kind: DestinationRule 35 | metadata: 36 | name: originate-tls-for-googleapis 37 | spec: 38 | host: www.googleapis.com 39 | trafficPolicy: 40 | loadBalancer: 41 | simple: ROUND_ROBIN 42 | portLevelSettings: 43 | - port: 44 | number: 443 45 | tls: 46 | mode: SIMPLE # initiates HTTPS when accessing www.googleapis.com 47 | -------------------------------------------------------------------------------- 
/istio-1.12.1/samples/bookinfo/networking/fault-injection-details-v1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: details 5 | spec: 6 | hosts: 7 | - details 8 | http: 9 | - fault: 10 | abort: 11 | httpStatus: 555 12 | percentage: 13 | value: 100 14 | route: 15 | - destination: 16 | host: details 17 | subset: v1 18 | - route: 19 | - destination: 20 | host: details 21 | subset: v1 22 | --- 23 | apiVersion: networking.istio.io/v1alpha3 24 | kind: DestinationRule 25 | metadata: 26 | name: details 27 | spec: 28 | host: details 29 | subsets: 30 | - name: v1 31 | labels: 32 | version: v1 -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-all-v1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: productpage 5 | spec: 6 | hosts: 7 | - productpage 8 | http: 9 | - route: 10 | - destination: 11 | host: productpage 12 | subset: v1 13 | --- 14 | apiVersion: networking.istio.io/v1alpha3 15 | kind: VirtualService 16 | metadata: 17 | name: reviews 18 | spec: 19 | hosts: 20 | - reviews 21 | http: 22 | - route: 23 | - destination: 24 | host: reviews 25 | subset: v1 26 | --- 27 | apiVersion: networking.istio.io/v1alpha3 28 | kind: VirtualService 29 | metadata: 30 | name: ratings 31 | spec: 32 | hosts: 33 | - ratings 34 | http: 35 | - route: 36 | - destination: 37 | host: ratings 38 | subset: v1 39 | --- 40 | apiVersion: networking.istio.io/v1alpha3 41 | kind: VirtualService 42 | metadata: 43 | name: details 44 | spec: 45 | hosts: 46 | - details 47 | http: 48 | - route: 49 | - destination: 50 | host: details 51 | subset: v1 52 | --- 53 | -------------------------------------------------------------------------------- 
/istio-1.12.1/samples/bookinfo/networking/virtual-service-details-v2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: details 5 | spec: 6 | hosts: 7 | - details 8 | http: 9 | - route: 10 | - destination: 11 | host: details 12 | subset: v2 13 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-ratings-db.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | spec: 6 | hosts: 7 | - reviews 8 | http: 9 | - route: 10 | - destination: 11 | host: reviews 12 | subset: v3 13 | --- 14 | apiVersion: networking.istio.io/v1alpha3 15 | kind: VirtualService 16 | metadata: 17 | name: ratings 18 | spec: 19 | hosts: 20 | - ratings 21 | http: 22 | - route: 23 | - destination: 24 | host: ratings 25 | subset: v2 26 | --- 27 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | spec: 6 | hosts: 7 | - reviews 8 | http: 9 | - route: 10 | - destination: 11 | host: reviews 12 | subset: v3 13 | --- 14 | apiVersion: networking.istio.io/v1alpha3 15 | kind: VirtualService 16 | metadata: 17 | name: ratings 18 | spec: 19 | hosts: 20 | - ratings 21 | http: 22 | - route: 23 | - destination: 24 | host: ratings 25 | subset: v2-mysql-vm 26 | --- 27 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | spec: 6 | hosts: 7 | - reviews 8 | http: 9 | - route: 10 | - destination: 11 | host: reviews 12 | subset: v3 13 | --- 14 | apiVersion: networking.istio.io/v1alpha3 15 | kind: VirtualService 16 | metadata: 17 | name: ratings 18 | spec: 19 | hosts: 20 | - ratings 21 | http: 22 | - route: 23 | - destination: 24 | host: ratings 25 | subset: v2-mysql 26 | --- 27 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: ratings 5 | spec: 6 | hosts: 7 | - ratings 8 | http: 9 | - match: 10 | - headers: 11 | end-user: 12 | exact: jason 13 | fault: 14 | abort: 15 | percentage: 16 | value: 100.0 17 | httpStatus: 500 18 | route: 19 | - destination: 20 | host: ratings 21 | subset: v1 22 | - route: 23 | - destination: 24 | host: ratings 25 | subset: v1 26 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: ratings 5 | spec: 6 | hosts: 7 | - ratings 8 | http: 9 | - match: 10 | - headers: 11 | end-user: 12 | exact: jason 13 | fault: 14 | delay: 15 | percentage: 16 | value: 100.0 17 | fixedDelay: 7s 18 | route: 19 | - destination: 20 | host: ratings 21 | subset: v1 22 | - route: 23 | - destination: 24 | host: ratings 25 | subset: v1 26 | -------------------------------------------------------------------------------- 
/istio-1.12.1/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | spec: 6 | hosts: 7 | - reviews 8 | http: 9 | - route: 10 | - destination: 11 | host: reviews 12 | subset: v1 13 | weight: 50 14 | - destination: 15 | host: reviews 16 | subset: v3 17 | weight: 50 18 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | spec: 6 | hosts: 7 | - reviews 8 | http: 9 | - route: 10 | - destination: 11 | host: reviews 12 | subset: v1 13 | weight: 80 14 | - destination: 15 | host: reviews 16 | subset: v2 17 | weight: 20 18 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | spec: 6 | hosts: 7 | - reviews 8 | http: 9 | - route: 10 | - destination: 11 | host: reviews 12 | subset: v1 13 | weight: 90 14 | - destination: 15 | host: reviews 16 | subset: v2 17 | weight: 10 18 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | spec: 6 | hosts: 7 | - reviews 8 | http: 9 | - match: 10 | - headers: 11 | end-user: 12 
| exact: jason 13 | route: 14 | - destination: 15 | host: reviews 16 | subset: v2 17 | - route: 18 | - destination: 19 | host: reviews 20 | subset: v3 21 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | spec: 6 | hosts: 7 | - reviews 8 | http: 9 | - match: 10 | - headers: 11 | end-user: 12 | exact: jason 13 | route: 14 | - destination: 15 | host: reviews 16 | subset: v2 17 | - route: 18 | - destination: 19 | host: reviews 20 | subset: v1 21 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | spec: 6 | hosts: 7 | - reviews 8 | http: 9 | - route: 10 | - destination: 11 | host: reviews 12 | subset: v2 13 | weight: 50 14 | - destination: 15 | host: reviews 16 | subset: v3 17 | weight: 50 18 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/networking/virtual-service-reviews-v3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: reviews 5 | spec: 6 | hosts: 7 | - reviews 8 | http: 9 | - route: 10 | - destination: 11 | host: reviews 12 | subset: v3 13 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/README.md: -------------------------------------------------------------------------------- 1 | See the [Bookinfo 
guide](https://istio.io/docs/guides/bookinfo.html) in Istio 2 | docs for instructions on how to run this demo application. 3 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/bookinfo-certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: certmanager.k8s.io/v1alpha1 3 | kind: ClusterIssuer 4 | metadata: 5 | name: letsencrypt-staging 6 | namespace: istio-system 7 | spec: 8 | acme: 9 | # The ACME server URL 10 | server: https://acme-staging-v02.api.letsencrypt.org/directory 11 | # Email address used for ACME registration 12 | email: stage@istio.io 13 | # Name of a secret used to store the ACME account private key 14 | privateKeySecretRef: 15 | name: letsencrypt-staging 16 | # Enable the HTTP-01 challenge provider 17 | http01: {} 18 | --- 19 | apiVersion: certmanager.k8s.io/v1alpha1 20 | kind: Certificate 21 | metadata: 22 | name: istio-ingressgateway-certs 23 | namespace: istio-system 24 | spec: 25 | secretName: istio-ingressgateway-certs 26 | issuerRef: 27 | name: letsencrypt-staging 28 | kind: ClusterIssuer 29 | commonName: bookinfo.example.com 30 | dnsNames: 31 | - bookinfo.example.com 32 | acme: 33 | config: 34 | - http01: 35 | ingressClass: none 36 | domains: 37 | - bookinfo.example.com 38 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/bookinfo-db.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | apiVersion: v1 16 | kind: Service 17 | metadata: 18 | name: mongodb 19 | labels: 20 | app: mongodb 21 | service: mongodb 22 | spec: 23 | ports: 24 | - port: 27017 25 | name: mongo 26 | selector: 27 | app: mongodb 28 | --- 29 | apiVersion: apps/v1 30 | kind: Deployment 31 | metadata: 32 | name: mongodb-v1 33 | labels: 34 | app: mongodb 35 | version: v1 36 | spec: 37 | replicas: 1 38 | selector: 39 | matchLabels: 40 | app: mongodb 41 | version: v1 42 | template: 43 | metadata: 44 | labels: 45 | app: mongodb 46 | version: v1 47 | spec: 48 | containers: 49 | - name: mongodb 50 | image: docker.io/istio/examples-bookinfo-mongodb:1.16.2 51 | imagePullPolicy: IfNotPresent 52 | ports: 53 | - containerPort: 27017 54 | volumeMounts: 55 | - name: data-db 56 | mountPath: /data/db 57 | volumes: 58 | - name: data-db 59 | emptyDir: {} 60 | --- 61 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ################################################################################################## 16 | # Details service v2 17 | ################################################################################################## 18 | apiVersion: apps/v1 19 | kind: Deployment 20 | metadata: 21 | name: details-v2 22 | labels: 23 | app: details 24 | version: v2 25 | spec: 26 | replicas: 1 27 | selector: 28 | matchLabels: 29 | app: details 30 | version: v2 31 | template: 32 | metadata: 33 | labels: 34 | app: details 35 | version: v2 36 | spec: 37 | containers: 38 | - name: details 39 | image: docker.io/istio/examples-bookinfo-details-v2:1.16.2 40 | imagePullPolicy: IfNotPresent 41 | ports: 42 | - containerPort: 9080 43 | env: 44 | - name: DO_NOT_ENCRYPT 45 | value: "true" 46 | securityContext: 47 | runAsUser: 1000 48 | --- 49 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/bookinfo-details.