diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8c003640..f4f36456 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -60,6 +60,7 @@ jobs: with: args: --timeout=10m --tests="false" version: v1.47.0 + go-version: '1.14' style-check: name: style-check runs-on: ubuntu-latest diff --git a/istio-1.18.2/LICENSE b/istio-1.18.2/LICENSE deleted file mode 100644 index bb7b19de..00000000 --- a/istio-1.18.2/LICENSE +++ /dev/null @@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2016-2022 Istio Authors - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/istio-1.18.2/README.md b/istio-1.18.2/README.md deleted file mode 100644 index 8955af70..00000000 --- a/istio-1.18.2/README.md +++ /dev/null @@ -1,117 +0,0 @@ -# Istio - -[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1395/badge)](https://bestpractices.coreinfrastructure.org/projects/1395) -[![Go Report Card](https://goreportcard.com/badge/github.com/istio/istio)](https://goreportcard.com/report/github.com/istio/istio) -[![GoDoc](https://godoc.org/istio.io/istio?status.svg)](https://godoc.org/istio.io/istio) - - - Istio logo - - ---- - -Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes. - -- For in-depth information about how to use Istio, visit [istio.io](https://istio.io) -- To ask questions and get assistance from our community, visit [discuss.istio.io](https://discuss.istio.io) -- To learn how to participate in our overall community, visit [our community page](https://istio.io/about/community) - -In this README: - -- [Introduction](#introduction) -- [Repositories](#repositories) -- [Issue management](#issue-management) - -In addition, here are some other documents you may wish to read: - -- [Istio Community](https://github.com/istio/community#istio-community) - describes how to get involved and contribute to the Istio project -- [Istio Developer's Guide](https://github.com/istio/istio/wiki/Preparing-for-Development) - explains how to set up and use an Istio development environment -- [Project Conventions](https://github.com/istio/istio/wiki/Development-Conventions) - describes the conventions we use within the code base -- [Creating Fast and Lean Code](https://github.com/istio/istio/wiki/Writing-Fast-and-Lean-Code) - performance-oriented advice and guidelines for the code base - -You'll find many other useful documents on our [Wiki](https://github.com/istio/istio/wiki). - -## Introduction - -[Istio](https://istio.io/latest/docs/concepts/what-is-istio/) is an open platform for providing a uniform way to [integrate -microservices](https://istio.io/latest/docs/examples/microservices-istio/), manage [traffic flow](https://istio.io/latest/docs/concepts/traffic-management/) across microservices, enforce policies -and aggregate telemetry data. Istio's control plane provides an abstraction -layer over the underlying cluster management platform, such as Kubernetes. - -Istio is composed of these components: - -- **Envoy** - Sidecar proxies per microservice to handle ingress/egress traffic - between services in the cluster and from a service to external - services. The proxies form a _secure microservice mesh_ providing a rich - set of functions like discovery, rich layer-7 routing, circuit breakers, - policy enforcement and telemetry recording/reporting - functions. - - > Note: The service mesh is not an overlay network. It - > simplifies and enhances how microservices in an application talk to each - > other over the network provided by the underlying platform. - -- **Istiod** - The Istio control plane. It provides service discovery, configuration and certificate management. It consists of the following sub-components: - - - **Pilot** - Responsible for configuring the proxies at runtime. - - - **Citadel** - Responsible for certificate issuance and rotation. - - - **Galley** - Responsible for validating, ingesting, aggregating, transforming and distributing config within Istio. - -- **Operator** - The component provides user friendly options to operate the Istio service mesh. - -## Repositories - -The Istio project is divided across a few GitHub repositories: - -- [istio/api](https://github.com/istio/api). This repository defines -component-level APIs and common configuration formats for the Istio platform. - -- [istio/community](https://github.com/istio/community). This repository contains -information on the Istio community, including the various documents that govern -the Istio open source project. - -- [istio/istio](README.md). This is the main code repository. It hosts Istio's -core components, install artifacts, and sample programs. It includes: - - - [istioctl](istioctl/). This directory contains code for the -[_istioctl_](https://istio.io/latest/docs/reference/commands/istioctl/) command line utility. - - - [operator](operator/). This directory contains code for the -[Istio Operator](https://istio.io/latest/docs/setup/install/operator/). - - - [pilot](pilot/). This directory -contains platform-specific code to populate the -[abstract service model](https://istio.io/docs/concepts/traffic-management/#pilot), dynamically reconfigure the proxies -when the application topology changes, as well as translate -[routing rules](https://istio.io/latest/docs/reference/config/networking/) into proxy specific configuration. - - - [security](security/). This directory contains [security](https://istio.io/latest/docs/concepts/security/) related code, -including Citadel (acting as Certificate Authority), citadel agent, etc. - -- [istio/proxy](https://github.com/istio/proxy). The Istio proxy contains -extensions to the [Envoy proxy](https://github.com/envoyproxy/envoy) (in the form of -Envoy filters) that support authentication, authorization, and telemetry collection. - -## Issue management - -We use GitHub to track all of our bugs and feature requests. Each issue we track has a variety of metadata: - -- **Epic**. An epic represents a feature area for Istio as a whole. Epics are fairly broad in scope and are basically product-level things. -Each issue is ultimately part of an epic. - -- **Milestone**. Each issue is assigned a milestone. This is 0.1, 0.2, ..., or 'Nebulous Future'. The milestone indicates when we -think the issue should get addressed. - -- **Priority**. Each issue has a priority which is represented by the column in the [Prioritization](https://github.com/orgs/istio/projects/6) project. Priority can be one of -P0, P1, P2, or >P2. The priority indicates how important it is to address the issue within the milestone. P0 says that the -milestone cannot be considered achieved if the issue isn't resolved. - ---- - -
- Cloud Native Computing Foundation logo -

Istio is a Cloud Native Computing Foundation project.

-
diff --git a/istio-1.18.2/manifest.yaml b/istio-1.18.2/manifest.yaml deleted file mode 100644 index d8a50816..00000000 --- a/istio-1.18.2/manifest.yaml +++ /dev/null @@ -1,33 +0,0 @@ -architectures: -- linux/amd64 -- linux/arm64 -dashboards: - istio-extension-dashboard: 13277 - istio-mesh-dashboard: 7639 - istio-performance-dashboard: 11829 - istio-service-dashboard: 7636 - istio-workload-dashboard: 7630 - pilot-dashboard: 7645 -dependencies: - api: - sha: 06047cce866f317d90b6ee58386aba7faa63ed9e - client-go: - sha: 2683ac554dc2cf65a0a78dfbe8335e593a207f42 - istio: - sha: 0183f2886bc078e8df4d6bbd21fa452a3a23481d - pkg: - sha: 1015535057be24595b88a2b39555716bb0d82bf6 - proxy: - sha: 3c27a1b0cf381ca854ccc3a2034e88c206928da2 - release-builder: - sha: bcf4277ff6c526761200652122bb4ea2d21f5747 - test-infra: - sha: 776c397ca9590b77c00b19d58f888805f3cb986f - tools: - sha: 60988e44238a79538c9d667a56b15895296f95a3 - ztunnel: - sha: 556e299c60ecba1fc2697810010a6a76c3ae6535 -docker: docker.io/istio -dockerOutput: tar -skipGenerateBillOfMaterials: false -version: 1.18.2 diff --git a/istio-1.18.2/manifests/charts/README.md b/istio-1.18.2/manifests/charts/README.md deleted file mode 100644 index 6575a50c..00000000 --- a/istio-1.18.2/manifests/charts/README.md +++ /dev/null @@ -1,136 +0,0 @@ -# Istio Installer - -Note: If making any changes to the charts or values.yaml in this dir, first read [UPDATING-CHARTS.md](UPDATING-CHARTS.md) - -Istio installer is a modular, 'a-la-carte' installer for Istio. It is based on a -fork of the Istio helm templates, refactored to increase modularity and isolation. - -Goals: -- Improve upgrade experience: users should be able to gradually roll upgrades, with proper -canary deployments for Istio components. It should be possible to deploy a new version while keeping the -stable version in place and gradually migrate apps to the new version. - -- More flexibility: the new installer allows multiple 'environments', allowing applications to select -a set of control plane settings and components. While the entire mesh respects the same APIs and config, -apps may target different 'environments' which contain different instances and variants of Istio. - -- Better security: separate Istio components reside in different namespaces, allowing different teams or -roles to manage different parts of Istio. For example, a security team would maintain the -root CA and policy, a telemetry team may only have access to Prometheus, -and a different team may maintain the control plane components (which are highly security sensitive). - -The install is organized in 'environments' - each environment consists of a set of components -in different namespaces that are configured to work together. Regardless of 'environment', -workloads can talk with each other and obey the Istio configuration resources, but each environment -can use different Istio versions and different configuration defaults. - -`istioctl kube-inject` or the automatic sidecar injector are used to select the environment. -In the case of the sidecar injector, the namespace label `istio-env: ` is used instead -of the conventional `istio-injected: true`. The name of the environment is defined as the namespace -where the corresponding control plane components (config, discovery, auto-injection) are running. -In the examples below, by default this is the `istio-control` namespace. Pod annotations can also -be used to select a different 'environment'. - -## Installing - -The new installer is intended to be modular and very explicit about what is installed. It has -far more steps than the Istio installer - but each step is smaller and focused on a specific -feature, and can be performed by different people/teams at different times. - -It is strongly recommended that different namespaces are used, with different service accounts. -In particular access to the security-critical production components (root CA, policy, control) -should be locked down and restricted. The new installer allows multiple instances of -policy/control/telemetry - so testing/staging of new settings and versions can be performed -by a different role than the prod version. - -The intended users of this repo are users running Istio in production who want to select, tune -and understand each binary that gets deployed, and select which combination to use. - -Note: each component can be installed in parallel with an existing Istio 1.0 or 1.1 install in -`istio-system`. The new components will not interfere with existing apps, but can interoperate -and it is possible to gradually move apps from Istio 1.0/1.1 to the new environments and -across environments ( for example canary -> prod ) - -Note: there are still some cluster roles that may need to be fixed, most likely cluster permissions -will need to move to the security component. - -## Everything is Optional - -Each component in the new installer is optional. Users can install the component defined in the new installer, -use the equivalent component in `istio-system`, configured with the official installer, or use a different -version or implementation. - -For example you may use your own Prometheus and Grafana installs, or you may use a specialized/custom -certificate provisioning tool, or use components that are centrally managed and running in a different cluster. - -This is a work in progress - building on top of the multi-cluster installer. - -As an extreme, the goal is to be possible to run Istio workloads in a cluster without installing any Istio component -in that cluster. Currently the minimum we require is the security provider (node agent or citadel). - -### Install Istio CRDs - -This is the first step of the install. Please do not remove or edit any CRD - config currently requires -all CRDs to be present. On each upgrade it is recommended to reapply the file, to make sure -you get all CRDs. CRDs are separated by release and by component type in the CRD directory. - -Istio has strong integration with certmanager. Some operators may want to keep their current certmanager -CRDs in place and not have Istio modify them. In this case, it is necessary to apply CRD files individually. - -```bash -kubectl apply -k github.com/istio/installer/base -``` - -or - -```bash -kubectl apply -f base/files -``` - -### Install Istio-CNI - -This is an optional step - CNI must run in a dedicated namespace, it is a 'singleton' and extremely -security sensitive. Access to the CNI namespace must be highly restricted. - -**NOTE:** The environment variable `ISTIO_CLUSTER_ISGKE` is assumed to be set to `true` if the cluster -is a GKE cluster. - -```bash -ISTIO_CNI_ARGS= -# TODO: What k8s data can we use for this check for whether GKE? -if [[ "${ISTIO_CLUSTER_ISGKE}" == "true" ]]; then - ISTIO_CNI_ARGS="--set cni.cniBinDir=/home/kubernetes/bin" -fi -iop kube-system istio-cni $IBASE/istio-cni/ ${ISTIO_CNI_ARGS} -``` - -TODO. It is possible to add Istio-CNI later, and gradually migrate. - -### Install Control plane - -This can run in any cluster. A mesh should have at least one cluster should run Pilot or equivalent XDS server, -and it is recommended to have Pilot running in each region and in multiple availability zones for multi cluster. - -```bash -iop istio-control istio-discovery $IBASE/istio-control/istio-discovery \ - --set global.istioNamespace=istio-system - -# Second istio-discovery, using master version of istio -TAG=latest HUB=gcr.io/istio-testing iop istio-master istio-discovery-master $IBASE/istio-control/istio-discovery \ - --set policy.enable=false \ - --set global.istioNamespace=istio-master -``` - -### Gateways - -A cluster may use multiple Gateways, each with a different load balancer IP, domains and certificates. - -Since the domain certificates are stored in the gateway namespace, it is recommended to keep each -gateway in a dedicated namespace and restrict access. - -For large-scale gateways it is optionally possible to use a dedicated pilot in the gateway namespace. - -### Additional test templates - -A number of helm test setups are general-purpose and should be installable in any cluster, to confirm -Istio works properly and allow testing the specific install. diff --git a/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md b/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md deleted file mode 100644 index 88a89291..00000000 --- a/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md +++ /dev/null @@ -1,67 +0,0 @@ -# Updating charts and values.yaml - -## Acceptable Pull Requests - -Helm charts `values.yaml` represent a complex user facing API that tends to grow uncontrollably over time -due to design choices in Helm. -The underlying Kubernetes resources we configure have 1000s of fields; given enough users and bespoke use cases, -eventually someone will want to customize every one of those fields. -If all fields are exposed in `values.yaml`, we end up with an massive API that is also likely worse than just using the Kubernetes API directly. - -To avoid this, the project attempts to minimize additions to the `values.yaml` API where possible. - -If the change is a dynamic runtime configuration, it probably belongs in the [MeshConfig API](https://github.com/istio/api/blob/master/mesh/v1alpha1/config.proto). -This allows configuration without re-installing or restarting deployments. - -If the change is to a Kubernetes field (such as modifying a Deployment attribute), it will likely need to be install-time configuration. -However, that doesn't necessarily mean a PR to add a value will be accepted. -The `values.yaml` API is intended to maintain a *minimal core set of configuration* that most users will use. -For bespoke use cases, [Helm Chart Customization](https://istio.io/latest/docs/setup/additional-setup/customize-installation-helm/#advanced-helm-chart-customization) can be used -to allow arbitrary customizations. - -If the change truly is generally purpose, it is generally preferred to have broader APIs. For example, instead of providing -direct access to each of the complex fields in [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/), just providing -a single `affinity` field that is passed through as-is to the Kubernetes resource. -This provides maximum flexibility with minimal API surface overhead. - -## Making changes - -## Step 1. Make changes in charts and values.yaml in `manifests` directory - -Be sure to provide sufficient documentation and example usage in values.yaml. -If the chart has a `values.schema.json`, that should be updated as well. - -## Step 2. Update the istioctl/Operator values - -If you are modifying the `gateway` chart, you can stop here. -All other charts, however, are exposed by `istioctl` and need to follow the steps below. - -The charts in the `manifests` directory are used in istioctl to generate an installation manifest. - -If `values.yaml` is changed, be sure to update corresponding values changes in [../profiles/default.yaml](../profiles/default.yaml) - -## Step 3. Update istioctl schema - -Istioctl uses a [schema](../../operator/pkg/apis/istio/v1alpha1/values_types.proto) to validate the values. Any changes to -the schema must be added here, otherwise istioctl users will see errors. -Once the schema file is updated, run: - -```bash -$ make operator-proto -``` - -This will regenerate the Go structs used for schema validation. - -## Step 4. Update the generated manifests - -Tests of istioctl use the auto-generated manifests to ensure that the istioctl binary has the correct version of the charts. -These manifests can be found in [gen-istio.yaml](../charts/istio-control/istio-discovery/files/gen-istio.yaml). -To regenerate the manifests, run: - -```bash -$ make copy-templates update-golden -``` - -## Step 5. Create a PR using outputs from Steps 1 to 4 - -Your PR should pass all the checks if you followed these steps. diff --git a/istio-1.18.2/manifests/charts/base/Chart.yaml b/istio-1.18.2/manifests/charts/base/Chart.yaml deleted file mode 100644 index 8e2b4c5b..00000000 --- a/istio-1.18.2/manifests/charts/base/Chart.