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ################################################################################################## 16 | # Details service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: details 22 | labels: 23 | app: details 24 | service: details 25 | spec: 26 | ports: 27 | - port: 9080 28 | name: http 29 | selector: 30 | app: details 31 | --- 32 | apiVersion: apps/v1 33 | kind: Deployment 34 | metadata: 35 | name: details-v1 36 | labels: 37 | app: details 38 | version: v1 39 | spec: 40 | replicas: 1 41 | selector: 42 | matchLabels: 43 | app: details 44 | version: v1 45 | template: 46 | metadata: 47 | labels: 48 | app: details 49 | version: v1 50 | spec: 51 | containers: 52 | - name: details 53 | image: docker.io/istio/examples-bookinfo-details-v1:1.16.2 54 | imagePullPolicy: IfNotPresent 55 | ports: 56 | - containerPort: 9080 57 | securityContext: 58 | runAsUser: 1000 59 | --- 60 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/bookinfo-ingress.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ########################################################################### 16 | # Ingress resource (gateway) 17 | ########################################################################## 18 | apiVersion: networking.k8s.io/v1beta1 19 | kind: Ingress 20 | metadata: 21 | name: gateway 22 | annotations: 23 | kubernetes.io/ingress.class: "istio" 24 | spec: 25 | rules: 26 | - http: 27 | paths: 28 | - path: /productpage 29 | backend: 30 | serviceName: productpage 31 | servicePort: 9080 32 | - path: /static/* 33 | backend: 34 | serviceName: productpage 35 | servicePort: 9080 36 | - path: /login 37 | backend: 38 | serviceName: productpage 39 | servicePort: 9080 40 | - path: /logout 41 | backend: 42 | serviceName: productpage 43 | servicePort: 9080 44 | - path: /api/v1/products.* 45 | backend: 46 | serviceName: productpage 47 | servicePort: 9080 48 | --- 49 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ################################################################################################## 16 | # Ratings service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: ratings 22 | labels: 23 | app: ratings 24 | service: ratings 25 | spec: 26 | ports: 27 | - port: 9080 28 | name: http 29 | selector: 30 | app: ratings 31 | --- 32 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | name: ratings-v2-mysql-vm 19 | labels: 20 | app: ratings 21 | version: v2-mysql-vm 22 | spec: 23 | replicas: 1 24 | selector: 25 | matchLabels: 26 | app: ratings 27 | version: v2-mysql-vm 28 | template: 29 | metadata: 30 | labels: 31 | app: ratings 32 | version: v2-mysql-vm 33 | spec: 34 | containers: 35 | - name: ratings 36 | image: docker.io/istio/examples-bookinfo-ratings-v2:1.16.2 37 | imagePullPolicy: IfNotPresent 38 | env: 39 | # The root credentials below are sample values only; outside this demo, supply MYSQL_DB_USER/MYSQL_DB_PASSWORD from a Secret (valueFrom.secretKeyRef) rather than plain env values. This assumes you registered your MySQL VM as 40 | # istioctl register -n vm mysqldb 1.2.3.4 3306 41 | - name: DB_TYPE 42 | value: "mysql" 43 | - name: MYSQL_DB_HOST 44 | value: mysqldb.vm.svc.cluster.local 45 | - name: MYSQL_DB_PORT 46 | value: "3306" 47 | - name: MYSQL_DB_USER 48 | value: root 49 | - name: MYSQL_DB_PASSWORD 50 | value: password 51 | ports: 52 | - containerPort: 9080 53 | securityContext: 54 | runAsUser: 1000 55 | --- 56 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | name: ratings-v2-mysql 19 | labels: 20 | app: ratings 21 | version: v2-mysql 22 | spec: 23 | replicas: 1 24 | selector: 25 | matchLabels: 26 | app: ratings 27 | version: v2-mysql 28 | template: 29 | metadata: 30 | labels: 31 | app: ratings 32 | version: v2-mysql 33 | spec: 34 | containers: 35 | - name: ratings 36 | image: docker.io/istio/examples-bookinfo-ratings-v2:1.16.2 37 | imagePullPolicy: IfNotPresent 38 | env: 39 | # ratings-v2 uses mongodb as the default db backend. 40 | # If you would like to use mysqldb instead, use this file, 41 | # which sets DB_TYPE = 'mysql' and the rest of the parameters shown 42 | # here, and also create the mysqldb service using bookinfo-mysql.yaml. 43 | # NOTE: This file is mutually exclusive with bookinfo-ratings-v2.yaml. The root credentials below are sample values only; outside this demo, supply MYSQL_DB_USER/MYSQL_DB_PASSWORD from a Secret (valueFrom.secretKeyRef) rather than plain env values. 44 | - name: DB_TYPE 45 | value: "mysql" 46 | - name: MYSQL_DB_HOST 47 | value: mysqldb 48 | - name: MYSQL_DB_PORT 49 | value: "3306" 50 | - name: MYSQL_DB_USER 51 | value: root 52 | - name: MYSQL_DB_PASSWORD 53 | value: password 54 | ports: 55 | - containerPort: 9080 56 | securityContext: 57 | runAsUser: 1000 58 | --- 59 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/bookinfo-ratings.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ################################################################################################## 16 | # Ratings service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: ratings 22 | labels: 23 | app: ratings 24 | service: ratings 25 | spec: 26 | ports: 27 | - port: 9080 28 | name: http 29 | selector: 30 | app: ratings 31 | --- 32 | apiVersion: apps/v1 33 | kind: Deployment 34 | metadata: 35 | name: ratings-v1 36 | labels: 37 | app: ratings 38 | version: v1 39 | spec: 40 | replicas: 1 41 | selector: 42 | matchLabels: 43 | app: ratings 44 | version: v1 45 | template: 46 | metadata: 47 | labels: 48 | app: ratings 49 | version: v1 50 | spec: 51 | containers: 52 | - name: ratings 53 | image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2 54 | imagePullPolicy: IfNotPresent 55 | ports: 56 | - containerPort: 9080 57 | securityContext: 58 | runAsUser: 1000 59 | --- 60 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | ################################################################################################## 16 | # Reviews service v2 17 | ################################################################################################## 18 | apiVersion: apps/v1 19 | kind: Deployment 20 | metadata: 21 | name: reviews-v2 22 | labels: 23 | app: reviews 24 | version: v2 25 | spec: 26 | replicas: 1 27 | selector: 28 | matchLabels: 29 | app: reviews 30 | version: v2 31 | template: 32 | metadata: 33 | labels: 34 | app: reviews 35 | version: v2 36 | spec: 37 | containers: 38 | - name: reviews 39 | image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2 40 | imagePullPolicy: IfNotPresent 41 | env: 42 | - name: LOG_DIR 43 | value: "/tmp/logs" 44 | ports: 45 | - containerPort: 9080 46 | volumeMounts: 47 | - name: tmp 48 | mountPath: /tmp 49 | - name: wlp-output 50 | mountPath: /opt/ibm/wlp/output 51 | securityContext: 52 | runAsUser: 1000 53 | volumes: 54 | - name: wlp-output 55 | emptyDir: {} 56 | - name: tmp 57 | emptyDir: {} 58 | --- 59 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/platform/kube/productpage-nodeport.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | ################################################################################################## 16 | # Productpage services 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: productpage 22 | labels: 23 | app: productpage 24 | service: productpage 25 | spec: 26 | type: NodePort 27 | ports: 28 | - port: 9080 29 | name: http 30 | selector: 31 | app: productpage 32 | --- 33 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/src/mongodb/ratings_data.json: -------------------------------------------------------------------------------- 1 | {rating: 5} 2 | {rating: 4} 3 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/src/mongodb/script.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Copyright Istio Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | 17 | set -e 18 | mongoimport --host localhost --db test --collection ratings --drop --file /app/data/ratings_data.json 19 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/src/productpage/requirements.txt: -------------------------------------------------------------------------------- 1 | certifi==2019.3.9 2 | chardet==3.0.4 3 | Click==7.0 4 | contextlib2==0.5.5 5 | dominate==2.3.5 6 | Flask==1.0.2 7 | Flask-Bootstrap==3.3.7.1 8 | Flask-JSON==0.3.3 9 | future==0.17.1 10 | futures==3.1.1 11 | gevent==1.4.0 12 | greenlet==0.4.15 13 | idna==2.8 14 | itsdangerous==1.1.0 15 | jaeger-client==3.13.0 16 | Jinja2==2.11.3 17 | json2html==1.2.1 18 | MarkupSafe==0.23 19 | nose==1.3.7 20 | opentracing==1.2.2 21 | opentracing-instrumentation==2.4.3 22 | requests==2.21.0 23 | simplejson==3.16.0 24 | six==1.12.0 25 | threadloop==1.0.2 26 | thrift==0.11.0 27 | tornado==4.5.3 28 | urllib3==1.26.5 29 | visitor==0.1.3 30 | Werkzeug==0.15.5 31 | wrapt==1.11.1 32 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/src/productpage/test-requirements.txt: -------------------------------------------------------------------------------- 1 | requests-mock==1.5.2 2 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/bookinfo/src/ratings/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "scripts": { 3 | "start": "node ratings.js" 4 | }, 5 | "dependencies": { 6 | "httpdispatcher": "1.0.0", 7 | "mongodb": "^3.6.0", 8 | "mysql": "^2.15.0" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/certs/README.md: -------------------------------------------------------------------------------- 1 | # Istio plugin CA sample certificates 2 | 3 | This directory contains sample pre-generated certificate and 
keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such 4 | a deployment, Citadel acts as an intermediate certificate authority (CA), under the given root CA. Because these certificates and private keys are published with the samples, they are for demonstration only and must not be trusted in any real deployment. 5 | Instructions are available [here](https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/). 6 | 7 | The included sample files are: 8 | 9 | - `root-cert.pem`: root CA certificate. 10 | - `root-cert-alt.pem`: alternative root CA certificate. 11 | - `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key. 12 | - `ca-[cert-alt|key-alt].pem`: alternative intermediate certificate and corresponding private key. 13 | - `cert-chain.pem`: certificate trust chain. 14 | - `cert-chain-alt.pem`: alternative certificate chain. 15 | - `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`. 16 | - `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`. 
17 | 18 | The workload cert and key are generated by: 19 | 20 | ```shell script 21 | ./generate-workload.sh foo 22 | ./generate-workload.sh bar 23 | ``` 24 | 25 | To generate certs signed by the alternative root `root-cert-alt.pem` 26 | 27 | ```shell script 28 | ./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root 29 | ./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root 30 | ``` 31 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/certs/ca-cert-alt.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFSjCCAzKgAwIBAgIJAJkMLmH6fFjlMA0GCSqGSIb3DQEBBQUAMCIxDjAMBgNV 3 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIxMDIxNzIyNDA1OFoXDTIz 4 | MDIxNzIyNDA1OFowPDEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVk 5 | aWF0ZSBDQTEQMA4GA1UEBwwHY2x1c3RlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIP 6 | ADCCAgoCggIBAM1l51P3R1JTdCuxcvMJbcAMJAZno9GUSxFS5e+lcZKEZ1CXvQxW 7 | kR72ZwgzWEF2j1+mjZUZNRaAS7tJehTvHKdoyea2Ekq+R9X1kCyfSJt/nYCYSvsf 8 | oHKLL8B+Ez4RoTgX0UU92mejFJL8kPVHz4ZM9HhTyT4CUsj5xUEKjF6ORcyZ6jP/ 9 | nv5NRsjNiXgOAXjsApZE9h8fDb0YGbm/ee941FEglq4KlqKeakIISSqRu9UbI2UI 10 | aP6T8azd5gPSeaTm6T7JepoDXne+Xm8l8rrdbRT/PV9AZNi8pMLf7SP838zMb/X+ 11 | 8XoGV/agSKtIa0qQgItBflOXlVmftTfBxl8+UGXlsIj6rpYF+c+lavAEF4Fzj4lE 12 | I+HkUh/TRe2nzSbdjKYKAgjyVDPu3QjbDX03ICgFb3RnDCL//F6pKeE9Zi8gPS9E 13 | H9ZfHHhBJpKgOGsr0/1zbf1zLj0gf0ZQDWu+PK2AJPVoQbR+QdB7QsomnQWwWEa1 14 | 2yfQTze5TVY2tmVJFsqQOoK6wQtIUnEuISreiA5qoYOBGAJG9AikhNRbeWKiD0KV 15 | MwGgGyRj2C/0GgnBWScytyFjoNadixzjiXu2ndaJYmNE54251235TUEJ1k5XLzLT 16 | prvVx5bYodwemBXkEzZAlN8iVeh0gvZXY8ywkKwM1VkmOs4mFBcISGnrAgMBAAGj 17 | aTBnMB0GA1UdDgQWBBTS42W73B9SNZh27ZgDt6SdUGthJzASBgNVHRMBAf8ECDAG 18 | AQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdpc3Rpb2QuaXN0aW8t 19 | c3lzdGVtLnN2YzANBgkqhkiG9w0BAQUFAAOCAgEARYVy9jfWvEyJ1mhx0Xhf+cpO 20 | 
bEs3zzrddrdsid9OA64pNgvhQqHM2XKSoX8/hBxlyh2XEbsF0/sujmeoQ4ry+Q1B 21 | nhvpDlXJnEkNwgOLRKi7Qqx8E2nIFgyA2CmON/IcCmKY7A3aGyhuhVj3b7fdNaaj 22 | 7hXfz9hSZ+ZFyBnJ0zGN57ZAZbYQvYGpc+seUeBf9WEhL0wMbAxLAeoWJdgm5UTA 23 | KeswXL6+zmuuEuoZ1loiUqiJohMNwiLU9wrePxFiEserJdgdQPraBIBO6s4BapEb 24 | R1JEYhTjVkoLs9SZl/wyWDRt6Qn8uPjsN+5/cpaY7hKHE1IYQB9DeZ+X3rRUjd/g 25 | abzVkE7oiHGgFj4/MeXmn15iIaruMj0ZKYyc3KQU4ok2o3GJ6z2pilzZYnyIck37 26 | 3HrYyk7Y1O5BakmvEfDb3V84Ze3Ghgnjc+eeNi1wIUALFE8tQ/YWyJK+LDtVd2WS 27 | Q1CeQgUY5RfUiqTFkrnFFmapx9I7Anyb+gwOxa1ECu0L5odvMwaCWo5tjAPqTl1m 28 | lHknG3oLujcZr9ShVoK2JIrKMqdOHLfjSgTyPrCZfuFanKxjqG9guw5OBWA1EqTS 29 | IiKkyqQzqD5Y1mQghc1+KaG1x7Siubv8poAvQU7VzAfbtGttqkaY55bwk9Wwg9r5 30 | G+v+5tJpvLfGniCmbQg= 31 | -----END CERTIFICATE----- 32 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/certs/ca-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD 3 | VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl 4 | MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD 5 | QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx 6 | OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT 7 | CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x 8 | ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC 9 | AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 10 | iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z 11 | APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 12 | M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom 13 | ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 14 | LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T 15 | BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC 16 | 
AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w 17 | A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 18 | PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y 19 | 05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN 20 | Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn 21 | aFKltOc+RAjzDklcUPeG4Y6eMA== 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/certs/ca-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy1 3 | 3XIQk8/u/By9iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3Hzd 4 | Rw+SBhXlsh9zAPZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSd 5 | PrFx6EyMXl7KM8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLs 6 | ar69PgFS0TomESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJ 7 | t/h8yspS1ck8LJtCole9919umByg5oruflqIlQIDAQABAoIBAGZI8fnUinmd5R6B 8 | C941XG3XFs6GAuUm3hNPcUFuGnntmv/5I0gBpqSyFO0nDqYg4u8Jma8TTCIkmnFN 9 | ogIeFU+LiJFinR3GvwWzTE8rTz1FWoaY+M9P4ENd/I4pVLxUPuSKhfA2ChAVOupU 10 | 8F7D9Q/dfBXQQCT3VoUaC+FiqjL4HvIhji1zIqaqpK7fChGPraC/4WHwLMNzI0Zg 11 | oDdAanwVygettvm6KD7AeKzhK94gX1PcnsOi3KuzQYvkenQE1M6/K7YtEc5qXCYf 12 | QETj0UCzB55btgdF36BGoZXf0LwHqxys9ubfHuhwKBpY0xg2z4/4RXZNhfIDih3w 13 | J3mihcECgYEA6FtQ0cfh0Zm03OPDpBGc6sdKxTw6aBDtE3KztfI2hl26xHQoeFqp 14 | FmV/TbnExnppw+gWJtwx7IfvowUD8uRR2P0M2wGctWrMpnaEYTiLAPhXsj69HSM/ 15 | CYrh54KM0YWyjwNhtUzwbOTrh1jWtT9HV5e7ay9Atk3UWljuR74CFMUCgYEA392e 16 | DVoDLE0XtbysmdlfSffhiQLP9sT8+bf/zYnr8Eq/4LWQoOtjEARbuCj3Oq7bP8IE 17 | Vz45gT1mEE3IacC9neGwuEa6icBiuQi86NW8ilY/ZbOWrRPLOhk3zLiZ+yqkt+sN 18 | cqWx0JkIh7IMKWI4dVQgk4I0jcFP7vNG/So4AZECgYEA426eSPgxHQwqcBuwn6Nt 19 | yJCRq0UsljgbFfIr3Wfb3uFXsntQMZ3r67QlS1sONIgVhmBhbmARrcfQ0+xQ1SqO 20 | wqnOL4AAd8K11iojoVXLGYP7ssieKysYxKpgPE8Yru0CveE9fkx0+OGJeM2IO5hY 21 | 
qHAoTt3NpaPAuz5Y3XgqaVECgYA0TONS/TeGjxA9/jFY1Cbl8gp35vdNEKKFeM5D 22 | Z7h+cAg56FE8tyFyqYIAGVoBFL7WO26mLzxiDEUfA/0Rb90c2JBfzO5hpleqIPd5 23 | cg3VR+cRzI4kK16sWR3nLy2SN1k6OqjuovVS5Z3PjfI3bOIBz0C5FY9Pmt0g1yc7 24 | mDRzcQKBgQCXWCZStbdjewaLd5u5Hhbw8tIWImMVfcfs3H1FN669LLpbARM8RtAa 25 | 8dYwDVHmWmevb/WX03LiSE+GCjCBO79fa1qc5RKAalqH/1OYxTuvYOeTUebSrg8+ 26 | lQFlP2OC4GGolKrN6HVWdxtf+F+SdjwX6qGCfYkXJRLYXIFSFjFeuw== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/certs/cert-chain.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD 3 | VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl 4 | MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD 5 | QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx 6 | OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT 7 | CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x 8 | ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC 9 | AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 10 | iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z 11 | APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 12 | M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom 13 | ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 14 | LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T 15 | BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC 16 | AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w 17 | A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 18 | PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y 19 | 05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN 20 | 
Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn 21 | aFKltOc+RAjzDklcUPeG4Y6eMA== 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/certs/root-cert-alt.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFCTCCAvGgAwIBAgIJAL4uxHfykeWSMA0GCSqGSIb3DQEBBQUAMCIxDjAMBgNV 3 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIxMDIxNzIyNDA1N1oXDTMx 4 | MDIxNTIyNDA1N1owIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew 5 | ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCkESA1E1psP/v9wkdimcqZ 6 | X832eMRKomDxFFwbk9ayMF/XrGMAUmsvqeN9a73m5UD3MpArBiRc97XXzW1K1hnW 7 | sCtcN42C25NDXgHGjzyhplNogR6/SsKYg2oZx2iBRJUxwroi3/iTv7KPousQwGpF 8 | a/leoNxfr0+twbA5Y9nS17zO8CfJLlJz+c8MIbSdCTckcRxvVSXWsUlH1BJS/Bfh 9 | TnlaVqk/YGWBxhtm8BowB0hzaxFrQnwuxsRXgnFmlAV0iZ35jvrhM6vmU2RqvUUo 10 | BEgTTPuToC/2VRmyhFw/9cWcjzxgkvkjLsmVg5icuNvKQ4PgJL07zguRjk0XFchz 11 | SZuqimjDYSRQv3I0TOn+eT0b2KX8neg1pqh7w81YotyqFcJ7SdpQaau7CeMbus92 12 | P7XsCpCSVe82Y8BRcdtPgDEzn7AOA2IlgxDC1hex80+10aL8naWGdxxUEom8wQwS 13 | gvRHrdDsRigVvcygvVhfcoMak4RUxFeaQK5c1ruMlNvuuwZ20C4mUvZTvlaz7RmN 14 | yazzjqQYT4GHbR2e1kwBqe6YtlOrHY1Fpg5V6+S1rQkbbZrfQVQOXz7VQ7jOsmEr 15 | kNkrtgS8ZjAwgnOrf878Rr1g8Ac+I4q7Mpei2humdAydO3cEaGskcoozsxjPAKvd 16 | 8be76nUjjkBv6eURp1ziEQIDAQABo0IwQDAdBgNVHQ4EFgQUPyNoAnWNHwP+2NFi 17 | zWLW0hz3Cw0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAuQwDQYJKoZI 18 | hvcNAQEFBQADggIBAIQx3aCt5GFuWxLLYlL2wbrO8tFoQnN4Poa/uli65YF47abb 19 | zZkDm6OomYIsWVce4tdoJZy1TLlyKZPb+MDDnelOzNhpljjpw2ZdhEtnv703513q 20 | o1zCgVrO1YWvk6Xv1gt3wVhQvJhq87BqrYFcCo899k09haXU4ddtP+YMPjyIngVb 21 | ucxML2xqjzS1Cfs+CD/OpwntISzWOEi5r/3IkbPlMT15hFa2oAVKBhOkyk0QQP8t 22 | bV9i4AC32gvshwIiGjbXUmnlRwBxUi8GBq5ZyR66nqoV9wBHPoqJZ3z+j6DNZSYm 23 | QGaO0wwWgSePRNPodzPAw6vofDjBe/hcyCk2d2uRrOLJICWbAdx76+j6h3zX2sPS 24 | FVSK1eVZaPUylL9rE+AyVGgl8/FqLNTwOHdSSovgIVVID7eXSpebnFtQEtlCSnik 25 | 
naaVSrG+sTH77WD9mQO9LmYS8JVceLE+ErSEAXkFKim131317sS5Z310U/L021M4 26 | xGH6zZHK9W9dx1X4gZKfoqGwSAHhs4rjEZCU7CKR1ouJBPWQ/cGrrk8n8ZdmKxmz 27 | OHNB4GteIEKJKrJTKQil8hsdSIqSUX4H4tw4GXlpyBSmZNt9iOjo4tWUGoUlQRIp 28 | QDpfEx1ep9pVDwQNGXVf+m9iqbc3DAiSN+1CGSZI5Kv0RzZSih5zIaxB2gJ7 29 | -----END CERTIFICATE----- 30 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/certs/root-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD 3 | VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl 4 | MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD 5 | QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx 6 | OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI 7 | DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv 8 | MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB 9 | FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB 10 | CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN 11 | 8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu 12 | IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw 13 | uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv 14 | YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw 15 | zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh 16 | euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw 17 | DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ 18 | ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W 19 | tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK 20 | WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy 21 | AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx 22 | 
xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a 23 | 3g== 24 | -----END CERTIFICATE----- 25 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/certs/workload-bar-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAwPXy79TWi4vBzZVuXIVAIM3td0Y4OgtXZ5gDc1CvMy/TzvfN 3 | LnBu+17Z5Fz4xf2OfCDytb5aifspRoTMPrZr1Bm/mKU7XXfthQFmtOBAiQ5uE6ea 4 | klGZHcLFyTxlMQEwWwz7HIYAZzym10YmMS7GJ8UkdPcgHSJteydi4efOmPW2i2re 5 | wg9NFKSOxI6cqnJo58EWIDINDRGebj47fZwnrniXQKjqJEAFOc728irVOOd9Cbr4 6 | X33Dda+/0iTwfEHgcEtnf6qBdAgk4P53n7Pzw6eyIQxgo7hcfLYP84CH00PuL2XO 7 | v7BcthvkfX5NwQm4cVMdByyblgKX/MW3hgeBfQIDAQABAoIBAQCKn6bZ2YQQWGTw 8 | tsvEOA5sAsT4jT/To1Y1nCXOcEaNdWyrIacMF8YDXI8Y2hn200PLtTfojUoqGn/6 9 | o2jAHPm2NJFKrlnJumCuzuTkSL7UN8Oo5x3KxEhF8yl4eqUP4ZTFtLuqMDKV+CK8 10 | QS8q4jmFVMHuLaOqipMwiIknVgs8IvmQSZf3LBPOLRX9vcTtT0YnOAhFQjb3048s 11 | Da+pDSsKesVkcsTx9aw4pUHWcLFuDHxZ1f0hAXcOfkzjzuBkQ0uoUxSIE+kcA2i0 12 | 9vZB7fSqL/5zKrKooDSjW189WHd8wMEtmGZW6VDeH0fMuC+KWEVZnyjMrrlCMesJ 13 | MismTSABAoGBAPD2XAf01iMy4Y84XtI4vku0uO+pseyhZ2nyqLJW2q3M0bXKFMiD 14 | jiE7GlxBjynZFfU5R/H7QJ3rDwH4PpKyd13mgnlUImyLTUVaSbC3Bu0rJ+NFLtsQ 15 | 7OCxi4F3pOvOAWUL5WJc0gyqmSBywoGFuCT1x0wch2si1/XGUH973EwBAoGBAM0A 16 | te01yywQ+X17fApIh/R+LLPkORecpDJgC3vTcMvuvC9Rq1HEC4S4b7X0SfrUzvCw 17 | BO+J3KUMBJXHC2S4VsWBn/jHA8vJ1RD11gDVUV776WLxhXiBekwneFyFlNUukkTa 18 | 2bcnM3vtXZBl8z8Fhddfo5i9MR0Wh6jXF3HpemV9AoGAW1k6CHYkHBH0+sOnBtEm 19 | KzMnDQxq/EcwGjU5COruWgcU1XL3sBBXeHecha8A5B99OIrvoGfc1kE/XkLLDfgE 20 | Up/JhM+FgVrJ/2m8F/c68/xxUbJvkfL3qjMErR87cX2Wf8Ujv8dqhgzCok9/N3UH 21 | G1PlqxABsnbyIiV9bOb63AECgYEAqbsd5YF1b026k3dK8uSsk/RnpKWf03ngxMia 22 | mXIt4NsPugnfU3qCoudlrnvNSL0rfUHvRDibk5dIsI21VDX/udUiEwMLlI3OOBWi 23 | ktwLXB4sVLxtaqGhFS5UzB3ZZUwC1LlyKt9tE/0qS2Ttqc8zymcn900lPdUqitNT 24 | WQAbU60CgYBsR9gyXA4SXFjKmk5WKFhHlvTf87UfaOrPeeDE7zeEo2iVgjq9gSHw 25 | 
7zBaiVvrwcSn3COszrPgtOUM+Vl/T7Z2QmPTteP2R8mKxOJk4BWQ5q/bhoc3sEH7 26 | EjR9twDPRg3V9xEKtcTiJhzm4TitKGYBH8FQ22B4X6mouVE8KfXkyA== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/certs/workload-foo-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAzfLnFU/WpgOzLgNIQbt5eFAQYv9dRtc5HWRMRdMCECT9ajRh 3 | yWjDFFC4jJ5eksz6dE3bPTEO22QxGkjSbpBvW8rjde0+QGJ5Wb+0FJTKKz6IFXoo 4 | E6HDuKiegCXKrq06TAvZXeyIwrku+Sl54LuUk8lqZpE3X0slydZLbXhty6uWrqDr 5 | 6jBAZvgFLhJOp+JGQhyLDswdM3m9ZBw2ZY1PcwTX0o1AYotc+QkYmg2Wrg/3yki4 6 | 7nyTSajDzERKmasnXM60y1RQOJxdXrubwFXbGSftgsN6F8DIqyowmOx1YHctSWT+ 7 | QWJr2f8DAXP7eYxI9Z7g6dFAZ23BQy5qeSd9JQIDAQABAoIBAQDLs7PpGnze284A 8 | dvKjQYFWBSsQIDDsfrhZX/kpHxptSYj14TXPdzVtBKJlQ8ebP++B1fhBwCJH0gPX 9 | UawB/A6JJlZxL+Vg3YXVxY2ixcBpoYIMbDTzpg7muLF9YuPkfiapTRcElY53u57A 10 | h8urAx5kRtZc+MliEfwgdTtJ3dILnbXxGanKfi+nz9P5YuLkKzqIolbqu9ZxlJFD 11 | /V4DKITA0IootE0OhCKP0GfeA6L9z3tH2OuEn/LXl2S8FbbFCeY4ji8FQBr2icSB 12 | pXdee0gYIrvrU8G0eoE0ZV9bAGXkRhA3057HF9RqlAqhRc012s4ojbl/q4uINdWp 13 | R+UiUecJAoGBAP4Pzo+NwS054kOgSYu+NMSi63j2OJD9aeHYJT6QwVYZurTMChxx 14 | x283Da4qsCBGI37YjU5Ygd6DYc0T57GXfeka8tZQb5+v/ZvV1oIY+pVN5cp0xben 15 | Ttm0qskF2H57TmPcH5atWkW7b5CjrSo7DYFtd6jKzzoAJ9uPH4DCM5ufAoGBAM+F 16 | IRkSmzAPpiyPA1P7OlWy0vQLsNrFwZ59HOmovpQTgDLVW5Xbq+etEiAXmSvuxBU0 17 | OKiHMgGK2Pmg/vsM3mUVskrx+bDk+6GGM52feqa8N1rtxDTjamI5EHx29896jX/U 18 | HGSW+8YYVZ/jbSSneY71AO1E2INsNEi1Ei5qWTC7AoGABOdnNEwnK2lPncCNSt48 19 | BIOkiewuwVWy4oIaje+bW78ZZH3/v/bOQ65LXE5EogrYio1BhP6eWx4sGBpHQZ1L 20 | 9+DmSQ66aNmryoNBJbe3toQPaG4Clv3qvrcHCORM/nwA0lqgXXcxI+FvUNpn8EW9 21 | h/8F7UMk5tiz7EAB+qlE978CgYAJBj8UOgzpoCSX13hLlKdKxsYJuuBsAyGSZNp3 22 | BtGS2u4+R6z97Vmib5JUNvKASJfaXDUCjy6LhqA86tVr0XlyZ+ki/TbgjHSs54sj 23 | FaZdzd2SZLidnC4qK1UeNIY+TZQNtQmvDinQyYofs+IxL99HajwqFU5dGL2FU+qA 24 | 
fjt2tQKBgQDrnpSRmAhhGcazmNVnzF8PVJGPwY4clGKB2jo6ru57tL0QRc/N+5pJ 25 | 8boLB7CqRpC0mHpijJLKkLoJ0oVoC9jsn3e8tfVuVqbO3AfwdB+nkABQVHRxRRGt 26 | AlUeHXbjlY7OpemfK3smhLGBoOZKJVL7cKwyJc5MTPjcUgMwlwbW5w== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/custom-bootstrap/README.md: -------------------------------------------------------------------------------- 1 | # Custom Envoy Bootstrap Configuration 2 | 3 | This sample creates a simple helloworld service that bootstraps the Envoy proxy with a custom configuration file. 4 | 5 | ## Starting the service 6 | 7 | First, we need to create a `ConfigMap` resource with our bootstrap configuration. 8 | 9 | ```bash 10 | kubectl apply -f custom-bootstrap.yaml 11 | ``` 12 | 13 | Next, we can create a service that uses this bootstrap configuration. 14 | 15 | To do this, we need to add an annotation, `sidecar.istio.io/bootstrapOverride`, with the name of our ConfigMap as the value. 16 | 17 | We can create our helloworld app, using the custom config, with: 18 | 19 | ```bash 20 | kubectl apply -f example-app.yaml 21 | ``` 22 | 23 | If you don't have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) 24 | set in your cluster you will need to manually inject it to the services instead: 25 | 26 | ```bash 27 | istioctl kube-inject -f example-app.yaml -o example-app-istio.yaml 28 | kubectl apply -f example-app-istio.yaml 29 | ``` 30 | 31 | ## Checking the Bootstrap Configuration 32 | 33 | To see what bootstrap configuration a pod is using: 34 | 35 | ```bash 36 | istioctl proxy-config bootstrap 37 | ``` 38 | 39 | ## Customizing the Bootstrap 40 | 41 | The configuration provided will be passed to envoy using the [`--config-yaml`](https://www.envoyproxy.io/docs/envoy/v1.7.1/operations/cli#cmdoption-config-yaml) flag. 
42 | 43 | This will merge the passed in configuration with the default configuration. Singular values will replace the default values, while repeated values will be appended. 44 | 45 | For reference, [the default bootstrap configuration](../../tools/packaging/common/envoy_bootstrap.json) and Envoy's [configuration reference](https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration#config) may be useful 46 | 47 | ## Cleanup 48 | 49 | ```bash 50 | kubectl delete -f custom-bootstrap.yaml 51 | kubectl delete -f example-app.yaml 52 | ``` 53 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/custom-bootstrap/custom-bootstrap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: istio-custom-bootstrap-config 5 | namespace: default 6 | data: 7 | custom_bootstrap.json: | 8 | { 9 | "tracing": { 10 | "http": { 11 | "name": "envoy.zipkin", 12 | "config": { 13 | "collector_cluster": "zipkin", 14 | "collector_endpoint": "/api/v1/spans/custom", 15 | "trace_id_128bit": "true" 16 | } 17 | } 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/custom-bootstrap/example-app.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: helloworld-v1 5 | labels: 6 | app: helloworld 7 | version: v1 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: helloworld 13 | version: v1 14 | template: 15 | metadata: 16 | annotations: 17 | sidecar.istio.io/bootstrapOverride: "istio-custom-bootstrap-config" 18 | labels: 19 | app: helloworld 20 | version: v1 21 | spec: 22 | containers: 23 | - name: helloworld 24 | image: docker.io/istio/examples-helloworld-v1 25 | resources: 26 | requests: 27 | cpu: "100m" 28 | imagePullPolicy: IfNotPresent 29 | ports: 30 | - 
containerPort: 5000 31 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/extauthz/ext-authz.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Example configurations for deploying ext-authz server separately in the mesh. 16 | 17 | apiVersion: v1 18 | kind: Service 19 | metadata: 20 | name: ext-authz 21 | labels: 22 | app: ext-authz 23 | spec: 24 | ports: 25 | - name: http 26 | port: 8000 27 | targetPort: 8000 28 | - name: grpc 29 | port: 9000 30 | targetPort: 9000 31 | selector: 32 | app: ext-authz 33 | --- 34 | apiVersion: apps/v1 35 | kind: Deployment 36 | metadata: 37 | name: ext-authz 38 | spec: 39 | replicas: 1 40 | selector: 41 | matchLabels: 42 | app: ext-authz 43 | template: 44 | metadata: 45 | labels: 46 | app: ext-authz 47 | spec: 48 | containers: 49 | - image: gcr.io/istio-testing/ext-authz:0.7 50 | imagePullPolicy: IfNotPresent 51 | name: ext-authz 52 | ports: 53 | - containerPort: 8000 54 | - containerPort: 9000 55 | --- 56 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/extauthz/src/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # 
you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | HUB ?= gcr.io/istio-testing/ext-authz 16 | TAG ?= 0.7 17 | 18 | build: main.go go.mod go.sum Dockerfile 19 | docker build . -t $(HUB):$(TAG) 20 | 21 | push: build 22 | docker push $(HUB):$(TAG) 23 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/external/README.md: -------------------------------------------------------------------------------- 1 | # External Services 2 | 3 | By default Istio-enabled services are unable to access services and URLs outside of the cluster. Pods use iptables to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations. 4 | 5 | See [the Egress Task](https://istio.io/docs/tasks/traffic-management/egress/) for 6 | information on configuring Istio to contact external services. 7 | 8 | This directory contains samples showing how to enable pods to contact a few well 9 | known services. 10 | 11 | If Istio is not configured to allow pods to contact external services, the pods will 12 | see errors such as 404s, HTTPS connection problems, and TCP connection problems. If 13 | ServiceEntries are misconfigured pods may see problems with server names. 14 | 15 | ## Try it out 16 | 17 | After an operator runs `kubectl create -f aptget.yaml` pods will be able to 18 | succeed with `apt-get update` and `apt-get install`. 