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -name: base -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio cluster resources and CRDs -keywords: - - istio -sources: - - https://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/base/README.md b/istio-1.18.2/manifests/charts/base/README.md deleted file mode 100644 index 68bf667a..00000000 --- a/istio-1.18.2/manifests/charts/base/README.md +++ /dev/null @@ -1,21 +0,0 @@ -# Istio base Helm Chart - -This chart installs resources shared by all Istio revisions. This includes Istio CRDs. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-base`: - -```console -kubectl create namespace istio-system -helm install istio-base istio/base -n istio-system -``` diff --git a/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml b/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml deleted file mode 100644 index 7c294856..00000000 --- a/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml +++ /dev/null @@ -1,7199 +0,0 @@ -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: wasmplugins.extensions.istio.io -spec: - group: extensions.istio.io - names: - categories: - - istio-io - - extensions-istio-io - kind: WasmPlugin - listKind: WasmPluginList - plural: wasmplugins - singular: wasmplugin - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Extend the functionality provided by the Istio proxy through - WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' - properties: - imagePullPolicy: - enum: - - UNSPECIFIED_POLICY - - IfNotPresent - - Always - type: string - imagePullSecret: - description: Credentials to use for OCI image pulling. - type: string - match: - description: Specifies the criteria to determine which traffic is - passed to WasmPlugin. - items: - properties: - mode: - description: Criteria for selecting traffic by their direction. - enum: - - UNDEFINED - - CLIENT - - SERVER - - CLIENT_AND_SERVER - type: string - ports: - description: Criteria for selecting traffic by their destination - port. - items: - properties: - number: - type: integer - type: object - type: array - type: object - type: array - phase: - description: Determines where in the filter chain this `WasmPlugin` - is to be injected. - enum: - - UNSPECIFIED_PHASE - - AUTHN - - AUTHZ - - STATS - type: string - pluginConfig: - description: The configuration that will be passed on to the plugin. - type: object - x-kubernetes-preserve-unknown-fields: true - pluginName: - type: string - priority: - description: Determines ordering of `WasmPlugins` in the same `phase`. - nullable: true - type: integer - selector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - sha256: - description: SHA256 checksum that will be used to verify Wasm module - or OCI container. - type: string - url: - description: URL of a Wasm module or OCI container. - type: string - verificationKey: - type: string - vmConfig: - description: Configuration for a Wasm VM. - properties: - env: - description: Specifies environment variables to be injected to - this VM. - items: - properties: - name: - type: string - value: - description: Value for the environment variable. - type: string - valueFrom: - enum: - - INLINE - - HOST - type: string - type: object - type: array - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - type: object - type: object - workloadSelector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - type: object - type: object - workloadSelector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - type: object - proxyVersion: - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - type: integer - vhost: - properties: - name: - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. - format: int32 - type: integer - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more - details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. - type: string - type: object - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - type: string - jwksUri: - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - type: string - jwksUri: - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows provides the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - type: string - metric: - description: One of the well-known Istio Standard - Metrics. - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to - update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - reportingInterval: - description: Optional. - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - type: string - type: object - header: - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - type: string - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - type: string - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - randomSamplingPercentage: - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- diff --git a/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml b/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml deleted file mode 100644 index 2a80f418..00000000 --- a/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml +++ /dev/null @@ -1,48 +0,0 @@ -# SYNC WITH manifests/charts/istio-operator/templates -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - conversion: - strategy: None - group: install.istio.io - names: - kind: IstioOperator - listKind: IstioOperatorList - plural: istiooperators - singular: istiooperator - shortNames: - - iop - - io - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Istio control plane revision - jsonPath: .spec.revision - name: Revision - type: string - - description: IOP current state - jsonPath: .status.status - name: Status - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- diff --git a/istio-1.18.2/manifests/charts/base/templates/NOTES.txt b/istio-1.18.2/manifests/charts/base/templates/NOTES.txt deleted file mode 100644 index 00645016..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -Istio base successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} diff --git a/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml deleted file mode 100644 index e0cbea8f..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml +++ /dev/null @@ -1,181 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-{{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list"] - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] -{{- if or .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} ---- diff --git a/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml deleted file mode 100644 index d61729b2..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-{{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-{{ .Values.global.istioNamespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-{{ .Values.global.istioNamespace }} -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: {{ .Values.global.istioNamespace }} ---- diff --git a/istio-1.18.2/manifests/charts/base/templates/crds.yaml b/istio-1.18.2/manifests/charts/base/templates/crds.yaml deleted file mode 100644 index 871ee2a6..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/crds.yaml +++ /dev/null @@ -1,4 +0,0 @@ -{{- if .Values.base.enableCRDTemplates }} -{{ .Files.Get "crds/crd-all.gen.yaml" }} -{{ .Files.Get "crds/crd-operator.yaml" }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/base/templates/default.yaml b/istio-1.18.2/manifests/charts/base/templates/default.yaml deleted file mode 100644 index f7950de2..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/default.yaml +++ /dev/null @@ -1,48 +0,0 @@ -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - {{- if .Values.base.validateGateway }} - - gateway.networking.k8s.io - {{- end }} - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} diff --git a/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml b/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml deleted file mode 100644 index 2675b47a..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -# if the remotePilotAddress is an IP addr -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.pilot.enabled }} - name: istiod-remote - {{- else }} - name: istiod - {{- end }} - namespace: {{ .Release.Namespace }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml b/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml deleted file mode 100644 index d9ce18c2..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# This service account aggregates reader permissions for the revisions in a given cluster -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} diff --git a/istio-1.18.2/manifests/charts/base/templates/role.yaml b/istio-1.18.2/manifests/charts/base/templates/role.yaml deleted file mode 100644 index ca1a4243..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/role.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] diff --git a/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml deleted file mode 100644 index 2b591fb8..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod-{{ .Values.global.istioNamespace }} -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml deleted file mode 100644 index ec25fd25..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} diff --git a/istio-1.18.2/manifests/charts/base/templates/services.yaml b/istio-1.18.2/manifests/charts/base/templates/services.yaml deleted file mode 100644 index 2bc55e66..00000000 --- a/istio-1.18.2/manifests/charts/base/templates/services.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.pilot.enabled }} - # when local istiod is enabled, we can't use istiod service name to reach the remote control plane - name: istiod-remote - {{- else }} - # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane - name: istiod - {{- end }} - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/base/values.yaml b/istio-1.18.2/manifests/charts/base/values.yaml deleted file mode 100644 index 96a74562..00000000 --- a/istio-1.18.2/manifests/charts/base/values.yaml +++ /dev/null @@ -1,29 +0,0 @@ -global: - - # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - - # Used to locate istiod. - istioNamespace: istio-system - - istiod: - enableAnalysis: false - - configValidation: true - externalIstiod: false - remotePilotAddress: "" - -base: - # Used for helm2 to add the CRDs to templates. - enableCRDTemplates: false - - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - -defaultRevision: "default" diff --git a/istio-1.18.2/manifests/charts/default/Chart.yaml b/istio-1.18.2/manifests/charts/default/Chart.yaml deleted file mode 100644 index 90ddf756..00000000 --- a/istio-1.18.2/manifests/charts/default/Chart.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -name: istio-default -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.0.0 -appVersion: 1.0.0 -description: Helm chart for istio default revision components. -keywords: - - istio -sources: - - https://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml deleted file mode 100644 index 5fa635eb..00000000 --- a/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,125 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionURL" .Values.istiodRemote.injectionURL - "namespace" .Release.Namespace }} -{{- define "core" }} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: {{ .injectionURL }} - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "/inject" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} - -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: istio-revision-tag-default - labels: - istio.io/tag: "default" - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "default" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "default" - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} diff --git a/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml b/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml deleted file mode 100644 index 8ffa277e..00000000 --- a/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - istio.io/tag: "default" - # Required to make sure this resource is removed - # when purging Istio resources - operator.istio.io/component: Pilot -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - {{- if .Values.base.validateGateway }} - - gateway.networking.k8s.io - {{- end }} - apiVersions: - - "*" - resources: - - "*" - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist ---- diff --git a/istio-1.18.2/manifests/charts/default/values.yaml b/istio-1.18.2/manifests/charts/default/values.yaml deleted file mode 100644 index f0b1c35d..00000000 --- a/istio-1.18.2/manifests/charts/default/values.yaml +++ /dev/null @@ -1,27 +0,0 @@ -global: - # Used to locate istiod. - istioNamespace: "istio-system" - -base: - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - # If enabled, gateway-api types will be validated using the standard upstream validation logic. - # This is an alternative to deploying the standalone validation server the project provides. - # This is disabled by default, as the cluster may already have a validation server; while technically - # it works to have multiple redundant validations, this adds complexity and operational risks. - # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers. - validateGateway: false - -istiodRemote: - # Sidecar injector mutating webhook configuration url - # For example: https://$remotePilotAddress:15017/inject - injectionURL: "" - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -sidecarInjectorWebhook: - # This enables injection of sidecar in all namespaces, - enableNamespacesByDefault: false - diff --git a/istio-1.18.2/manifests/charts/gateway/Chart.yaml b/istio-1.18.2/manifests/charts/gateway/Chart.yaml deleted file mode 100644 index e16d97e6..00000000 --- a/istio-1.18.2/manifests/charts/gateway/Chart.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v2 -name: gateway -description: Helm chart for deploying Istio gateways -type: application - -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 - -sources: -- https://github.com/istio/istio -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways \ No newline at end of file diff --git a/istio-1.18.2/manifests/charts/gateway/README.md b/istio-1.18.2/manifests/charts/gateway/README.md deleted file mode 100644 index 0e58c00f..00000000 --- a/istio-1.18.2/manifests/charts/gateway/README.md +++ /dev/null @@ -1,148 +0,0 @@ -# Istio Gateway Helm Chart - -This chart installs an Istio gateway deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-ingressgateway`: - -```console -helm install istio-ingressgateway istio/gateway -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-ingressgateway` deployment: - -```console -helm delete istio-ingressgateway -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/gateway -``` - -### `image: auto` Information - -The image used by the chart, `auto`, may be unintuitive. -This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). -This allows the same configurations and lifecycle to apply to gateways as sidecars. - -Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. -See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. - -### Examples - -#### Egress Gateway - -Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): - -```yaml -service: - # Egress gateways do not need an external LoadBalancer IP - type: ClusterIP -``` - -#### Multi-network/VM Gateway - -Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: - -```yaml -networkGateway: network-1 -``` - -### Migrating from other installation methods - -Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts -following the guidance below. -If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. - -WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. - -#### Legacy Gateway Helm charts - -Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. -These are replaced by this chart. -While not required, it is recommended all new users use this chart, and existing users migrate when possible. - -This chart has the following benefits and differences: -* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). -* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. -* Published to official Istio Helm repository. -* Single chart for all gateways (Ingress, Egress, East West). - -#### General concerns - -For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. - -If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: - -```yaml -app: istio-gateway -istio: gateway # the release name with leading istio- prefix stripped -``` - -If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels -`foo=bar,istio=ingressgateway`: - -```yaml -name: my-custom-gateway # Override the name to match existing resources -labels: - app: "" # Unset default app selector label - istio: ingressgateway # override default istio selector label - foo: bar # Add the existing custom selector label -``` - -#### Migrating an existing Helm release - -An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous -installation was done like: - -```console -helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system -``` - -It could be upgraded with - -```console -helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway -``` - -Note the name and labels are overridden to match the names of the existing installation. - -Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. -If you have AuthorizationPolicies that reference port these ports, you should update them during this process, -or customize the ports to match the old defaults. -See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. - -#### Other migrations - -If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. - -The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: - -```console -KINDS=(service deployment) -RELEASE=istio-ingressgateway -NAMESPACE=istio-system -for KIND in "${KINDS[@]}"; do - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE - kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm -done -``` - -You may ignore errors about resources not being found. diff --git a/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt b/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt deleted file mode 100644 index 78451d33..00000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index a777d43b..00000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl +++ /dev/null @@ -1,61 +0,0 @@ -{{- define "gateway.name" -}} -{{- if eq .Release.Name "RELEASE-NAME" -}} - {{- .Values.name | default "istio-ingressgateway" -}} -{{- else -}} - {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} -{{- end -}} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "gateway.