19 | 20 | After an operator runs `kubectl create -f github.yaml` pods will be able to 21 | succeed with `git clone https://github.com/fortio/fortio.git`. 22 | 23 | Running `kubectl create -f pypi.yaml` allows pods to update Python libraries using `pip`. 24 | 25 | It is not a best practice to enable pods to update libraries dynamically. 26 | We are providing these samples 27 | because they have proven to be helpful with interactive troubleshooting. Security-minded clusters should only allow traffic to service dependencies such as cloud 28 | services. 29 | 30 | ### Enable communication by default 31 | 32 | Note that [this note](https://istio.io/docs/tasks/traffic-management/egress/#install-istio-with-access-to-all-external-services-by-default) shows how to configure Istio to contact services by default. The technique 33 | discussed there does not allow HTTP on port 80 or SSH on port 22. These examples will 34 | allow external communication for ports 80 and 22. 35 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/external/aptget.yaml: -------------------------------------------------------------------------------- 1 | # This ServiceEntry exposes the hosts needed for installing packages with apt-get. 2 | # After applying this file, Istio-enabled pods (with apt-get configured) will be able to execute 3 | # `apt-get upgrade` and `apt-get install`. 
If this ServiceEntry is not applied, apt-get may fail with 4 | # "404 Not Found" 5 | 6 | apiVersion: networking.istio.io/v1alpha3 7 | kind: ServiceEntry 8 | metadata: 9 | name: make-aptget-work 10 | spec: 11 | hosts: 12 | - deb.debian.org 13 | - cdn-fastly.deb.debian.org 14 | - security.debian.org 15 | - archive.ubuntu.com 16 | - security.ubuntu.com 17 | ports: 18 | - number: 80 19 | name: http 20 | protocol: HTTP 21 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/external/github.yaml: -------------------------------------------------------------------------------- 1 | # This ServiceEntry exposes the hosts needed for github.com. 2 | # After applying this file, Istio-enabled pods will be able to execute 3 | # `git clone https://github.com/istio/api.git` and (with the local SSH identity 4 | # and key configured) `git clone git@github.com:istio/api.git` 5 | 6 | # For HTTP and TLS, the host must be specified 7 | # See https://istio.io/docs/tasks/traffic-management/egress/ 8 | apiVersion: networking.istio.io/v1alpha3 9 | kind: ServiceEntry 10 | metadata: 11 | name: github-https 12 | spec: 13 | hosts: 14 | - github.com 15 | ports: 16 | - number: 443 17 | name: https 18 | protocol: HTTPS 19 | --- 20 | # For TCP services the IP ranges SHOULD be specified to avoid problems 21 | # if multiple SEs use the same port number. 
22 | # See https://istio.io/blog/2018/egress-tcp/#mesh-external-service-entry-for-an-external-mysql-instance 23 | apiVersion: networking.istio.io/v1alpha3 24 | kind: ServiceEntry 25 | metadata: 26 | name: github-tcp 27 | spec: 28 | hosts: 29 | - dummy.github.com # not used 30 | addresses: # from https://help.github.com/articles/about-github-s-ip-addresses/ (these ranges change over time; re-check the published list before relying on this entry) 31 | - "13.229.188.59/32" 32 | - "13.250.177.223/32" 33 | - "140.82.112.0/20" 34 | - "18.194.104.89/32" 35 | - "18.195.85.27/32" 36 | - "185.199.108.0/22" 37 | - "185.199.108.153/32" 38 | - "185.199.109.153/32" 39 | - "185.199.110.153/32" 40 | - "185.199.111.153/32" 41 | - "192.30.252.0/22" 42 | - "192.30.252.153/32" 43 | - "192.30.252.154/32" 44 | - "23.20.92.3/32" 45 | - "35.159.8.160/32" 46 | - "52.74.223.119/32" 47 | - "54.166.52.62/32" 48 | - "54.87.5.173/32" 49 | ports: 50 | - name: tcp 51 | number: 22 52 | protocol: tcp 53 | location: MESH_EXTERNAL 54 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/external/pypi.yaml: -------------------------------------------------------------------------------- 1 | # This ServiceEntry exposes the hosts needed for Python `pip`. 2 | # After applying this file, Istio-enabled pods will be able to execute 3 | # `pip search istio`. 4 | 5 | # For HTTP and TLS, the host must be specified 6 | # See https://istio.io/docs/tasks/traffic-management/egress/ 7 | 8 | apiVersion: networking.istio.io/v1alpha3 9 | kind: ServiceEntry 10 | metadata: 11 | name: python-https 12 | spec: 13 | hosts: 14 | - pypi.python.org 15 | ports: 16 | - number: 443 17 | name: https 18 | protocol: HTTPS 19 | --- 20 | # pypi.python.org may 301 redirect to pypi.org, so we need this too. 
21 | apiVersion: networking.istio.io/v1alpha3 22 | kind: ServiceEntry 23 | metadata: 24 | name: pypi-https 25 | spec: 26 | hosts: 27 | - pypi.org 28 | ports: 29 | - number: 443 30 | name: https 31 | protocol: HTTPS 32 | --- 33 | # pip install may fetch files from files.pythonhosted.org 34 | apiVersion: networking.istio.io/v1alpha3 35 | kind: ServiceEntry 36 | metadata: 37 | name: pythonhosted-https 38 | spec: 39 | hosts: 40 | - files.pythonhosted.org 41 | ports: 42 | - number: 443 43 | name: https 44 | protocol: HTTPS 45 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/grpc-echo/README.md: -------------------------------------------------------------------------------- 1 | # grpc-echo 2 | 3 | This sample demonstrates Istio's Proxyless gRPC support with a special injection template `grpc-agent`. 4 | The template injects the `istio-proxy` sidecar, but the sidecar will only run `pilot-agent` and not envoy. 5 | 6 | See the [gRPC xDS feature status](https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md) for more 7 | information. 8 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/health-check/liveness-command.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | ################################################################################################## 16 | # Liveness service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: liveness 22 | labels: 23 | app: liveness 24 | service: liveness 25 | spec: 26 | ports: 27 | - port: 80 28 | name: http 29 | selector: 30 | app: liveness 31 | --- 32 | apiVersion: apps/v1 33 | kind: Deployment 34 | metadata: 35 | name: liveness 36 | spec: 37 | selector: 38 | matchLabels: 39 | app: liveness 40 | template: 41 | metadata: 42 | labels: 43 | app: liveness 44 | spec: 45 | containers: 46 | - name: liveness 47 | image: k8s.gcr.io/busybox 48 | args: 49 | - /bin/sh 50 | - -c 51 | - touch /tmp/healthy; sleep 3600 52 | livenessProbe: 53 | exec: 54 | command: 55 | - cat 56 | - /tmp/healthy 57 | initialDelaySeconds: 5 58 | periodSeconds: 5 59 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/health-check/liveness-http-same-port.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: liveness-http 5 | labels: 6 | app: liveness-http 7 | service: liveness-http 8 | spec: 9 | ports: 10 | - name: http 11 | port: 8001 12 | selector: 13 | app: liveness-http 14 | --- 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | name: liveness-http 19 | spec: 20 | selector: 21 | matchLabels: 22 | app: liveness-http 23 | version: v1 24 | template: 25 | metadata: 26 | labels: 27 | app: liveness-http 28 | version: v1 29 | spec: 30 | containers: 31 | - name: liveness-http 32 | image: docker.io/istio/health:example 33 | ports: 34 | - containerPort: 8001 35 | livenessProbe: 36 | httpGet: 37 | path: /foo 38 | port: 8001 39 | initialDelaySeconds: 5 40 | periodSeconds: 5 41 | 
-------------------------------------------------------------------------------- /istio-1.12.1/samples/helloworld/helloworld-gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: helloworld-gateway 5 | spec: 6 | selector: 7 | istio: ingressgateway # use istio default controller 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - "*" 15 | --- 16 | apiVersion: networking.istio.io/v1alpha3 17 | kind: VirtualService 18 | metadata: 19 | name: helloworld 20 | spec: 21 | hosts: 22 | - "*" 23 | gateways: 24 | - helloworld-gateway 25 | http: 26 | - match: 27 | - uri: 28 | exact: /hello 29 | route: 30 | - destination: 31 | host: helloworld 32 | port: 33 | number: 5000 34 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/helloworld/helloworld.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: helloworld 5 | labels: 6 | app: helloworld 7 | service: helloworld 8 | spec: 9 | ports: 10 | - port: 5000 11 | name: http 12 | selector: 13 | app: helloworld 14 | --- 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | name: helloworld-v1 19 | labels: 20 | app: helloworld 21 | version: v1 22 | spec: 23 | replicas: 1 24 | selector: 25 | matchLabels: 26 | app: helloworld 27 | version: v1 28 | template: 29 | metadata: 30 | labels: 31 | app: helloworld 32 | version: v1 33 | spec: 34 | containers: 35 | - name: helloworld 36 | image: docker.io/istio/examples-helloworld-v1 37 | resources: 38 | requests: 39 | cpu: "100m" 40 | imagePullPolicy: IfNotPresent #Always 41 | ports: 42 | - containerPort: 5000 43 | --- 44 | apiVersion: apps/v1 45 | kind: Deployment 46 | metadata: 47 | name: helloworld-v2 48 | labels: 49 | app: helloworld 50 | version: v2 51 | spec: 52 | 
replicas: 1 53 | selector: 54 | matchLabels: 55 | app: helloworld 56 | version: v2 57 | template: 58 | metadata: 59 | labels: 60 | app: helloworld 61 | version: v2 62 | spec: 63 | containers: 64 | - name: helloworld 65 | image: docker.io/istio/examples-helloworld-v2 66 | resources: 67 | requests: 68 | cpu: "100m" 69 | imagePullPolicy: IfNotPresent #Always 70 | ports: 71 | - containerPort: 5000 72 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/helloworld/loadgen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright Istio Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | while true; do curl -s -o /dev/null "http://$GATEWAY_URL/hello"; done 18 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/helloworld/src/build_service.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright Istio Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -o errexit 18 | 19 | SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) 20 | 21 | docker build -t istio/examples-helloworld-v1 --build-arg service_version=v1 "${SCRIPTDIR}" 22 | docker build -t istio/examples-helloworld-v2 --build-arg service_version=v2 "${SCRIPTDIR}" 23 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/helloworld/src/requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | flask 3 | flask_json 4 | flask_bootstrap 5 | json2html 6 | simplejson 7 | gevent 8 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/httpbin/README.md: -------------------------------------------------------------------------------- 1 | # Httpbin service 2 | 3 | This sample runs [httpbin](https://httpbin.org) as an Istio service. 4 | Httpbin is a well known HTTP testing service that can be used for experimenting 5 | with all kinds of Istio features. 6 | 7 | To use it: 8 | 9 | 1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/). 10 | 11 | 1. 
Start the httpbin service inside the Istio service mesh: 12 | 13 | If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled: 14 | 15 | ```bash 16 | kubectl apply -f httpbin.yaml 17 | ``` 18 | 19 | Otherwise, manually inject the sidecars before applying: 20 | 21 | ```bash 22 | kubectl apply -f <(istioctl kube-inject -f httpbin.yaml) 23 | ``` 24 | 25 | Because the httpbin service is not exposed outside of the cluster 26 | you cannot _curl_ it directly; however, you can verify that it is working correctly using 27 | a _curl_ command against `httpbin:8000` *from inside the cluster* using the public _dockerqa/curl_ 28 | image from Docker Hub: 29 | 30 | ```bash 31 | kubectl run -i --rm --restart=Never dummy --image=dockerqa/curl:ubuntu-trusty --command -- curl --silent httpbin:8000/html 32 | kubectl run -i --rm --restart=Never dummy --image=dockerqa/curl:ubuntu-trusty --command -- curl --silent --head httpbin:8000/status/500 33 | time kubectl run -i --rm --restart=Never dummy --image=dockerqa/curl:ubuntu-trusty --command -- curl --silent httpbin:8000/delay/5 34 | ``` 35 | 36 | You can also test the httpbin service by starting the [sleep service](../sleep) and calling httpbin from it. 37 | 38 | A third option is to access the service from outside of the mesh through an Ingress Gateway. 39 | The [Ingress Gateways](https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/) task explains how to do it. 
40 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/httpbin/httpbin-gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: httpbin-gateway 5 | spec: 6 | selector: 7 | istio: ingressgateway 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - "*" 15 | --- 16 | apiVersion: networking.istio.io/v1alpha3 17 | kind: VirtualService 18 | metadata: 19 | name: httpbin 20 | spec: 21 | hosts: 22 | - "*" 23 | gateways: 24 | - httpbin-gateway 25 | http: 26 | - route: 27 | - destination: 28 | host: httpbin 29 | port: 30 | number: 8000 31 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/httpbin/httpbin-nodeport.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | ################################################################################################## 16 | # httpbin service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: httpbin 22 | labels: 23 | app: httpbin 24 | service: httpbin 25 | spec: 26 | type: NodePort 27 | ports: 28 | - name: http 29 | port: 8000 30 | targetPort: 80 31 | selector: 32 | app: httpbin 33 | --- 34 | apiVersion: apps/v1 35 | kind: Deployment 36 | metadata: 37 | name: httpbin 38 | spec: 39 | replicas: 1 40 | selector: 41 | matchLabels: 42 | app: httpbin 43 | version: v1 44 | template: 45 | metadata: 46 | labels: 47 | app: httpbin 48 | version: v1 49 | spec: 50 | containers: 51 | - image: docker.io/kennethreitz/httpbin 52 | imagePullPolicy: IfNotPresent 53 | name: httpbin 54 | ports: 55 | - containerPort: 80 56 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/httpbin/httpbin-vault.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | ################################################################################################## 16 | # httpbin service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: httpbin 22 | labels: 23 | app: httpbin 24 | service: httpbin 25 | spec: 26 | ports: 27 | - name: http 28 | port: 8000 29 | targetPort: 80 30 | selector: 31 | app: httpbin 32 | --- 33 | apiVersion: apps/v1 34 | kind: Deployment 35 | metadata: 36 | name: httpbin 37 | spec: 38 | replicas: 1 39 | selector: 40 | matchLabels: 41 | app: httpbin 42 | version: v1 43 | template: 44 | metadata: 45 | labels: 46 | app: httpbin 47 | version: v1 48 | spec: 49 | serviceAccountName: vault-citadel-sa 50 | containers: 51 | - image: docker.io/kennethreitz/httpbin 52 | imagePullPolicy: IfNotPresent 53 | name: httpbin 54 | ports: 55 | - containerPort: 80 56 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/httpbin/httpbin.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | ################################################################################################## 16 | # httpbin service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: ServiceAccount 20 | metadata: 21 | name: httpbin 22 | --- 23 | apiVersion: v1 24 | kind: Service 25 | metadata: 26 | name: httpbin 27 | labels: 28 | app: httpbin 29 | service: httpbin 30 | spec: 31 | ports: 32 | - name: http 33 | port: 8000 34 | targetPort: 80 35 | selector: 36 | app: httpbin 37 | --- 38 | apiVersion: apps/v1 39 | kind: Deployment 40 | metadata: 41 | name: httpbin 42 | spec: 43 | replicas: 1 44 | selector: 45 | matchLabels: 46 | app: httpbin 47 | version: v1 48 | template: 49 | metadata: 50 | labels: 51 | app: httpbin 52 | version: v1 53 | spec: 54 | serviceAccountName: httpbin 55 | containers: 56 | - image: docker.io/kennethreitz/httpbin 57 | imagePullPolicy: IfNotPresent 58 | name: httpbin 59 | ports: 60 | - containerPort: 80 61 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/httpbin/sample-client/fortio-deploy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: fortio 5 | labels: 6 | app: fortio 7 | service: fortio 8 | spec: 9 | ports: 10 | - port: 8080 11 | name: http 12 | selector: 13 | app: fortio 14 | --- 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | name: fortio-deploy 19 | spec: 20 | replicas: 1 21 | selector: 22 | matchLabels: 23 | app: fortio 24 | template: 25 | metadata: 26 | annotations: 27 | # This annotation causes Envoy to serve cluster.outbound statistics via 15000/stats 28 | # in addition to the stats normally served by Istio. The Circuit Breaking example task 29 | # gives an example of inspecting Envoy stats via proxy config. 
30 | proxy.istio.io/config: |- 31 | proxyStatsMatcher: 32 | inclusionPrefixes: 33 | - "cluster.outbound" 34 | - "cluster_manager" 35 | - "listener_manager" 36 | - "server" 37 | - "cluster.xds-grpc" 38 | labels: 39 | app: fortio 40 | spec: 41 | containers: 42 | - name: fortio 43 | image: fortio/fortio:latest_release 44 | imagePullPolicy: Always 45 | ports: 46 | - containerPort: 8080 47 | name: http-fortio 48 | - containerPort: 8079 49 | name: grpc-ping 50 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/jwt-server/jwt-server.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Example configurations for deploying a jwt-server server separately in the mesh. 
16 | 17 | apiVersion: v1 18 | kind: Service 19 | metadata: 20 | name: jwt-server 21 | labels: 22 | app: jwt-server 23 | spec: 24 | ports: 25 | - name: http 26 | port: 8000 27 | targetPort: 8000 28 | selector: 29 | app: jwt-server 30 | --- 31 | apiVersion: apps/v1 32 | kind: Deployment 33 | metadata: 34 | name: jwt-server 35 | spec: 36 | replicas: 1 37 | selector: 38 | matchLabels: 39 | app: jwt-server 40 | template: 41 | metadata: 42 | labels: 43 | app: jwt-server 44 | spec: 45 | containers: 46 | - image: docker.io/istio/jwt-server:0.5 47 | imagePullPolicy: IfNotPresent 48 | name: jwt-server 49 | ports: 50 | - containerPort: 8000 51 | --- 52 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/jwt-server/src/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | HUB ?= docker.io/istio/jwt-server 16 | TAG ?= 0.5 17 | 18 | build: main.go Dockerfile 19 | docker build . 
-t $(HUB):$(TAG) 20 | 21 | push: build 22 | docker push $(HUB):$(TAG) 23 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/kubernetes-blog/bookinfo-ratings.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ################################################################################################## 16 | # Ratings service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: ratings 22 | labels: 23 | app: ratings 24 | service: ratings 25 | spec: 26 | ports: 27 | - port: 9080 28 | name: http 29 | selector: 30 | app: ratings 31 | --- 32 | apiVersion: apps/v1 33 | kind: Deployment 34 | metadata: 35 | name: ratings-v1 36 | labels: 37 | app: ratings 38 | version: v1 39 | spec: 40 | replicas: 1 41 | template: 42 | metadata: 43 | labels: 44 | app: ratings 45 | version: v1 46 | spec: 47 | containers: 48 | - name: ratings 49 | image: docker.io/istio/examples-bookinfo-ratings-v1:0.2.3 50 | imagePullPolicy: IfNotPresent 51 | ports: 52 | - containerPort: 9080 53 | --- 54 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/kubernetes-blog/bookinfo-reviews-v2.yaml: 
-------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ################################################################################################## 16 | # Reviews service v2 17 | ################################################################################################## 18 | apiVersion: apps/v1 19 | kind: Deployment 20 | metadata: 21 | name: reviews-v2 22 | labels: 23 | app: reviews 24 | version: v2 25 | spec: 26 | replicas: 1 27 | selector: 28 | matchLabels: 29 | app: reviews 30 | version: v2 31 | template: 32 | metadata: 33 | labels: 34 | app: reviews 35 | version: v2 36 | spec: 37 | containers: 38 | - name: reviews 39 | image: docker.io/istio/examples-bookinfo-reviews-v2:0.2.3 40 | imagePullPolicy: IfNotPresent 41 | ports: 42 | - containerPort: 9080 43 | --- 44 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/multicluster/README.md: -------------------------------------------------------------------------------- 1 | # Multicluster Samples 2 | 3 | The samples in this directory help to support multicluster use cases for the 4 | following configurations: 5 | 6 | * Primary-Remote 7 | * Multinetwork 8 | 9 | All of these instructions here assume that Istio has already been deployed to your primary clusters. 