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{- define "gateway.labels" -}} -helm.sh/chart: {{ include "gateway.chart" . }} -{{ include "gateway.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/name: {{ include "gateway.name" . }} -{{- range $key, $val := .Values.labels }} -{{- if not (or (eq $key "app") (eq $key "istio")) }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.podLabels" -}} -{{ include "gateway.selectorLabels" . }} -{{- range $key, $val := .Values.labels }} -{{- if not (or (eq $key "app") (eq $key "istio")) }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.selectorLabels" -}} -{{- if hasKey .Values.labels "app" }} -{{- with .Values.labels.app }}app: {{.|quote}} -{{- end}} -{{- else }}app: {{ include "gateway.name" . }} -{{- end }} -{{- if hasKey .Values.labels "istio" }} -{{- with .Values.labels.istio }} -istio: {{.|quote}} -{{- end}} -{{- else }} -istio: {{ include "gateway.name" . | trimPrefix "istio-" }} -{{- end }} -{{- end }} - -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} -{{- else }} -{{- .Values.serviceAccount.name | default "default" }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml deleted file mode 100644 index da0fa270..00000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,107 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . }} - {{- end }} - {{- include "gateway.podLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - {{- else }} - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 0 - runAsGroup: 1337 - runAsNonRoot: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml b/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml deleted file mode 100644 index e287406c..00000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} -apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: {{ .Values.kind | default "Deployment" }} - name: {{ include "gateway.name" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml deleted file mode 100644 index 77f71e7f..00000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - {{- with .Values.podDisruptionBudget }} - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateway/templates/role.yaml b/istio-1.18.2/manifests/charts/gateway/templates/role.yaml deleted file mode 100644 index c8a25cb7..00000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/role.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "gateway.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "gateway.serviceAccountName" . }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateway/templates/service.yaml b/istio-1.18.2/manifests/charts/gateway/templates/service.yaml deleted file mode 100644 index b96a52b9..00000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,50 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml deleted file mode 100644 index e5b2304d..00000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateway/values.schema.json b/istio-1.18.2/manifests/charts/gateway/values.schema.json deleted file mode 100644 index d0878a2c..00000000 --- a/istio-1.18.2/manifests/charts/gateway/values.schema.json +++ /dev/null @@ -1,219 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "additionalProperties": false, - "properties": { - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": ["object", "null"] - }, - "containerSecurityContext": { - "type": ["object", "null"] - }, - "kind":{ - "type": "string", - "enum": ["Deployment", "DaemonSet"] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": "integer" - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - } - } - }, - "revision": { - "type": "string" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": ["string", "boolean"], - "enum": [true, false, "auto"] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": ["", "Always", "IfNotPresent", "Never"] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": ["integer", "string"] - }, - "maxUnavailable": { - "type": ["integer", "string"] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": ["", "IfHealthyBudget", "AlwaysAllow"] - } - } - } - } -} diff --git a/istio-1.18.2/manifests/charts/gateway/values.yaml b/istio-1.18.2/manifests/charts/gateway/values.yaml deleted file mode 100644 index 81e757e9..00000000 --- a/istio-1.18.2/manifests/charts/gateway/values.yaml +++ /dev/null @@ -1,127 +0,0 @@ -# Name allows overriding the release name. Generally this should not be set -name: "" -# revision declares which revision this gateway is a part of -revision: "" - -replicaCount: 1 - -kind: Deployment - -rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - -serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - -podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - -# Define the security context for the pod. -# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. -# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. -securityContext: ~ -containerSecurityContext: ~ - -service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - -resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - -autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - -# Pod environment variables -env: {} - -# Labels to apply to all resources -labels: {} - -# Annotations to apply to all resources -annotations: {} - -nodeSelector: {} - -tolerations: [] - -topologySpreadConstraints: [] - -affinity: {} - -# If specified, the gateway will act as a network gateway for the given network. -networkGateway: "" - -# Specify image pull policy if default behavior isn't desired. -# Default behavior: latest images will be Always else IfNotPresent -imagePullPolicy: "" - -imagePullSecrets: [] - -# This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. -# -# By default, the `podDisruptionBudget` is disabled (set to `{}`), -# which means that no PodDisruptionBudget resource will be created. -# -# To enable the PodDisruptionBudget, configure it by specifying the -# `minAvailable` or `maxUnavailable`. For example, to set the -# minimum number of available replicas to 1, you can update this value as follows: -# -# podDisruptionBudget: -# minAvailable: 1 -# -# Or, to allow a maximum of 1 unavailable replica, you can set: -# -# podDisruptionBudget: -# maxUnavailable: 1 -# -# You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. -# For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: -# -# podDisruptionBudget: -# minAvailable: 1 -# unhealthyPodEvictionPolicy: AlwaysAllow -# -# To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: -# -# podDisruptionBudget: {} -# -podDisruptionBudget: {} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml deleted file mode 100644 index b42ee221..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -name: istio-egress -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -description: Helm chart for deploying Istio gateways -keywords: - - istio - - egressgateway - - gateways -sources: - - https://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt b/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt deleted file mode 100644 index 9baacc0e..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt +++ /dev/null @@ -1,45 +0,0 @@ - -Changes: -- separate namespace allows: --- easier reconfig of just the gateway --- TLS secrets and domain name management is isolated, for better security --- simplified configuration --- multiple versions of the ingress can be used, to minize upgrade risks - -- the new chart uses the default namespace service account, and doesn't require -additional RBAC permissions. - -- simplified label structure. Label change is not supported on upgrade. - -- for 'internal load balancer' you should deploy a separate gateway, in a different -namespace. - -All ingress gateway have a "app:ingressgateway" label, used to identify it as an -ingress, and an "istio: ingressgateway$SUFFIX" label of Gateway selection. - -The Gateways use "istio: ingressgateway$SUFFIX" selectors. - - -# Multiple gateway versions - - - -# Using different pilot versions - - - -# Migration from istio-system - -Istio 1.0 includes the gateways in istio-system. Since the external IP is associated -with the Service and bound to the namespace, it is recommended to: - -1. Install the new gateway in a new namespace. -2. Copy any TLS certificate to the new namespace, and configure the domains. -3. Checking the new gateway work - for example by overriding the IP in /etc/hosts -4. Modify the DNS server to add the A record of the new namespace -5. Check traffic -6. Delete the A record corresponding to the gateway in istio-system -7. Upgrade istio-system, disabling the ingressgateway -8. Delete the domain TLS certs from istio-system. - -If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl deleted file mode 100644 index fc1ec540..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl +++ /dev/null @@ -1,104 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} - -{{ define "nodeaffinity" }} -nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "nodeAffinityRequiredDuringScheduling" }} - {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} - {{- if or .global.arch $nodeSelector }} - nodeSelectorTerms: - - matchExpressions: - {{- if .global.arch }} - - key: kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- range $key, $val := $nodeSelector }} - - key: {{ $key }} - operator: In - values: - - {{ $val | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "nodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - {{ $key | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinity" }} -{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if .podAntiAffinityTermLabelSelector }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityPreferredDuringScheduling" . }} - {{- end }} -{{- end }} -{{- end }} - -{{- define "podAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- if $item.namespaces }} - namespaces: - {{- $ns := split "," $item.namespaces }} - {{- range $i, $n := $ns }} - - {{ $n | quote }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml deleted file mode 100644 index aa901685..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} -{{- if not .Values.global.autoscalingv2API }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: - maxReplicas: {{ $gateway.autoscaleMax }} - minReplicas: {{ $gateway.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ $gateway.name }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} ---- -{{- else }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} -apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} -kind: HorizontalPodAutoscaler -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: - maxReplicas: {{ $gateway.autoscaleMax }} - minReplicas: {{ $gateway.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ $gateway.name }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ $gateway.cpu.targetAverageUtilization }} ---- -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml deleted file mode 100644 index 60dec8b3..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml +++ /dev/null @@ -1,348 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-egressgateway" }} -{{- if eq $gateway.injectionTemplate "" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - service.istio.io/canonical-name: {{ $gateway.name }} - {{- if not (eq .Values.revision "") }} - service.istio.io/canonical-revision: {{ .Values.revision }} - {{- else}} - service.istio.io/canonical-revision: latest - {{- end }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" - sidecar.istio.io/inject: "false" - annotations: - istio.io/rev: {{ .Values.revision | default "default" }} - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "false" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- if .Values.global.proxy.enableCoreDump }} - initContainers: - - name: enable-core-dump -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - command: - - /bin/sh - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - securityContext: - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - privileged: true -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - {{- if .Values.global.proxy.logLevel }} - - --proxyLogLevel={{ .Values.global.proxy.logLevel }} - {{- end}} - {{- if .Values.global.proxy.componentLogLevel }} - - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} - {{- end}} - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: {{ $gateway.name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} - {{- if $.Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.meshID }}" - {{- else if .Values.meshConfig.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if .Values.meshConfig.trustDomain }} - - name: TRUST_DOMAIN - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} - {{- if and (not $network_set) .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert -{{- end }} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert -{{- end }} - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - secretName: istio.istio-egressgateway-service-account - optional: true - {{- end }} - - name: config-volume - configMap: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - optional: true - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml deleted file mode 100644 index 150a5bd1..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml +++ /dev/null @@ -1,146 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-egressgateway" }} -{{- if ne $gateway.injectionTemplate "" }} -{{/* This provides a minimal gateway, ready to be injected. - Any settings from values.gateways should be here - these are options specific to the gateway. - Global settings, like the image, various env vars and volumes, etc will be injected. - The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name | default "istio-egressgateway" }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . }} - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "true" - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name | default "istio-egressgateway" }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: istio-proxy - image: auto -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - volumeMounts: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml deleted file mode 100644 index ba3c6d24..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | trim | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: - minAvailable: 1 - selector: - matchLabels: -{{ $gateway.labels | toYaml | trim | indent 6 }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml deleted file mode 100644 index c472fcef..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $gateway.name }}-sds - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml deleted file mode 100644 index fd1ffcd7..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $gateway.name }}-sds - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $gateway.name }}-sds -subjects: -- kind: ServiceAccount - name: {{ $gateway.name }}-service-account ---- diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml deleted file mode 100644 index 2f8ce959..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -{{- if not $gateway.customService }} -apiVersion: v1 -kind: Service -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - annotations: - {{- range $key, $val := $gateway.serviceAnnotations }} - {{ $key }}: {{ $val | quote }} - {{- end }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: -{{- if $gateway.loadBalancerIP }} - loadBalancerIP: "{{ $gateway.loadBalancerIP }}" -{{- end }} -{{- if $gateway.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} -{{- end }} -{{- if $gateway.externalTrafficPolicy }} - externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} -{{- end }} - type: {{ $gateway.type }} - selector: -{{ $gateway.labels | toYaml | indent 4 }} - ports: - - {{- range $key, $val := $gateway.ports }} - - - {{- range $pkey, $pval := $val }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} - - {{ range $app := $gateway.egressPorts }} - - - port: {{ $app.port }} - name: {{ $app.name }} - {{- end }} ---- -{{ end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml deleted file mode 100644 index b6a3eb40..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: {{ $gateway.name }}-service-account - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | trim | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" - {{- with $gateway.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml deleted file mode 100644 index dd8588ef..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml +++ /dev/null @@ -1,299 +0,0 @@ -# Standalone istio egress gateway. -# Should be installed in a separate namespace, to minimize access to config -gateways: - istio-egressgateway: - name: istio-egressgateway - ports: - - port: 80 - targetPort: 8080 - name: http2 - protocol: TCP - - port: 443 - name: https - targetPort: 8443 - protocol: TCP - - labels: - app: istio-egressgateway - istio: egressgateway - - # Scalability tuning - # replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - cpu: - targetAverageUtilization: 80 - - serviceAnnotations: {} - podAnnotations: {} - type: ClusterIP # change to NodePort or LoadBalancer if need be - - secretVolumes: - - name: egressgateway-certs - secretName: istio-egressgateway-certs - mountPath: /etc/istio/egressgateway-certs - - name: egressgateway-ca-certs - secretName: istio-egressgateway-ca-certs - mountPath: /etc/istio/egressgateway-ca-certs - - configVolumes: [] - additionalContainers: [] - - serviceAccount: - # Annotations to add to the service account - annotations: {} - - ### Advanced options ############ - # TODO: convert to real options, env should not be exposed - env: {} - # Set this to "external" if and only if you want the egress gateway to - # act as a transparent SNI gateway that routes mTLS/TLS traffic to - # external services defined using service entries, where the service - # entry has resolution set to DNS, has one or more endpoints with - # network field set to "external". By default its set to "" so that - # the egress gateway sees the same set of endpoints as the sidecars - # preserving backward compatibility - # ISTIO_META_REQUESTED_NETWORK_VIEW: "" - - nodeSelector: {} - tolerations: [] - - # Specify the pod anti-affinity that allows you to constrain which nodes - # your pod is eligible to be scheduled based on labels on pods that are - # already running on the node rather than based on labels on nodes. - # There are currently two types of anti-affinity: - # "requiredDuringSchedulingIgnoredDuringExecution" - # "preferredDuringSchedulingIgnoredDuringExecution" - # which denote "hard" vs. "soft" requirements, you can define your values - # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" - # correspondingly. - # For example: - # podAntiAffinityLabelSelector: - # - key: security - # operator: In - # values: S1,S2 - # topologyKey: "kubernetes.io/hostname" - # This pod anti-affinity rule says that the pod requires not to be scheduled - # onto a node if that node is already running a pod with label having key - # "security" and value "S1". - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - - # whether to run the gateway in a privileged container - runAsRoot: false - - # The injection template to use for the gateway. If not set, no injection will be performed. - injectionTemplate: "" - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # set the default set of namespaces to which services, service entries, virtual services, destination - # rules should be exported to. Currently only one value can be provided in this list. This value - # should be one of the following two options: - # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. - # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host - defaultConfigVisibilitySettings: [] - - # Default node selector to be applied to all deployments so that all pods can be - # constrained to run a particular nodes. Each component can overwrite these default - # values by adding its node selector block in the relevant section below and setting - # the desired values. - defaultNodeSelector: {} - - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default node tolerations to be applied to all deployments so that all pods can be - # scheduled to a particular nodes with matching taints. Each component can overwrite - # these default values by adding its tolerations block in the relevant section below - # and setting the desired values. - # Configure this field in case that all pods of Istio control plane are expected to - # be scheduled to particular nodes with specified taints. - defaultTolerations: [] - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.18.2 - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: - # 0 - Never scheduled - # 1 - Least preferred - # 2 - No preference - # 3 - Most preferred - arch: {} - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # Used to locate istiod. - istioNamespace: istio-system - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # whether to use autoscaling/v2 template for HPA settings - # for internal usage only, not to be configured by users. - autoscalingv2API: true - -meshConfig: - enablePrometheusMerge: true - - # The trust domain corresponds to the trust root of a system - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - defaultConfig: - proxyMetadata: {} - tracing: - # tlsSettings: - # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem - # privateKey: # example: /etc/istio/tracer/key.pem - # caCertificates: # example: /etc/istio/tracer/root-cert.pem - # sni: # example: tracer.somedomain - # subjectAltNames: [] - # - tracer.somedomain diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml deleted file mode 100644 index fd1e5f88..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -name: istio-ingress -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio gateways -keywords: - - istio - - ingressgateway - - gateways -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt b/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt deleted file mode 100644 index 221ee560..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt +++ /dev/null @@ -1,43 +0,0 @@ - -Changes: -- separate namespace allows: --- easier reconfig of just the gateway --- TLS secrets and domain name management is isolated, for better security --- simplified configuration --- multiple versions of the ingress can be used, to minimize upgrade risks - -- the new chart uses the default namespace service account, and doesn't require -additional RBAC permissions. - -- simplified label and chart structure. -- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades -and allows a bit more flexibility. -- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress. - -# Port and basic host configuration - -In order to configure the Service object, the install/upgrade needs to provide a list of all ports. -In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured -both in upgrade, Gateway and VirtualService. - -The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports, -Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual -config for the rest. - -All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism. - -# Migration from istio-system - -Istio 1.0 includes the gateways in istio-system. Since the external IP is associated -with the Service and bound to the namespace, it is recommended to: - -1. Install the new gateway in a new namespace. -2. Copy any TLS certificate to the new namespace, and configure the domains. -3. Checking the new gateway work - for example by overriding the IP in /etc/hosts -4. Modify the DNS server to add the A record of the new namespace -5. Check traffic -6. Delete the A record corresponding to the gateway in istio-system -7. Upgrade istio-system, disabling the ingressgateway -8. Delete the domain TLS certs from istio-system. - -If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl deleted file mode 100644 index fc1ec540..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl +++ /dev/null @@ -1,104 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} - -{{ define "nodeaffinity" }} -nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "nodeAffinityRequiredDuringScheduling" }} - {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} - {{- if or .global.arch $nodeSelector }} - nodeSelectorTerms: - - matchExpressions: - {{- if .global.arch }} - - key: kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- range $key, $val := $nodeSelector }} - - key: {{ $key }} - operator: In - values: - - {{ $val | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "nodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - {{ $key | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinity" }} -{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if .podAntiAffinityTermLabelSelector }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityPreferredDuringScheduling" . }} - {{- end }} -{{- end }} -{{- end }} - -{{- define "podAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- if $item.namespaces }} - namespaces: - {{- $ns := split "," $item.namespaces }} - {{- range $i, $n := $ns }} - - {{ $n | quote }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml deleted file mode 100644 index 0a6299bf..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} -{{- if not .Values.global.autoscalingv2API }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - maxReplicas: {{ $gateway.autoscaleMax }} - minReplicas: {{ $gateway.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ $gateway.name }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} ---- -{{- else }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} -apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} -kind: HorizontalPodAutoscaler -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - maxReplicas: {{ $gateway.autoscaleMax }} - minReplicas: {{ $gateway.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ $gateway.name }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ $gateway.cpu.targetAverageUtilization }} ---- -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml deleted file mode 100644 index 243545a5..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml +++ /dev/null @@ -1,348 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if eq $gateway.injectionTemplate "" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - service.istio.io/canonical-name: {{ $gateway.name }} - {{- if not (eq .Values.revision "") }} - service.istio.io/canonical-revision: {{ .Values.revision }} - {{- else}} - service.istio.io/canonical-revision: latest - {{- end }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "false" - annotations: - istio.io/rev: {{ .Values.revision | default "default" }} - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "false" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- if .Values.global.proxy.enableCoreDump }} - initContainers: - - name: enable-core-dump -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - command: - - /bin/sh - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - securityContext: - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - privileged: true -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - {{- if .Values.global.proxy.logLevel }} - - --proxyLogLevel={{ .Values.global.proxy.logLevel }} - {{- end}} - {{- if .Values.global.proxy.componentLogLevel }} - - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} - {{- end}} - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: {{ $gateway.name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} - {{- if $.Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.meshID }}" - {{- else if .Values.meshConfig.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if .Values.meshConfig.trustDomain }} - - name: TRUST_DOMAIN - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} - {{- if and (not $network_set) .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert -{{- end }} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert -{{- end }} - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - secretName: istio.istio-ingressgateway-service-account - optional: true - {{- end }} - - name: config-volume - configMap: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - optional: true - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml deleted file mode 100644 index bc666a8b..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml +++ /dev/null @@ -1,146 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if ne $gateway.injectionTemplate "" }} -{{/* This provides a minimal gateway, ready to be injected. - Any settings from values.gateways should be here - these are options specific to the gateway. - Global settings, like the image, various env vars and volumes, etc will be injected. - The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . }} - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "true" - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: istio-proxy - image: auto -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - volumeMounts: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml deleted file mode 100644 index 8b368895..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | trim | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - minAvailable: 1 - selector: - matchLabels: -{{ $gateway.labels | toYaml | trim | indent 6 }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml deleted file mode 100644 index 3e21bca5..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $gateway.name }}-sds - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml deleted file mode 100644 index d4525579..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $gateway.name }}-sds - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $gateway.name }}-sds -subjects: -- kind: ServiceAccount - name: {{ $gateway.name }}-service-account ---- diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml deleted file mode 100644 index a3b97be1..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if not $gateway.customService }} -apiVersion: v1 -kind: Service -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - annotations: - {{- range $key, $val := $gateway.serviceAnnotations }} - {{ $key }}: {{ $val | quote }} - {{- end }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if $gateway.loadBalancerIP }} - loadBalancerIP: "{{ $gateway.loadBalancerIP }}" -{{- end }} -{{- if $gateway.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} -{{- end }} -{{- if $gateway.externalTrafficPolicy }} - externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} -{{- end }} - type: {{ $gateway.type }} - selector: -{{ $gateway.labels | toYaml | indent 4 }} - ports: - - {{- range $key, $val := $gateway.ports }} - - - {{- range $pkey, $pval := $val }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} - - {{ range $app := $gateway.ingressPorts }} - - - port: {{ $app.port }} - name: {{ $app.name }} - {{- end }} ---- -{{ end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml deleted file mode 100644 index 9cf3034c..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: {{ $gateway.name }}-service-account - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | trim | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - {{- with $gateway.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml deleted file mode 100644 index 89c24a0c..00000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml +++ /dev/null @@ -1,319 +0,0 @@ -# A-la-carte istio ingress gateway. -# Must be installed in a separate namespace, to minimize access to secrets. - -gateways: - istio-ingressgateway: - name: istio-ingressgateway - labels: - app: istio-ingressgateway - istio: ingressgateway - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - protocol: TCP - - port: 80 - targetPort: 8080 - name: http2 - protocol: TCP - - port: 443 - targetPort: 8443 - name: https - protocol: TCP - - # Scalability tuning - # replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - - cpu: - targetAverageUtilization: 80 - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - loadBalancerIP: "" - loadBalancerSourceRanges: [] - serviceAnnotations: {} - - # To generate an internal load balancer: - # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal - #serviceAnnotations: - # cloud.google.com/load-balancer-type: "internal" - - podAnnotations: {} - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - - ############## - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs - - customService: false - externalTrafficPolicy: "" - - ingressPorts: [] - additionalContainers: [] - configVolumes: [] - - serviceAccount: - # Annotations to add to the service account - annotations: {} - - ### Advanced options ############ - env: {} - nodeSelector: {} - tolerations: [] - - # Specify the pod anti-affinity that allows you to constrain which nodes - # your pod is eligible to be scheduled based on labels on pods that are - # already running on the node rather than based on labels on nodes. - # There are currently two types of anti-affinity: - # "requiredDuringSchedulingIgnoredDuringExecution" - # "preferredDuringSchedulingIgnoredDuringExecution" - # which denote "hard" vs. "soft" requirements, you can define your values - # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" - # correspondingly. - # For example: - # podAntiAffinityLabelSelector: - # - key: security - # operator: In - # values: S1,S2 - # topologyKey: "kubernetes.io/hostname" - # This pod anti-affinity rule says that the pod requires not to be scheduled - # onto a node if that node is already running a pod with label having key - # "security" and value "S1". - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - - # whether to run the gateway in a privileged container - runAsRoot: false - - # The injection template to use for the gateway. If not set, no injection will be performed. - injectionTemplate: "" - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # set the default set of namespaces to which services, service entries, virtual services, destination - # rules should be exported to. Currently only one value can be provided in this list. This value - # should be one of the following two options: - # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. - # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host - defaultConfigVisibilitySettings: [] - - # Default node selector to be applied to all deployments so that all pods can be - # constrained to run a particular nodes. Each component can overwrite these default - # values by adding its node selector block in the relevant section below and setting - # the desired values. - defaultNodeSelector: {} - - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default node tolerations to be applied