10 | 11 | ## Creating East-West Gateway 12 | 13 | All configurations rely on a separate gateway deployment that is dedicated to 14 | east-west traffic. This is done to avoid having east-west traffic flooding 15 | the default north-south ingress gateway. 16 | 17 | Run the following command to deploy the east-west gateway to a primary cluster: 18 | 19 | ```bash 20 | export MESH=mesh1 21 | export CLUSTER=cluster1 22 | export NETWORK=network1 23 | ./samples/multicluster/gen-eastwest-gateway.sh | \ 24 | istioctl manifest generate -f - | \ 25 | kubectl apply -f - 26 | ``` 27 | 28 | The `CLUSTER` and `NETWORK` environment variables should match the values used to deploy the control plane 29 | in that cluster. 30 | 31 | ## Primary-Remote Configuration 32 | 33 | In order to give a remote cluster access to the control plane (istiod) in a primary cluster, 34 | we need to expose the istiod service through the east-west gateway: 35 | 36 | ```bash 37 | kubectl apply -f samples/multicluster/expose-istiod.yaml -n istio-system 38 | ``` 39 | 40 | ## Multi-network Configuration 41 | 42 | In order to enable cross-cluster load balancing between clusters that are in different 43 | networks, we need to expose the services through the east-west gateway in each cluster: 44 | 45 | ```bash 46 | kubectl apply -f samples/multicluster/expose-services.yaml -n istio-system 47 | ``` 48 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/multicluster/expose-istiod-https.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: istiod-gateway 5 | spec: 6 | selector: 7 | istio: eastwestgateway 8 | servers: 9 | - port: 10 | name: https-istiod 11 | number: 15012 12 | protocol: https 13 | tls: 14 | mode: SIMPLE 15 | # use a valid credential here 16 | credentialName: "$CREDENTIAL_NAME" 17 | hosts: 18 | # use a valid gateway host and 
domain for istiod 19 | - "ISTIOD-HOST.DOMAIN" 20 | - port: 21 | name: https-istiodwebhook 22 | number: 15017 23 | protocol: https 24 | tls: 25 | mode: SIMPLE 26 | # use a valid credential here 27 | credentialName: "$CREDENTIAL_NAME" 28 | hosts: 29 | # use a valid gateway host and domain for istiod 30 | - "ISTIOD-HOST.DOMAIN" 31 | --- 32 | apiVersion: networking.istio.io/v1alpha3 33 | kind: VirtualService 34 | metadata: 35 | name: istiod-vs 36 | spec: 37 | hosts: 38 | # use a valid gateway host and domain for istiod 39 | - "ISTIOD-HOST.DOMAIN" 40 | gateways: 41 | - istiod-gateway 42 | http: 43 | - match: 44 | - port: 15012 45 | route: 46 | - destination: 47 | host: istiod.istio-system.svc.cluster.local 48 | port: 49 | number: 15012 50 | - match: 51 | - port: 15017 52 | route: 53 | - destination: 54 | host: istiod.istio-system.svc.cluster.local 55 | port: 56 | number: 443 57 | --- 58 | apiVersion: networking.istio.io/v1alpha3 59 | kind: DestinationRule 60 | metadata: 61 | name: istiod-dr 62 | spec: 63 | host: istiod.istio-system.svc.cluster.local 64 | trafficPolicy: 65 | portLevelSettings: 66 | - port: 67 | number: 15012 68 | tls: 69 | mode: SIMPLE 70 | connectionPool: 71 | http: 72 | h2UpgradePolicy: UPGRADE 73 | - port: 74 | number: 443 75 | tls: 76 | mode: SIMPLE 77 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/multicluster/expose-istiod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: istiod-gateway 5 | spec: 6 | selector: 7 | istio: eastwestgateway 8 | servers: 9 | - port: 10 | name: tls-istiod 11 | number: 15012 12 | protocol: tls 13 | tls: 14 | mode: PASSTHROUGH 15 | hosts: 16 | - "*" 17 | - port: 18 | name: tls-istiodwebhook 19 | number: 15017 20 | protocol: tls 21 | tls: 22 | mode: PASSTHROUGH 23 | hosts: 24 | - "*" 25 | --- 26 | apiVersion: networking.istio.io/v1alpha3 27 | 
kind: VirtualService 28 | metadata: 29 | name: istiod-vs 30 | spec: 31 | hosts: 32 | - "*" 33 | gateways: 34 | - istiod-gateway 35 | tls: 36 | - match: 37 | - port: 15012 38 | sniHosts: 39 | - "*" 40 | route: 41 | - destination: 42 | host: istiod.istio-system.svc.cluster.local 43 | port: 44 | number: 15012 45 | - match: 46 | - port: 15017 47 | sniHosts: 48 | - "*" 49 | route: 50 | - destination: 51 | host: istiod.istio-system.svc.cluster.local 52 | port: 53 | number: 443 54 | 55 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/multicluster/expose-services.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: cross-network-gateway 5 | spec: 6 | selector: 7 | istio: eastwestgateway 8 | servers: 9 | - port: 10 | number: 15443 11 | name: tls 12 | protocol: TLS 13 | tls: 14 | mode: AUTO_PASSTHROUGH 15 | hosts: 16 | - "*.local" 17 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/operator/cni-on.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | components: 5 | cni: 6 | enabled: true 7 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/operator/default-install.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | namespace: istio-system 5 | name: istio-operator 6 | spec: 7 | profile: default 8 | 9 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/operator/pilot-advanced-override.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | 
kind: IstioOperator 3 | spec: 4 | components: 5 | pilot: 6 | k8s: 7 | overlays: 8 | - kind: Deployment 9 | name: istiod 10 | patches: 11 | - path: spec.template.spec.containers.[name:discovery].args.[30m] 12 | value: "60m" # OVERRIDDEN 13 | - path: spec.template.spec.containers.[name:discovery].ports.[containerPort:8080].containerPort 14 | value: 8090 # OVERRIDDEN 15 | - kind: Service 16 | name: istiod 17 | patches: 18 | - path: spec.ports.[name:grpc-xds].port 19 | value: 15099 # OVERRIDDEN 20 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/operator/pilot-k8s.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | components: 5 | pilot: 6 | k8s: 7 | resources: 8 | requests: 9 | cpu: 1000m # override from default 500m 10 | memory: 4096Mi # ... default 2048Mi 11 | hpaSpec: 12 | maxReplicas: 10 # ... default 5 13 | minReplicas: 2 # ... 
default 1 14 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/operator/values-global.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | values: 5 | global: 6 | logging: 7 | level: "default:warning" # override from info 8 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/operator/values-pilot.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | values: 5 | pilot: 6 | traceSampling: 0.1 # override from 1.0 7 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/security/psp/sidecar-psp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: policy/v1beta1 # PodSecurityPolicy is deprecated and was removed in Kubernetes 1.25; Pod Security Admission is the replacement on current clusters 2 | kind: PodSecurityPolicy 3 | metadata: 4 | name: istio-sidecar 5 | spec: 6 | # Allow the istio sidecar injector to work 7 | allowedCapabilities: # both capabilities let a container reconfigure its pod's network stack; every pod admitted under this PSP may request them 8 | - NET_ADMIN 9 | - NET_RAW 10 | seLinux: 11 | rule: RunAsAny 12 | supplementalGroups: 13 | rule: RunAsAny 14 | runAsUser: # RunAsAny here and on seLinux/supplementalGroups/fsGroup imposes no restriction at all; running as root is permitted 15 | rule: RunAsAny 16 | fsGroup: 17 | rule: RunAsAny 18 | volumes: 19 | - '*' # every volume type is allowed, including hostPath 20 | --- 21 | kind: ClusterRole 22 | apiVersion: rbac.authorization.k8s.io/v1 23 | metadata: 24 | name: istio-sidecar-psp 25 | rules: 26 | - apiGroups: 27 | - extensions # NOTE(review): newer clusters serve podsecuritypolicies from the "policy" apiGroup; confirm "extensions" still matches on the target cluster 28 | resources: 29 | - podsecuritypolicies 30 | resourceNames: 31 | - istio-sidecar 32 | verbs: 33 | - use 34 | --- 35 | apiVersion: rbac.authorization.k8s.io/v1 36 | kind: ClusterRoleBinding 37 | metadata: 38 | name: istio-sidecar-psp 39 | roleRef: 40 | apiGroup: rbac.authorization.k8s.io 41 | kind: ClusterRole 42 | name: istio-sidecar-psp 43 | subjects: 44 | - apiGroup: rbac.authorization.k8s.io 45 | kind: Group 46 | name: system:serviceaccounts # every service account in every namespace may use this permissive PSP, not only sidecar-injected workloads; prefer per-namespace groups (system:serviceaccounts:<namespace>) 47 | 
-------------------------------------------------------------------------------- /istio-1.12.1/samples/sleep/README.md: -------------------------------------------------------------------------------- 1 | # Simple sleep service 2 | 3 | This sample consists of a simple service that does nothing but sleep. 4 | It's a ubuntu container with curl installed that can be used as a request source for invoking other services 5 | to experiment with Istio networking. 6 | 7 | To use it: 8 | 9 | 1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/). 10 | 11 | 1. Start the sleep service: 12 | 13 | If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled: 14 | 15 | ```bash 16 | kubectl apply -f sleep.yaml 17 | ``` 18 | 19 | Otherwise manually inject the sidecars before applying: 20 | 21 | ```bash 22 | kubectl apply -f <(istioctl kube-inject -f sleep.yaml) 23 | ``` 24 | 25 | 1. Start some other services, for example, the [Bookinfo sample](https://istio.io/docs/examples/bookinfo/). 26 | 27 | Now you can `kubectl exec` into the sleep service to experiment with Istio networking. 28 | For example, the following commands can be used to call the Bookinfo `ratings` service: 29 | 30 | ```bash 31 | export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) 32 | kubectl exec -it $SLEEP_POD -c sleep -- curl http://ratings.default.svc.cluster.local:9080/ratings/1 33 | {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}} 34 | ``` 35 | 36 | You can also use the sleep service to test accessing services outside of the mesh. 37 | See [configuring egress](https://istio.io/docs/tasks/traffic-management/egress/) for details. 
38 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/sleep/sleep-vault.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ################################################################################################## 16 | # Sleep service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: ServiceAccount 20 | metadata: 21 | name: sleep 22 | --- 23 | apiVersion: v1 24 | kind: Service 25 | metadata: 26 | name: sleep 27 | labels: 28 | app: sleep 29 | service: sleep 30 | spec: 31 | ports: 32 | - port: 80 33 | name: http 34 | selector: 35 | app: sleep 36 | --- 37 | apiVersion: apps/v1 38 | kind: Deployment 39 | metadata: 40 | name: sleep 41 | spec: 42 | replicas: 1 43 | selector: 44 | matchLabels: 45 | app: sleep 46 | template: 47 | metadata: 48 | labels: 49 | app: sleep 50 | spec: 51 | serviceAccountName: vault-citadel-sa 52 | containers: 53 | - name: sleep 54 | image: curlimages/curl 55 | command: ["/bin/sleep", "3650d"] 56 | imagePullPolicy: IfNotPresent 57 | --- 58 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/sleep/sleep.yaml: -------------------------------------------------------------------------------- 
1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ################################################################################################## 16 | # Sleep service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: ServiceAccount 20 | metadata: 21 | name: sleep 22 | --- 23 | apiVersion: v1 24 | kind: Service 25 | metadata: 26 | name: sleep 27 | labels: 28 | app: sleep 29 | service: sleep 30 | spec: 31 | ports: 32 | - port: 80 33 | name: http 34 | selector: 35 | app: sleep 36 | --- 37 | apiVersion: apps/v1 38 | kind: Deployment 39 | metadata: 40 | name: sleep 41 | spec: 42 | replicas: 1 43 | selector: 44 | matchLabels: 45 | app: sleep 46 | template: 47 | metadata: 48 | labels: 49 | app: sleep 50 | spec: 51 | terminationGracePeriodSeconds: 0 52 | serviceAccountName: sleep 53 | containers: 54 | - name: sleep 55 | image: curlimages/curl 56 | command: ["/bin/sleep", "3650d"] 57 | imagePullPolicy: IfNotPresent 58 | volumeMounts: 59 | - mountPath: /etc/sleep/tls 60 | name: secret-volume 61 | volumes: 62 | - name: secret-volume 63 | secret: 64 | secretName: sleep-secret 65 | optional: true 66 | --- 67 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/tcp-echo/README.md: -------------------------------------------------------------------------------- 1 | # 