to all deployments so that all pods can be - # scheduled to a particular nodes with matching taints. Each component can overwrite - # these default values by adding its tolerations block in the relevant section below - # and setting the desired values. - # Configure this field in case that all pods of Istio control plane are expected to - # be scheduled to particular nodes with specified taints. - defaultTolerations: [] - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.18.2 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: - # 0 - Never scheduled - # 1 - Least preferred - # 2 - No preference - # 3 - Most preferred - arch: {} - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # Used to locate istiod. - istioNamespace: istio-system - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - # The suffix for global service names - globalDomainSuffix: "global" - # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication - includeEnvoyFilter: true - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - # whether to use autoscaling/v2 template for HPA settings - # for internal usage only, not to be configured by users. - autoscalingv2API: true - -meshConfig: - enablePrometheusMerge: true - - # The trust domain corresponds to the trust root of a system - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - defaultConfig: - proxyMetadata: {} - tracing: - # tlsSettings: - # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem - # privateKey: # example: /etc/istio/tracer/key.pem - # caCertificates: # example: /etc/istio/tracer/root-cert.pem - # sni: # example: tracer.somedomain - # subjectAltNames: [] - # - tracer.somedomain diff --git a/istio-1.18.2/manifests/charts/install-OpenShift.md b/istio-1.18.2/manifests/charts/install-OpenShift.md deleted file mode 100644 index 0417c07a..00000000 --- a/istio-1.18.2/manifests/charts/install-OpenShift.md +++ /dev/null @@ -1,43 +0,0 @@ -# Installing Istio on OpenShift using Helm - -> Note: Be aware of the [platform setup required for OpenShift](https://istio.io/latest/docs/setup/platform-setup/openshift/) when installing Istio. - -To install with Helm, you must first create the namespace that you wish to install in if the namespace does not exist already. The default namespace used is `istio-system` and can be created as follows: - -```console -kubectl create namespace istio-system -``` - -The installation process using the Helm charts is as follows: - -1) `base` chart creates cluster-wide CRDs, cluster bindings and cluster resources. It is possible to change the namespace from `istio-system` but it is not recommended. - -```console -helm install istio-base -n istio-system manifests/charts/base -``` - -2) `istio-cni` chart installs the CNI plugin. This should be installed after the `base` chart and prior to `istiod` chart. Need to add `--set istio_cni.enabled=true` to the `istiod` install to enable its usage. - -```console -helm install istio-cni -n kube-system manifests/charts/istio-cni --set cni.cniBinDir="/var/lib/cni/bin" --set cni.cniConfDir="/etc/cni/multus/net.d" --set cni.chained=false --set cni.cniConfFileName="istio-cni.conf" --set cni.excludeNamespaces[0]="istio-system" --set cni.excludeNamespaces[1]="kube-system" --set cni.repair.enabled=false --set cni.logLevel=info -``` - -3) `istio-control/istio-discovery` chart installs a revision of istiod. - -```console - helm install -n istio-system istio-17 manifests/charts/istio-control/istio-discovery --set istio_cni.enabled=true --set global.jwtPolicy=first-party-jwt --set sidecarInjectorWebhook.injectedAnnotations."k8s\.v1\.cni\.cncf\.io/networks"="istio-cni" -``` - -4) `gateways` charts install a load balancer with `ingress` and `egress`. - -Ingress secrets and access should be separated from the control plane. - -```console -helm install -n istio-system istio-ingress manifests/charts/gateways/istio-ingress --set global.jwtPolicy=first-party-jwt -``` - -Egress secrets and access should be separated from the control plane. - -```console -helm install -n istio-system istio-egress manifests/charts/gateways/istio-egress --set global.jwtPolicy=first-party-jwt -``` diff --git a/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml b/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml deleted file mode 100644 index 2d61757c..00000000 --- a/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -name: cni -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -description: Helm chart for istio-cni components -keywords: - - istio-cni - - istio -sources: - - https://github.com/istio/istio/tree/master/cni -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/istio-cni/README.md b/istio-1.18.2/manifests/charts/istio-cni/README.md deleted file mode 100644 index 215051ae..00000000 --- a/istio-1.18.2/manifests/charts/istio-cni/README.md +++ /dev/null @@ -1,43 +0,0 @@ -# Istio CNI Helm Chart - -This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) -for more information. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-cni`: - -```console -helm install istio-cni istio/cni -n kube-system -``` - -Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow -'system-node-critical' outside of kube-system. - -## Ambient - -To enable ambient, you need to to add `--set cni.ambient.enabled=true`. - -### Calico - -For Calico, you must also modify the settings to allow source spoofing: - -- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` -- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) - -## GKE notes - -On GKE, 'kube-system' is required. - -If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` -it is auto-detected. diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt b/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt deleted file mode 100644 index 99462824..00000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -"{{ .Release.Name }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml deleted file mode 100644 index 4f930e2e..00000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-cni - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -rules: -- apiGroups: [""] - resources: ["pods","nodes","namespaces"] - verbs: ["get", "list", "watch"] ---- -{{- if .Values.cni.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-cni-repair-role - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "delete", "patch", "update" ] -- apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "watch", "delete", "patch", "update", "create" ] -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml deleted file mode 100644 index d7e4a861..00000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cni - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cni -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.cni.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cni-repair-rolebinding - labels: - k8s-app: istio-cni-repair - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cni-repair-role -{{- end }} ---- -{{- if ne .Values.cni.psp_cluster_role "" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istio-cni-psp - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.cni.psp_cluster_role }} -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml deleted file mode 100644 index de62a0c7..00000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -kind: ConfigMap -apiVersion: v1 -metadata: - name: istio-cni-config - namespace: {{ .Release.Namespace }} - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -data: - # The CNI network configuration to add to the plugin chain on each node. The special - # values in this config will be automatically populated. - cni_network_config: |- - { - "cniVersion": "0.3.1", - "name": "istio-cni", - "type": "istio-cni", - "log_level": {{ quote .Values.cni.logLevel }}, - "log_uds_address": "__LOG_UDS_ADDRESS__", - {{if .Values.cni.ambient.enabled}}"ambient_enabled": true,{{end}} - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__", - "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }}, - "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ] - } - } diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml deleted file mode 100644 index 6ce0e16a..00000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml +++ /dev/null @@ -1,202 +0,0 @@ -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: istio-cni-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: istio-cni-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -spec: - selector: - matchLabels: - k8s-app: istio-cni-node - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }} - template: - metadata: - labels: - k8s-app: istio-cni-node - sidecar.istio.io/inject: "false" - annotations: - sidecar.istio.io/inject: "false" - ambient.istio.io/redirection: disabled - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Custom annotations - {{- if .Values.cni.podAnnotations }} -{{ toYaml .Values.cni.podAnnotations | indent 8 }} - {{- end }} - spec: - {{if .Values.cni.ambient.enabled }}hostNetwork: true{{ end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding instio-cni from being scheduled on specified nodes - {{- with .Values.cni.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: istio-cni - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.cni.image }} - image: "{{ .Values.cni.image }}" -{{- else }} - image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - privileged: {{ .Values.cni.privileged }} -{{- if .Values.cni.seccompProfile }} - seccompProfile: -{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - env: -{{- if .Values.cni.cniConfFileName }} - # Name of the CNI config file to create. - - name: CNI_CONF_NAME - value: "{{ .Values.cni.cniConfFileName }}" -{{- end }} - # The CNI network config to install on each node. - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: istio-cni-config - key: cni_network_config - - name: CNI_NET_DIR - value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Deploy as a standalone CNI plugin or as chained? - - name: CHAINED_CNI_PLUGIN - value: "{{ .Values.cni.chained }}" - - name: REPAIR_ENABLED - value: "{{ .Values.cni.repair.enabled }}" - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_LABEL_PODS - value: "{{.Values.cni.repair.labelPods}}" - # Set to true to enable pod deletion - - name: REPAIR_DELETE_PODS - value: "{{.Values.cni.repair.deletePods}}" - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - - name: REPAIR_INIT_CONTAINER_NAME - value: "{{ .Values.cni.repair.initContainerName }}" - - name: REPAIR_BROKEN_POD_LABEL_KEY - value: "{{.Values.cni.repair.brokenPodLabelKey}}" - - name: REPAIR_BROKEN_POD_LABEL_VALUE - value: "{{.Values.cni.repair.brokenPodLabelValue}}" - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: LOG_LEVEL - value: {{ .Values.cni.logLevel | quote }} - {{- if .Values.cni.ambient.enabled }} - - name: AMBIENT_ENABLED - value: "true" - {{- if eq .Values.cni.ambient.redirectMode "ebpf"}} - - name: EBPF_ENABLED - value: "true" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-log-dir - {{- if .Values.cni.ambient.enabled }} - - mountPath: /etc/ambient-config - name: cni-ambientconfig - - mountPath: /var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - {{- if eq .Values.cni.ambient.redirectMode "ebpf"}} - - mountPath: /sys/fs/bpf - mountPropagation: Bidirectional - name: cni-bpffs-dir - {{- end }} - {{ end }} - resources: -{{- if .Values.cni.resources }} -{{ toYaml .Values.cni.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ .Values.cni.cniBinDir | default $defaultBinDir }} - {{- if .Values.cni.ambient.enabled }} - - name: cni-ambientconfig - hostPath: - path: /etc/ambient-config - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Used for UDS log - - name: cni-log-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: /var/run/netns - {{- if eq .Values.cni.ambient.redirectMode "ebpf"}} - - name: cni-bpffs-dir - hostPath: - path: /sys/fs/bpf - {{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml deleted file mode 100644 index 15946ae7..00000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.cni.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: istio-cni-resource-quota - namespace: {{ .Release.Namespace }} -spec: - hard: - pods: {{ .Values.cni.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml deleted file mode 100644 index 4645db63..00000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: istio-cni - namespace: {{ .Release.Namespace }} - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" diff --git a/istio-1.18.2/manifests/charts/istio-cni/values.yaml b/istio-1.18.2/manifests/charts/istio-cni/values.yaml deleted file mode 100644 index 157a9ee6..00000000 --- a/istio-1.18.2/manifests/charts/istio-cni/values.yaml +++ /dev/null @@ -1,127 +0,0 @@ -cni: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Configuration log level of istio-cni binary - # by default istio-cni send all logs to UDS server - # if want to see them you need change global.logging.level with cni:debug - logLevel: debug - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI bin and conf dir override settings - # defaults: - cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - - excludeNamespaces: - - istio-system - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # If this value is set a RoleBinding will be created - # in the same namespace as the istio-cni DaemonSet is created. - # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount - # e.g. if you use PodSecurityPolicies - psp_cluster_role: "" - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) - privileged: false - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # Set ambient redirection mode: "iptables" or "ebpf" - redirectMode: "iptables" - - repair: - enabled: true - hub: "" - tag: "" - - labelPods: true - deletePods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # The number of pods that can be unavailable during rolling update (see - # `updateStrategy.rollingUpdate.maxUnavailable` here: - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - # May be specified as a number of pods or as a percent of the total number - # of pods at the start of the update. - rollingMaxUnavailable: 1 - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.18.2 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: default:info,cni:info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml deleted file mode 100644 index 321d0f12..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -name: istiod -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -tillerVersion: ">=2.7.2" -description: Helm chart for istio control plane -keywords: - - istio - - istiod - - istio-discovery -sources: - - https://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md deleted file mode 100644 index 9d4d07a4..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md +++ /dev/null @@ -1,59 +0,0 @@ -# Istiod Helm Chart - -This chart installs an Istiod deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). - -To install the chart with the release name `istiod`: - -```console -kubectl create namespace istio-system -helm install istiod istio/istiod --namespace istio-system -``` - -## Uninstalling the Chart - -To uninstall/delete the `istiod` deployment: - -```console -helm delete istiod --namespace istio-system -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/istiod -``` - -### Examples - -#### Configuring mesh configuration settings - -Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: - -```yaml -meshConfig: - accessLogFile: /dev/stdout -``` - -#### Revisions - -Control plane revisions allow deploying multiple versions of the control plane in the same cluster. -This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) - -```yaml -revision: my-revision-name -``` diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml deleted file mode 100644 index 5002c03f..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml +++ /dev/null @@ -1,237 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml deleted file mode 100644 index 2bd67367..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml +++ /dev/null @@ -1,320 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a4..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml +++ /dev/null @@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml deleted file mode 100644 index a05fd576..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml +++ /dev/null @@ -1,513 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - "1337" - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- end }} - env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml deleted file mode 100644 index ec80744c..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml +++ /dev/null @@ -1,312 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap .Labels | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - istio.io/gateway-name: {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .Labels - (strdict "istio.io/gateway-name" .Name) | nindent 8}} - spec: - {{- if .KubeVersion122 }} - {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - image: "{{ .ProxyImage }}" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - {{- if .KubeVersion122 }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - {{- else }} - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 0 - runAsGroup: 1337 - runAsNonRoot: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: true - {{- end }} - ports: - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .Labels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{ toJsonMap .Labels | nindent 4}} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - istio.io/gateway-name: {{.Name}} - {{- if .Spec.Addresses }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ index .Annotations "networking.istio.io/service-type" | default "LoadBalancer" | quote }} ---- diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml deleted file mode 100644 index aa5374cd..