TCP Echo Service 2 | 3 | This sample runs [TCP Echo Server](src/) as an Istio service. TCP Echo Server 4 | allows you to connect to it over TCP and echoes back data sent to it along with 5 | a preconfigured prefix. 6 | 7 | ## Usage 8 | 9 | To run the TCP Echo Service sample: 10 | 11 | 1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/kubernetes/quick-start.html). 12 | 13 | 1. Start the `tcp-echo-server` service inside the Istio service mesh: 14 | 15 | ```console 16 | $ kubectl apply -f <(istioctl kube-inject -f tcp-echo.yaml) 17 | service/tcp-echo created 18 | deployment.extensions/tcp-echo created 19 | ``` 20 | 21 | 1. Test by running the `nc` command from a `busybox` container from within the cluster. 22 | 23 | ```console 24 | $ kubectl run -i --rm --restart=Never dummy --image=busybox -- sh -c "echo world | nc tcp-echo 9000" 25 | hello world 26 | pod "dummy" deleted 27 | ``` 28 | 29 | As you observe, sending _world_ on a TCP connection to the server results in 30 | the server prepending _hello_ and echoing back with _hello world_. 31 | 32 | 1. To clean up, execute the following command: 33 | 34 | ```console 35 | $ kubectl delete -f tcp-echo.yaml 36 | service "tcp-echo" deleted 37 | deployment.extensions "tcp-echo" deleted 38 | ``` 39 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/tcp-echo/tcp-echo-20-v2.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | apiVersion: networking.istio.io/v1alpha3 16 | kind: VirtualService 17 | metadata: 18 | name: tcp-echo 19 | spec: 20 | hosts: 21 | - "*" 22 | gateways: 23 | - tcp-echo-gateway 24 | tcp: 25 | - match: 26 | - port: 31400 27 | route: 28 | - destination: 29 | host: tcp-echo 30 | port: 31 | number: 9000 32 | subset: v1 33 | weight: 80 34 | - destination: 35 | host: tcp-echo 36 | port: 37 | number: 9000 38 | subset: v2 39 | weight: 20 40 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/tcp-echo/tcp-echo-all-v1.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | apiVersion: networking.istio.io/v1alpha3 16 | kind: Gateway 17 | metadata: 18 | name: tcp-echo-gateway 19 | spec: 20 | selector: 21 | istio: ingressgateway 22 | servers: 23 | - port: 24 | number: 31400 25 | name: tcp 26 | protocol: TCP 27 | hosts: 28 | - "*" 29 | --- 30 | apiVersion: networking.istio.io/v1alpha3 31 | kind: DestinationRule 32 | metadata: 33 | name: tcp-echo-destination 34 | spec: 35 | host: tcp-echo 36 | subsets: 37 | - name: v1 38 | labels: 39 | version: v1 40 | - name: v2 41 | labels: 42 | version: v2 43 | --- 44 | apiVersion: networking.istio.io/v1alpha3 45 | kind: VirtualService 46 | metadata: 47 | name: tcp-echo 48 | spec: 49 | hosts: 50 | - "*" 51 | gateways: 52 | - tcp-echo-gateway 53 | tcp: 54 | - match: 55 | - port: 31400 56 | route: 57 | - destination: 58 | host: tcp-echo 59 | port: 60 | number: 9000 61 | subset: v1 62 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/tcp-echo/tcp-echo.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | ################################################################################ 16 | # tcp-echo service 17 | ################################################################################ 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: tcp-echo 22 | labels: 23 | app: tcp-echo 24 | service: tcp-echo 25 | spec: 26 | ports: 27 | - name: tcp 28 | port: 9000 29 | - name: tcp-other 30 | port: 9001 31 | # Port 9002 is omitted intentionally for testing the pass through filter chain. 32 | selector: 33 | app: tcp-echo 34 | --- 35 | apiVersion: apps/v1 36 | kind: Deployment 37 | metadata: 38 | name: tcp-echo 39 | spec: 40 | replicas: 1 41 | selector: 42 | matchLabels: 43 | app: tcp-echo 44 | version: v1 45 | template: 46 | metadata: 47 | labels: 48 | app: tcp-echo 49 | version: v1 50 | spec: 51 | containers: 52 | - name: tcp-echo 53 | image: docker.io/istio/tcp-echo-server:1.2 54 | imagePullPolicy: IfNotPresent 55 | args: [ "9000,9001,9002", "hello" ] 56 | ports: 57 | - containerPort: 9000 58 | - containerPort: 9001 59 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/websockets/README.md: -------------------------------------------------------------------------------- 1 | # Tornado - Demo Websockets App 2 | 3 | This is a sample application that demonstrates the use of an upgraded websockets connection on an ingress traffic when using Istio `VirtualService`. 4 | The `app.yaml` creates a Kubernetes `Service` and a `Deployment` that is based on an existing Docker image for [Hiroakis's Tornado Websocket Example](https://github.com/hiroakis/tornado-websocket-example). 5 | 6 | __Notice:__ The addition of websockets upgrade support in v1alpha3 routing rules has only been added after the release of `Istio v0.8.0`. 7 | 8 | ## Prerequisites 9 | 10 | Install Istio by following the [Istio Quick Start](https://istio.io/docs/setup/kubernetes/quick-start.html). 11 | 12 | ## Installation 13 | 14 | 1. 
First install the application service: 15 | 16 | - With manual sidecar injection: 17 | 18 | ```command 19 | kubectl create -f <(istioctl kube-inject -f samples/websockets/app.yaml) 20 | ``` 21 | 22 | - With automatic sidecar injection: 23 | 24 | ```command 25 | kubectl create -f samples/websockets/app.yaml 26 | ``` 27 | 28 | 1. Create the Ingress `Gateway` and `VirtualService` that enable the upgrade to WebSocket for incoming traffic: 29 | 30 | ```command 31 | kubectl create -f samples/websockets/route.yaml 32 | ``` 33 | 34 | ## Test 35 | 36 | - [Find your ingress gateway IP](https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports) 37 | 38 | - Access it with your browser 39 | 40 | - The `WebSocket status` should show a green `open` status, which means that a websocket connection to the server has been established. To see the websocket in action, follow the instructions in the _REST API examples_ section of the demo app webpage for updating the server-side data and getting the updated data through the open websocket to the table in the webpage (without refreshing). 
42 | 43 | ## Cleanup 44 | 45 | ```command 46 | kubectl delete -f samples/websockets/route.yaml 47 | kubectl delete -f samples/websockets/app.yaml 48 | ``` 49 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/websockets/app.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: tornado 5 | labels: 6 | app: tornado 7 | service: tornado 8 | spec: 9 | ports: 10 | - port: 8888 11 | name: http 12 | selector: 13 | app: tornado 14 | --- 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | name: tornado 19 | spec: 20 | replicas: 1 21 | selector: 22 | matchLabels: 23 | app: tornado 24 | version: v1 25 | template: 26 | metadata: 27 | labels: 28 | app: tornado 29 | version: v1 30 | spec: 31 | containers: 32 | - name: tornado 33 | image: hiroakis/tornado-websocket-example 34 | imagePullPolicy: IfNotPresent 35 | ports: 36 | - containerPort: 8888 37 | --- 38 | -------------------------------------------------------------------------------- /istio-1.12.1/samples/websockets/route.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: tornado-gateway 5 | spec: 6 | selector: 7 | istio: ingressgateway 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - "*" 15 | --- 16 | apiVersion: networking.istio.io/v1alpha3 17 | kind: VirtualService 18 | metadata: 19 | name: tornado 20 | spec: 21 | hosts: 22 | - "*" 23 | gateways: 24 | - tornado-gateway 25 | http: 26 | - match: 27 | - uri: 28 | prefix: / 29 | route: 30 | - destination: 31 | host: tornado 32 | weight: 100 33 | -------------------------------------------------------------------------------- /istio-1.12.1/tools/certs/README.md: -------------------------------------------------------------------------------- 1 | # 
Generating Certificates for Bootstrapping Multicluster / Mesh Expansion Chain of Trust 2 | 3 | The directory contains two Makefiles for generating new root, intermediate, and workload certificates: 4 | - `Makefile.k8s.mk`: Creates certificates based on a root CA from a k8s cluster. The current context in the default 5 | `kubeconfig` is used for accessing the cluster. 6 | - `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root. 7 | 8 | The table below describes the targets supported by the two Makefiles. 9 | 10 | Make Target | Makefile | Description 11 | ------ | -------- | ----------- 12 | `root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate. 13 | `fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`. 14 | `$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM with `$NAME` (e.g., `us-east`, `cluster01`, etc.). They are stored under the `$NAME` directory. To differentiate between clusters, we include a `Location` (`L`) designation in the certificates' `Subject` field, with the cluster's name. 15 | `$NAMESPACE-certs` | Both | Generates intermediate certificates and signs certificates for a virtual machine connected to the namespace `$NAMESPACE`, using the service account `$SERVICE_ACCOUNT` and the root cert, and stores them under the `$NAMESPACE` directory. 16 | `clean` | Both | Removes any generated root certificates, keys, and intermediate files. 17 | 18 | For example: 19 | 20 | ```bash 21 | make -f Makefile.selfsigned.mk root-ca 22 | ``` 23 | 24 | Note that the Makefile generates long-lived intermediate certificates. While this might be 25 | acceptable for demonstration purposes, a more realistic and secure deployment would use 26 | short-lived and automatically renewed certificates for the intermediate CAs. 
--------------------------------------------------------------------------------
/namespaces.yaml:
--------------------------------------------------------------------------------
# Namespaces used by the demo. The three application namespaces carry the
# `istio-injection: enabled` label so Istio injects a sidecar into every pod
# created in them; `istio-system` is created without that label.
apiVersion: v1
kind: Namespace
metadata:
  name: demo
  labels:
    istio-injection: enabled
---
apiVersion: v1
kind: Namespace
metadata:
  name: oauth2-proxy
  labels:
    istio-injection: enabled

---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    # NOTE(review): injecting sidecars into cert-manager is unusual. Its
    # webhook and issuer traffic then pass through Envoy and are subject to
    # the mesh's mTLS and authorization policies — confirm this is intended
    # and that those policies admit it.
    istio-injection: enabled

---
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
--------------------------------------------------------------------------------
/oauth2-proxy-values.yaml:
--------------------------------------------------------------------------------
# Oauth client configuration specifics
#
# Helm values for the oauth2-proxy chart. `config` carries the OIDC client
# credentials and cookie settings; `configFile` is a block scalar that is
# handed to oauth2-proxy verbatim as its TOML configuration, so nothing (not
# even a comment) should be added inside it that oauth2-proxy is not meant
# to read.
config:
  # OAuth client ID

  clientID: "oauth2-proxy"
  # OAuth client secret
  # NOTE(review): this client secret and the cookie secret below are demo
  # values committed in clear text. The cookie secret is what oauth2-proxy
  # uses to sign/encrypt its session cookie, so possession of this file is
  # enough to forge sessions and to act as this client towards Dex. For
  # anything beyond a local demo, source both from a Kubernetes Secret rather
  # than the values file, and rotate them.
  clientSecret: "proxy"

  cookieSecure: true
  # Session-cookie signing/encryption key (see the NOTE above).
  cookieSecret: "b311562c684c75e497b4fb3f08c3deea"
  # The name of the cookie that oauth2-proxy will create
  # If left empty, it will default to the release name
  cookieName: "_oauth2_proxy"

  # NOTE(review): settings in the TOML below that widen access or trust and
  # deserve a second look before this file is reused outside the demo:
  #  - `email_domains = [ "*" ]` together with `oidc_email_claim = "sub"`
  #    admits every subject Dex issues a token for; narrow the domain list to
  #    the intended users.
  #  - `cookie_domains = [ "*.example.com" ]` shares the session cookie with
  #    every example.com subdomain, so any service hosted there receives it.
  #  - `real_client_ip_header = "X-Forwarded-For"` is only trustworthy if the
  #    ingress gateway overwrites that header; otherwise the recorded client
  #    IP is whatever the caller sent.
  #  - `skip_jwt_bearer_tokens = true` lets a request carrying a bearer JWT
  #    bypass the cookie session; this relies on oauth2-proxy validating the
  #    token against `oidc_issuer_url` — confirm for the oauth2-proxy version
  #    the chart deploys.
  #  - `set_authorization_header` / `pass_access_token` expose the ID and
  #    access tokens as headers. The upstream is `static://200`, i.e. the
  #    proxy acts as an external authorizer, so these headers reach whatever
  #    consumes its responses.
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "static://200" ]
    provider = "oidc"
    cookie_refresh = "5m"
    cookie_expire = "4h"
    cookie_domains = [ "*.example.com" ]
    cookie_samesite = "lax"
    set_xauthrequest = true
    set_authorization_header = true
    pass_authorization_header = true
    pass_host_header = true
    pass_access_token = true
    skip_jwt_bearer_tokens = true
    reverse_proxy = true
    skip_provider_button = true
    http_address = "0.0.0.0:4180"
    silence_ping_logging = true
    oidc_issuer_url = "https://dex.example.com"
    scope = "openid"
    oidc_email_claim = "sub"
    real_client_ip_header = "X-Forwarded-For"
--------------------------------------------------------------------------------