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml +++ /dev/null @@ -1,238 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap .Labels | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - istio.io/gateway-name: "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "ambient.istio.io/redirection" "disabled" - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .Labels - (strdict - "istio.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 8}} - spec: - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - image: {{.ProxyImage}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - name: istio-proxy - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: true - runAsGroup: 1337 - runAsUser: 0 - capabilities: - add: - - NET_ADMIN - - NET_RAW - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{ toJsonMap .Labels | nindent 4}} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ports: - - name: https-hbone - port: 15008 - protocol: TCP - appProtocol: https - selector: - istio.io/gateway-name: "{{.Name}}" ---- diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt deleted file mode 100644 index 03cb8192..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt +++ /dev/null @@ -1,56 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} - -Next steps: - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl deleted file mode 100644 index ccf8a077..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl +++ /dev/null @@ -1,35 +0,0 @@ -{{/* Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled - (not (or - .Values.telemetry.v2.prometheus.configOverride.gateway - .Values.telemetry.v2.prometheus.configOverride.inboundSidecar - .Values.telemetry.v2.prometheus.configOverride.outboundSidecar - )) }} -{{- end }} - -{{/* SD has metrics and logging split. Metrics are enabled if SD is enabled and there are no config overrides set */}} -{{ define "sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled - (not (or - .Values.telemetry.v2.stackdriver.configOverride - .Values.telemetry.v2.stackdriver.disableOutbound )) -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled - (not (or - .Values.telemetry.v2.stackdriver.configOverride - (has .Values.telemetry.v2.stackdriver.outboundAccessLogging (list "" "ERRORS_ONLY")) - (has .Values.telemetry.v2.stackdriver.inboundAccessLogging (list "" "ALL")) - .Values.telemetry.v2.stackdriver.disableOutbound )) -}} -{{- end }} \ No newline at end of file diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml deleted file mode 100644 index 4069bbde..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml +++ /dev/null @@ -1,59 +0,0 @@ -{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} -{{- if not .Values.global.autoscalingv2API }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -spec: - maxReplicas: {{ .Values.pilot.autoscaleMax }} - minReplicas: {{ .Values.pilot.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} ---- -{{- else }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} -apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -spec: - maxReplicas: {{ .Values.pilot.autoscaleMax }} - minReplicas: {{ .Values.pilot.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml deleted file mode 100644 index e910a317..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml +++ /dev/null @@ -1,147 +0,0 @@ -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml deleted file mode 100644 index f6e42521..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} \ No newline at end of file diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml deleted file mode 100644 index 7b719ac7..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.pilot.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -data: - extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml deleted file mode 100644 index d5504047..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml +++ /dev/null @@ -1,120 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "prometheus" . | eq "true" }} - {{ $sdMetrics := include "sd-metrics" . | eq "true" }} - {{ $sdLogs := include "sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if $sdMetrics }}- stackdriver{{ end }} - {{- end }} - {{- if $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - {{- if $.Values.global.tracer.stackdriver.debug }} - debug: {{ $.Values.global.tracer.stackdriver.debug }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- else }} - {} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.pilot.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.pilot.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml deleted file mode 100644 index 1aa80206..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml +++ /dev/null @@ -1,258 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} -{{- range $key, $val := .Values.pilot.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} -spec: -{{- if not .Values.pilot.autoscaleEnabled }} -{{- if .Values.pilot.replicaCount }} - replicas: {{ .Values.pilot.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.pilot.rollingMaxSurge }} - maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.pilot.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - {{- end }} - ambient.istio.io/redirection: disabled - sidecar.istio.io/inject: "false" - {{- if .Values.pilot.podAnnotations }} -{{ toYaml .Values.pilot.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.pilot.nodeSelector }} - nodeSelector: -{{ toYaml .Values.pilot.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.pilot.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.pilot.tolerations }} - tolerations: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - securityContext: - fsGroup: 1337 - containers: - - name: discovery -{{- if contains "/" .Values.pilot.image }} - image: "{{ .Values.pilot.image }}" -{{- else }} - image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.global.oneNamespace }} - - "-a" - - {{ .Release.Namespace }} -{{- end }} -{{- if .Values.pilot.plugins }} - - --plugins={{ .Values.pilot.plugins }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - {{- if .Values.pilot.env }} - {{- range $key, $val := .Values.pilot.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} -{{- if semverCompare "<1.19" .Capabilities.KubeVersion.GitVersion }} - - name: ENABLE_LEGACY_FSGROUP_INJECTION - value: "true" -{{- end }} -{{- if .Values.pilot.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.pilot.traceSampling }}" -{{- end }} - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}" - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}" - - name: ISTIOD_ADDR - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012 - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - resources: -{{- if .Values.pilot.resources }} -{{ toYaml .Values.pilot.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.pilot.seccompProfile }} - seccompProfile: -{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - {{- end }} - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - {{- end }} - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - configMap: - name: istio-ca-root-cert - defaultMode: 420 - optional: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - ---- diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml deleted file mode 100644 index 69522c67..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml deleted file mode 100644 index fbffdd65..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,152 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml deleted file mode 100644 index 454737a6..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml deleted file mode 100644 index 793b75e6..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 4f9925c9..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml deleted file mode 100644 index 8bef5464..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml +++ /dev/null @@ -1,140 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml deleted file mode 100644 index 195bdde4..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml deleted file mode 100644 index 0d700f00..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml deleted file mode 100644 index b5ddf5b6..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.pilot.serviceAnnotations }} - annotations: -{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} ---- diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml deleted file mode 100644 index ee6cbc32..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} ---- diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml deleted file mode 100644 index 8374fc05..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml +++ /dev/null @@ -1,616 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_inbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_inbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! */}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml deleted file mode 100644 index 990d817c..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml +++ /dev/null @@ -1,486 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! */}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml deleted file mode 100644 index 736ed586..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml +++ /dev/null @@ -1,486 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! */}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 88b9eb7c..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,58 +0,0 @@ -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - {{- if .Values.base.validateGateway }} - - gateway.networking.k8s.io - {{- end }} - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml deleted file mode 100644 index 2c05e3df..00000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml +++ /dev/null @@ -1,485 +0,0 @@ -#.Values.pilot for discovery and mesh wide config - -## Discovery Settings -pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - env: {} - - cpu: - targetAverageUtilization: 80 - - # if protocol sniffing is enabled for outbound - enableProtocolSniffingForOutbound: true - # if protocol sniffing is enabled for inbound - enableProtocolSniffingForInbound: true - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # This is used to set the source of configuration for - # the associated address in configSource, if nothing is specified - # the default MCP is assumed. - configSource: - subscribedResources: [] - - plugins: [] - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - -sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] -istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" -telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - metadataExchange: - # Indicates whether to enable WebAssembly runtime for metadata exchange filter. - wasmEnabled: false - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # Indicates whether to enable WebAssembly runtime for stats filter. - wasmEnabled: false - # overrides stats EnvoyFilter configuration. - configOverride: - gateway: {} - inboundSidecar: {} - outboundSidecar: {} - # stackdriver filter settings. - stackdriver: - enabled: false - logging: false - monitoring: false - topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported. - disableOutbound: false - # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. - - configOverride: {} - # e.g. - # disable_server_access_logging: false - # disable_host_header_fallback: true - # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. - accessLogPolicy: - enabled: false - # To reduce the number of successful logs, default log window duration is - # set to 12 hours. - logWindowDuration: "43200s" -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# Revision tags are aliases to Istio control plane revisions -revisionTags: [] - -# For Helm compatibility. -ownerName: "" - -# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior -# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options -meshConfig: - enablePrometheusMerge: true - -global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - # Default tag for Istio images. - tag: 1.18.2 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Whether to restrict the applications namespace the controller manages; - # If not set, controller watches all namespaces - oneNamespace: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 30 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 1 - - # The period between readiness probes. - readinessPeriodSeconds: 2 - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "zipkin" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - # whether to use autoscaling/v2 template for HPA settings - # for internal usage only, not to be configured by users. - autoscalingv2API: true - -base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # If enabled, gateway-api types will be validated using the standard upstream validation logic. - # This is an alternative to deploying the standalone validation server the project provides. - # This is disabled by default, as the cluster may already have a validation server; while technically - # it works to have multiple redundant validations, this adds complexity and operational risks. - # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers. - validateGateway: false diff --git a/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml b/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml deleted file mode 100644 index 3e630578..00000000 --- a/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -name: istio-operator -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio operator -keywords: - - istio - - operator -sources: - - https://github.com/istio/istio/tree/master/operator -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml b/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml deleted file mode 100644 index 93ac1de0..00000000 --- a/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml +++ /dev/null @@ -1,48 +0,0 @@ -# SYNC WITH manifests/charts/base/files -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - conversion: - strategy: None - group: install.istio.io - names: - kind: IstioOperator - listKind: IstioOperatorList - plural: istiooperators - singular: istiooperator - shortNames: - - iop - - io - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Istio control plane revision - jsonPath: .spec.revision - name: Revision - type: string - - description: IOP current state - jsonPath: .status.status - name: Status - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml deleted file mode 100644 index c7101ab6..00000000 --- a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml +++ /dev/null @@ -1,117 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -rules: -# istio groups -- apiGroups: - - authentication.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - config.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - install.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - networking.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - security.istio.io - resources: - - '*' - verbs: - - '*' -# k8s groups -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - '*' -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions.apiextensions.k8s.io - - customresourcedefinitions - verbs: - - '*' -- apiGroups: - - apps - - extensions - resources: - - daemonsets - - deployments - - deployments/finalizers - - replicasets - verbs: - - '*' -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - update -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - roles - - rolebindings - verbs: - - '*' -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - create - - update -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - namespaces - - pods - - pods/proxy - - pods/portforward - - persistentvolumeclaims - - secrets - - services - - serviceaccounts - - resourcequotas - verbs: - - '*' ---- diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml deleted file mode 100644 index a3df073a..00000000 --- a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -subjects: -- kind: ServiceAccount - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{.Release.Namespace}} -roleRef: - kind: ClusterRole - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - apiGroup: rbac.authorization.k8s.io ---- diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml deleted file mode 100644 index a3703650..00000000 --- a/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{- if .Values.enableCRDTemplates -}} -{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}} ---- -{{ $.Files.Get $path }} -{{- end -}} -{{- end -}} diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml deleted file mode 100644 index 01830956..00000000 --- a/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml +++ /dev/null @@ -1,81 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: {{.Release.Namespace}} - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -spec: - replicas: 1 - revisionHistoryLimit: {{ .Values.deploymentHistory }} - selector: - matchLabels: - name: istio-operator - template: - metadata: - labels: - name: istio-operator - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - annotations: - prometheus.io/port: "{{ .Values.operator.monitoring.port }}" - prometheus.io/scrape: "true" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: - serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - containers: - - name: istio-operator - image: {{.Values.hub}}/operator:{{.Values.tag}} - command: - - operator - - server - - --monitoring-host={{ .Values.operator.monitoring.host }} - - --monitoring-port={{ .Values.operator.monitoring.port }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true -{{- if .Values.operator.seccompProfile }} - seccompProfile: -{{ toYaml .Values.operator.seccompProfile | trim | indent 14 }} -{{- end }} -{{- if .Values.imagePullPolicy }} - imagePullPolicy: {{ .Values.imagePullPolicy }} -{{- end }} - resources: -{{ toYaml .Values.operator.resources | trim | indent 12 }} - env: - - name: WATCH_NAMESPACE - value: {{.Values.watchedNamespaces | quote}} - - name: LEADER_ELECTION_NAMESPACE - value: {{.Release.Namespace | quote}} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAME - value: {{.Release.Namespace | quote}} - - name: WAIT_FOR_RESOURCES_TIMEOUT - value: {{.Values.waitForResourcesTimeout | quote}} - - name: REVISION - value: {{.Values.revision | quote}} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} ---- diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml deleted file mode 100644 index e32e8ea0..00000000 --- a/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - namespace: {{.Release.Namespace}} - labels: - name: istio-operator - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -spec: - ports: - - name: http-metrics - port: 8383 - targetPort: 8383 - protocol: TCP - selector: - name: istio-operator ---- diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml deleted file mode 100644 index fe9d4cf2..00000000 --- a/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: {{.Release.Namespace}} - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{ . }} -{{- end }} -{{- end }} ---- diff --git a/istio-1.18.2/manifests/charts/istio-operator/values.yaml b/istio-1.18.2/manifests/charts/istio-operator/values.yaml deleted file mode 100644 index d344f093..00000000 --- a/istio-1.18.2/manifests/charts/istio-operator/values.yaml +++ /dev/null @@ -1,51 +0,0 @@ -hub: docker.io/istio -tag: 1.18.2 - -# ImagePullSecrets for operator ServiceAccount, list of secrets in the same namespace -# used to pull operator image. Must be set for any cluster configured with private docker registry. -imagePullSecrets: [] - -# Specify image pull policy if default behavior isn't desired. -# Default behavior: latest images will be Always else IfNotPresent. -imagePullPolicy: "" - -# Used to replace istioNamespace to support operator watch multiple namespaces. -watchedNamespaces: istio-system -waitForResourcesTimeout: 300s - -# Used for helm2 to add the CRDs to templates. -enableCRDTemplates: false - -# revision for the operator resources -revision: "" - -# The number of old ReplicaSets to retain in operator deployment -deploymentHistory: 10 - -# Operator resource defaults -operator: - monitoring: - host: 127.0.0.1 - port: 15014 - resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 50m - memory: 128Mi - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - -# Node labels for pod assignment -nodeSelector: {} - -# Tolerations for pod assignment -tolerations: [] - -# Affinity for pod assignment -affinity: {} - -# Additional labels and annotations to apply on the pod level for monitoring and logging configuration. -podLabels: {} -podAnnotations: {} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml b/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml deleted file mode 100644 index 616ce3fc..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -name: istiod-remote -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -tillerVersion: ">=2.7.2" -description: Helm chart for a remote cluster using an external istio control plane -keywords: - - istio - - external-istiod -sources: - - https://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt b/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt deleted file mode 100644 index 0230b6f8..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt +++ /dev/null @@ -1,4 +0,0 @@ -Install for a remote cluster using an external control plane. - -The templates in this directory are copies of base and istio-discovery templates. -DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen. diff --git a/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml b/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml deleted file mode 100644 index 5002c03f..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml +++ /dev/null @@ -1,237 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml b/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml deleted file mode 100644 index a05fd576..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml +++ /dev/null @@ -1,513 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - "1337" - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- end }} - env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl deleted file mode 100644 index ccf8a077..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl +++ /dev/null @@ -1,35 +0,0 @@ -{{/* Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled - (not (or - .Values.telemetry.v2.prometheus.configOverride.gateway - .Values.telemetry.v2.prometheus.configOverride.inboundSidecar - .Values.telemetry.v2.prometheus.configOverride.outboundSidecar - )) }} -{{- end }} - -{{/* SD has metrics and logging split. Metrics are enabled if SD is enabled and there are no config overrides set */}} -{{ define "sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled - (not (or - .Values.telemetry.v2.stackdriver.configOverride - .Values.telemetry.v2.stackdriver.disableOutbound )) -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled - (not (or - .Values.telemetry.v2.stackdriver.configOverride - (has .Values.telemetry.v2.stackdriver.outboundAccessLogging (list "" "ERRORS_ONLY")) - (has .Values.telemetry.v2.stackdriver.inboundAccessLogging (list "" "ALL")) - .Values.telemetry.v2.stackdriver.disableOutbound )) -}} -{{- end }} \ No newline at end of file diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml deleted file mode 100644 index 2550df5f..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml +++ /dev/null @@ -1,149 +0,0 @@ -{{- if .Values.global.configCluster }} -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml deleted file mode 100644 index 932cdce0..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml deleted file mode 100644 index d5504047..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml +++ /dev/null @@ -1,120 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "prometheus" . | eq "true" }} - {{ $sdMetrics := include "sd-metrics" . | eq "true" }} - {{ $sdLogs := include "sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if $sdMetrics }}- stackdriver{{ end }} - {{- end }} - {{- if $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - {{- if $.Values.global.tracer.stackdriver.debug }} - debug: {{ $.Values.global.tracer.stackdriver.debug }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- else }} - {} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.pilot.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.pilot.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml deleted file mode 100644 index 27259265..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml +++ /dev/null @@ -1,7201 +0,0 @@ -{{- if .Values.global.configCluster }} -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: wasmplugins.extensions.istio.io -spec: - group: extensions.istio.io - names: - categories: - - istio-io - - extensions-istio-io - kind: WasmPlugin - listKind: WasmPluginList - plural: wasmplugins - singular: wasmplugin - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Extend the functionality provided by the Istio proxy through - WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' - properties: - imagePullPolicy: - enum: - - UNSPECIFIED_POLICY - - IfNotPresent - - Always - type: string - imagePullSecret: - description: Credentials to use for OCI image pulling. - type: string - match: - description: Specifies the criteria to determine which traffic is - passed to WasmPlugin. - items: - properties: - mode: - description: Criteria for selecting traffic by their direction. - enum: - - UNDEFINED - - CLIENT - - SERVER - - CLIENT_AND_SERVER - type: string - ports: - description: Criteria for selecting traffic by their destination - port. - items: - properties: - number: - type: integer - type: object - type: array - type: object - type: array - phase: - description: Determines where in the filter chain this `WasmPlugin` - is to be injected. - enum: - - UNSPECIFIED_PHASE - - AUTHN - - AUTHZ - - STATS - type: string - pluginConfig: - description: The configuration that will be passed on to the plugin. - type: object - x-kubernetes-preserve-unknown-fields: true - pluginName: - type: string - priority: - description: Determines ordering of `WasmPlugins` in the same `phase`. - nullable: true - type: integer - selector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - sha256: - description: SHA256 checksum that will be used to verify Wasm module - or OCI container. - type: string - url: - description: URL of a Wasm module or OCI container. - type: string - verificationKey: - type: string - vmConfig: - description: Configuration for a Wasm VM. - properties: - env: - description: Specifies environment variables to be injected to - this VM. - items: - properties: - name: - type: string - value: - description: Value for the environment variable. - type: string - valueFrom: - enum: - - INLINE - - HOST - type: string - type: object - type: array - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - type: object - type: object - workloadSelector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - type: object - type: object - workloadSelector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - type: object - proxyVersion: - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - type: integer - vhost: - properties: - name: - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. - format: int32 - type: integer - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more - details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. - type: string - type: object - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - type: string - jwksUri: - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - type: string - jwksUri: - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows provides the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - type: string - metric: - description: One of the well-known Istio Standard - Metrics. - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to - update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - reportingInterval: - description: Optional. - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - type: string - type: object - header: - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - type: string - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - type: string - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - randomSamplingPercentage: - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml deleted file mode 100644 index 42e95ee8..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml +++ /dev/null @@ -1,50 +0,0 @@ -{{- if .Values.global.configCluster }} -# SYNC WITH manifests/charts/istio-operator/templates -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - conversion: - strategy: None - group: install.istio.io - names: - kind: IstioOperator - listKind: IstioOperatorList - plural: istiooperators - singular: istiooperator - shortNames: - - iop - - io - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Istio control plane revision - jsonPath: .spec.revision - name: Revision - type: string - - description: IOP current state - jsonPath: .status.status - name: Status - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml deleted file mode 100644 index 6b1d6633..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml +++ /dev/null @@ -1,50 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - {{- if .Values.base.validateGateway }} - - gateway.networking.k8s.io - {{- end }} - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml deleted file mode 100644 index 2675b47a..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -# if the remotePilotAddress is an IP addr -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.pilot.enabled }} - name: istiod-remote - {{- else }} - name: istiod - {{- end }} - namespace: {{ .Release.Namespace }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml deleted file mode 100644 index 69522c67..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml deleted file mode 100644 index fbffdd65..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,152 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml deleted file mode 100644 index 793b75e6..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 4f9925c9..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml deleted file mode 100644 index d9ce18c2..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# This service account aggregates reader permissions for the revisions in a given cluster -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml deleted file mode 100644 index c3af8c07..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml deleted file mode 100644 index f65b3b12..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml deleted file mode 100644 index 4f8d20f6..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml deleted file mode 100644 index 2bc55e66..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.pilot.enabled }} - # when local istiod is enabled, we can't use istiod service name to reach the remote control plane - name: istiod-remote - {{- else }} - # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane - name: istiod - {{- end }} - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml deleted file mode 100644 index 8374fc05..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml +++ /dev/null @@ -1,616 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_inbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_inbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! */}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml deleted file mode 100644 index 990d817c..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml +++ /dev/null @@ -1,486 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! */}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml deleted file mode 100644 index 736ed586..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml +++ /dev/null @@ -1,486 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! */}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 96c2e68f..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - {{- if .Values.base.validateGateway }} - - gateway.networking.k8s.io - {{- end }} - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/values.yaml b/istio-1.18.2/manifests/charts/istiod-remote/values.yaml deleted file mode 100644 index aba10e2a..00000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/values.yaml +++ /dev/null @@ -1,416 +0,0 @@ -#.Values.pilot for discovery and mesh wide config - -## Discovery Settings -pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - hub: "" - tag: "" - variant: "" - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - env: {} - cpu: - targetAverageUtilization: 80 - # if protocol sniffing is enabled for outbound - enableProtocolSniffingForOutbound: true - # if protocol sniffing is enabled for inbound - enableProtocolSniffingForInbound: true - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - # This is used to set the source of configuration for - # the associated address in configSource, if nothing is specified - # the default MCP is assumed. - configSource: - subscribedResources: [] - plugins: [] - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - # Additional labels to apply to the deployment. - deploymentLabels: {} - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: false - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} -sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - rewriteAppHTTPProbe: true - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] -istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" -telemetry: - enabled: false - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - metadataExchange: - # Indicates whether to enable WebAssembly runtime for metadata exchange filter. - wasmEnabled: false - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # Indicates whether to enable WebAssembly runtime for stats filter. - wasmEnabled: false - # overrides stats EnvoyFilter configuration. - configOverride: - gateway: {} - inboundSidecar: {} - outboundSidecar: {} - # stackdriver filter settings. - stackdriver: - enabled: false - logging: false - monitoring: false - topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported. - disableOutbound: false - # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. - - configOverride: {} - # e.g. - # disable_server_access_logging: false - # disable_host_header_fallback: true - # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. - accessLogPolicy: - enabled: false - # To reduce the number of successful logs, default log window duration is - # set to 12 hours. - logWindowDuration: "43200s" -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" -# Revision tags are aliases to Istio control plane revisions -revisionTags: [] -# For Helm compatibility. -ownerName: "" -# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior -# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options -meshConfig: - enablePrometheusMerge: true -global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - # Default tag for Istio images. - tag: 1.18.2 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - omitSidecarInjectorConfigMap: true - # Whether to restrict the applications namespace the controller manages; - # If not set, controller watches all namespaces - oneNamespace: false - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - proxy: - image: proxyv2 - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 30 - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 1 - # The period between readiness probes. - readinessPeriodSeconds: 2 - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "zipkin" - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. - externalIstiod: true - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - # whether to use autoscaling/v2 template for HPA settings - # for internal usage only, not to be configured by users. - autoscalingv2API: true -base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - # If enabled, gateway-api types will be validated using the standard upstream validation logic. - # This is an alternative to deploying the standalone validation server the project provides. - # This is disabled by default, as the cluster may already have a validation server; while technically - # it works to have multiple redundant validations, this adds complexity and operational risks. - # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers. - validateGateway: false diff --git a/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml b/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml deleted file mode 100644 index 1396a7b1..00000000 --- a/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -name: ztunnel -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -description: Helm chart for istio ztunnel components -keywords: - - istio-ztunnel - - istio -sources: - - https://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/ztunnel/README.md b/istio-1.18.2/manifests/charts/ztunnel/README.md deleted file mode 100644 index f8887a12..00000000 --- a/istio-1.18.2/manifests/charts/ztunnel/README.md +++ /dev/null @@ -1,36 +0,0 @@ -# Istio Ztunnel Helm Chart - -This chart installs an Istio ztunnel. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart: - -```console -helm install ztunnel istio/ztunnel -``` - -## Uninstalling the Chart - -To uninstall/delete the chart: - -```console -helm delete ztunnel -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/ztunnel -``` diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt b/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt deleted file mode 100644 index 93297520..00000000 --- a/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -ztunnel successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml b/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index d86deb00..00000000 --- a/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,121 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: ztunnel - namespace: {{ .Release.Namespace }} - labels: - {{- .Values.labels | toYaml | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - updateStrategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - app: ztunnel -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - cni.projectcalico.org/allowedSourcePrefixes: "[\"0.0.0.0/0\"]" - ambient.istio.io/redirection: disabled - sidecar.istio.io/inject: "false" -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - serviceAccountName: ztunnel - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - privileged: false - capabilities: - drop: - - ALL - add: - - NET_ADMIN - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml b/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml deleted file mode 100644 index 5a569b64..00000000 --- a/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - {{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- range . }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: ztunnel - namespace: {{ .Release.Namespace }} - labels: - {{- .Values.labels | toYaml | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} ---- diff --git a/istio-1.18.2/manifests/charts/ztunnel/values.yaml b/istio-1.18.2/manifests/charts/ztunnel/values.yaml deleted file mode 100644 index 67967d01..00000000 --- a/istio-1.18.2/manifests/charts/ztunnel/values.yaml +++ /dev/null @@ -1,55 +0,0 @@ -# Hub to pull from. Image will be `Hub/Image:Tag-Variant` -hub: docker.io/istio -# Tag to pull from. Image will be `Hub/Image:Tag-Variant` -tag: 1.18.2 -# Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. -variant: "" - -# Image name to pull from. Image will be `Hub/Image:Tag-Variant` -# If Image contains a "/", it will replace the entire `image` in the pod. -image: ztunnel - -# Labels to apply to all top level resources -labels: {} -# Annotations to apply to all top level resources -annotations: {} - -# Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). -podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - -# Additional labels to apply on the pod level -podLabels: {} - -# Pod resource configuration -resources: - requests: - cpu: 500m - memory: 2048Mi - -# List of secret names to add to the service account as image pull secrets -imagePullSecrets: [] - -# A `key: value` mapping of environment variables to add to the pod -env: {} - -# Override for the pod imagePullPolicy -imagePullPolicy: "" - -# Settings for multicluster -multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - -# meshConfig defines runtime configuration of components. -# For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other -# components. -# TODO: https://github.com/istio/istio/issues/43248 -meshConfig: - defaultConfig: - proxyMetadata: {} - -# Ambient redirection mode: "iptables" or "ebpf" -redirectMode: "iptables" diff --git a/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml b/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml deleted file mode 100644 index 48303976..00000000 --- a/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: istio-system - name: example-istiocontrolplane -spec: - profile: demo -... diff --git a/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml b/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml deleted file mode 100644 index c37e85b0..00000000 --- a/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - profile: empty - components: - ingressGateways: - - enabled: true - namespace: my-namespace diff --git a/istio-1.18.2/manifests/profiles/ambient.yaml b/istio-1.18.2/manifests/profiles/ambient.yaml deleted file mode 100644 index 9900f375..00000000 --- a/istio-1.18.2/manifests/profiles/ambient.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - # You may override parts of meshconfig by uncommenting the following lines. - meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - # Telemetry API is used with ambient instead of EnvoyFilters - defaultProviders: - metrics: - - prometheus - extensionProviders: - - name: prometheus - prometheus: {} - - components: - cni: - enabled: true - ztunnel: - enabled: true - ingressGateways: - - name: istio-ingressgateway - enabled: false - - values: - pilot: - env: - # Setup more secure default that is off in 'default' only for backwards compatibility - VERIFY_CERTIFICATE_AT_CLIENT: "true" - ENABLE_AUTO_SNI: "true" - - PILOT_ENABLE_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" - PILOT_ENABLE_AMBIENT_CONTROLLERS: "true" - cni: - logLevel: info - privileged: true - ambient: - enabled: true - - # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni - excludeNamespaces: - - kube-system - - # TODO: https://github.com/istio/istio/issues/43243 - # variant: distroless - telemetry: - # Telemetry handled with Telemetry API only - enabled: false - v2: - enabled: false diff --git a/istio-1.18.2/manifests/profiles/default.yaml b/istio-1.18.2/manifests/profiles/default.yaml deleted file mode 100644 index 6e443923..00000000 --- a/istio-1.18.2/manifests/profiles/default.yaml +++ /dev/null @@ -1,177 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: istio-system -spec: - hub: docker.io/istio - tag: 1.18.2 - - # You may override parts of meshconfig by uncommenting the following lines. - meshConfig: - defaultConfig: - proxyMetadata: {} - enablePrometheusMerge: true - # Opt-out of global http2 upgrades. - # Destination rule is used to opt-in. - # h2_upgrade_policy: DO_NOT_UPGRADE - - # Traffic management feature - components: - base: - enabled: true - pilot: - enabled: true - - # Istio Gateway feature - ingressGateways: - - name: istio-ingressgateway - enabled: true - egressGateways: - - name: istio-egressgateway - enabled: false - - # Istio CNI feature - cni: - enabled: false - - # Remote and config cluster configuration for an external istiod - istiodRemote: - enabled: false - - # Global values passed through to helm global.yaml. - # Please keep this in sync with manifests/charts/global.yaml - values: - defaultRevision: "" - global: - istioNamespace: istio-system - istiod: - enableAnalysis: false - logging: - level: "default:info" - logAsJson: false - pilotCertProvider: istiod - jwtPolicy: third-party-jwt - proxy: - image: proxyv2 - clusterDomain: "cluster.local" - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - logLevel: warning - componentLogLevel: "misc:error" - privileged: false - enableCoreDump: false - statusPort: 15020 - readinessInitialDelaySeconds: 1 - readinessPeriodSeconds: 2 - readinessFailureThreshold: 30 - includeIPRanges: "*" - excludeIPRanges: "" - excludeOutboundPorts: "" - excludeInboundPorts: "" - autoInject: enabled - tracer: "zipkin" - proxy_init: - image: proxyv2 - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - operatorManageWebhooks: false - tracer: - lightstep: {} - zipkin: {} - datadog: {} - stackdriver: {} - imagePullSecrets: [] - oneNamespace: false - defaultNodeSelector: {} - configValidation: true - multiCluster: - enabled: false - clusterName: "" - omitSidecarInjectorConfigMap: false - network: "" - defaultResources: - requests: - cpu: 10m - defaultPodDisruptionBudget: - enabled: true - priorityClassName: "" - useMCP: false - sds: - token: - aud: istio-ca - sts: - servicePort: 0 - meshNetworks: {} - mountMtlsCerts: false - base: - enableCRDTemplates: false - validationURL: "" - pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - replicaCount: 1 - image: pilot - traceSampling: 1.0 - env: {} - cpu: - targetAverageUtilization: 80 - nodeSelector: {} - keepaliveMaxServerConnectionAge: 30m - enableProtocolSniffingForOutbound: true - enableProtocolSniffingForInbound: true - deploymentLabels: - podLabels: {} - configMap: true - - telemetry: - enabled: true - v2: - enabled: true - metadataExchange: - wasmEnabled: false - prometheus: - wasmEnabled: false - enabled: true - stackdriver: - enabled: false - logging: false - monitoring: false - topology: false - configOverride: {} - - istiodRemote: - injectionURL: "" - - gateways: - istio-egressgateway: - env: {} - autoscaleEnabled: true - type: ClusterIP - name: istio-egressgateway - secretVolumes: - - name: egressgateway-certs - secretName: istio-egressgateway-certs - mountPath: /etc/istio/egressgateway-certs - - name: egressgateway-ca-certs - secretName: istio-egressgateway-ca-certs - mountPath: /etc/istio/egressgateway-ca-certs - - istio-ingressgateway: - autoscaleEnabled: true - type: LoadBalancer - name: istio-ingressgateway - env: {} - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs diff --git a/istio-1.18.2/manifests/profiles/demo.yaml b/istio-1.18.2/manifests/profiles/demo.yaml deleted file mode 100644 index 42661553..00000000 --- a/istio-1.18.2/manifests/profiles/demo.yaml +++ /dev/null @@ -1,85 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.istio-system.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.otel-collector.svc.cluster.local - components: - egressGateways: - - name: istio-egressgateway - enabled: true - k8s: - resources: - requests: - cpu: 10m - memory: 40Mi - - ingressGateways: - - name: istio-ingressgateway - enabled: true - k8s: - resources: - requests: - cpu: 10m - memory: 40Mi - service: - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - - pilot: - k8s: - env: - - name: PILOT_TRACE_SAMPLING - value: "100" - resources: - requests: - cpu: 10m - memory: 100Mi - - values: - global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - - pilot: - autoscaleEnabled: false - - gateways: - istio-egressgateway: - autoscaleEnabled: false - istio-ingressgateway: - autoscaleEnabled: false diff --git a/istio-1.18.2/manifests/profiles/empty.yaml b/istio-1.18.2/manifests/profiles/empty.yaml deleted file mode 100644 index 07de5b1e..00000000 --- a/istio-1.18.2/manifests/profiles/empty.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# The empty profile has everything disabled -# This is useful as a base for custom user configuration -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - base: - enabled: false - pilot: - enabled: false - ingressGateways: - - name: istio-ingressgateway - enabled: false diff --git a/istio-1.18.2/manifests/profiles/external.yaml b/istio-1.18.2/manifests/profiles/external.yaml deleted file mode 100644 index 6a1c65fb..00000000 --- a/istio-1.18.2/manifests/profiles/external.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# Deprecated. Use the "remote" profile instead. -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - base: - enabled: false - pilot: - enabled: false - ingressGateways: - - name: istio-ingressgateway - enabled: false - istiodRemote: - enabled: true - values: - global: - externalIstiod: true - omitSidecarInjectorConfigMap: true - configCluster: false - pilot: - configMap: false - telemetry: - enabled: false diff --git a/istio-1.18.2/manifests/profiles/minimal.yaml b/istio-1.18.2/manifests/profiles/minimal.yaml deleted file mode 100644 index 075881ee..00000000 --- a/istio-1.18.2/manifests/profiles/minimal.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The minimal profile will install just the core control plane -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - ingressGateways: - - name: istio-ingressgateway - enabled: false diff --git a/istio-1.18.2/manifests/profiles/openshift.yaml b/istio-1.18.2/manifests/profiles/openshift.yaml deleted file mode 100644 index e483e346..00000000 --- a/istio-1.18.2/manifests/profiles/openshift.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - cni: - enabled: true - namespace: kube-system - values: - cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - excludeNamespaces: - - istio-system - - kube-system - logLevel: info - privileged: true - sidecarInjectorWebhook: - injectedAnnotations: - k8s.v1.cni.cncf.io/networks: istio-cni diff --git a/istio-1.18.2/manifests/profiles/preview.yaml b/istio-1.18.2/manifests/profiles/preview.yaml deleted file mode 100644 index e0d9b636..00000000 --- a/istio-1.18.2/manifests/profiles/preview.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" - # Enable dynamic bootstrap generation. - BOOTSTRAP_XDS_AGENT: "true" - values: - telemetry: - v2: - metadataExchange: - wasmEnabled: true - prometheus: - wasmEnabled: true diff --git a/istio-1.18.2/manifests/profiles/remote.yaml b/istio-1.18.2/manifests/profiles/remote.yaml deleted file mode 100644 index 28d024c2..00000000 --- a/istio-1.18.2/manifests/profiles/remote.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# The remote profile is used to configure a mesh cluster without a locally deployed control plane. -# Only the injector mutating webhook configuration is installed. -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - base: - enabled: false - pilot: - enabled: false - ingressGateways: - - name: istio-ingressgateway - enabled: false - istiodRemote: - enabled: true - values: - global: - externalIstiod: true - omitSidecarInjectorConfigMap: true - configCluster: false - pilot: - configMap: false - telemetry: - enabled: false diff --git a/istio-1.18.2/samples/README.md b/istio-1.18.2/samples/README.md deleted file mode 100644 index a1a140f8..00000000 --- a/istio-1.18.2/samples/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Istio Samples - -This directory contains sample applications highlighting various Istio features. diff --git a/istio-1.18.2/samples/addons/README.md b/istio-1.18.2/samples/addons/README.md deleted file mode 100644 index 71da0a3c..00000000 --- a/istio-1.18.2/samples/addons/README.md +++ /dev/null @@ -1,102 +0,0 @@ -# Telemetry Addons - -This directory contains sample deployments of various addons that integrate with Istio. While these applications -are not a part of Istio, they are essential to making the most of Istio's observability features. - -The deployments here are meant to quickly get up and running, and are optimized for this case. As a result, -they may not be suitable for production. See below for more info on integrating a production grade version of each -addon. - -## Getting started - -To quickly deploy all addons: - -```shell script -kubectl apply -f samples/addons -``` - -Alternatively, you can deploy individual addons: - -```shell script -kubectl apply -f samples/addons/prometheus.yaml -``` - -## Addons - -### Prometheus - -[Prometheus](https://prometheus.io/) is an open source monitoring system and time series database. -You can use Prometheus with Istio to record metrics that track the health of Istio and of applications within the service mesh. -You can visualize metrics using tools like [Grafana](#grafana) and [Kiali](#kiali). - -For more information about integrating with Prometheus, please see the [Prometheus integration page](https://istio.io/docs/ops/integrations/prometheus/). - -### Grafana - -[Grafana](http://grafana.com/) is an open source monitoring solution that can be used to configure dashboards for Istio. -You can use Grafana to monitor the health of Istio and of applications within the service mesh. - -This sample provides the following dashboards: - -* [Mesh Dashboard](https://grafana.com/grafana/dashboards/7639) provides an overview of all services in the mesh. -* [Service Dashboard](https://grafana.com/grafana/dashboards/7636) provides a detailed breakdown of metrics for a service. -* [Workload Dashboard](https://grafana.com/grafana/dashboards/7630) provides a detailed breakdown of metrics for a workload. -* [Performance Dashboard](https://grafana.com/grafana/dashboards/11829) monitors the resource usage of the mesh. -* [Control Plane Dashboard](https://grafana.com/grafana/dashboards/7645) monitors the health and performance of the control plane. -* [WASM Extension Dashboard](https://grafana.com/grafana/dashboards/13277) provides an overview of mesh wide WebAssembly extension runtime and loading state. - -For more information about integrating with Grafana, please see the [Grafana integration page](https://istio.io/docs/ops/integrations/grafana/). - -### Kiali - -[Kiali](https://kiali.io/) is an observability console for Istio with service mesh configuration capabilities. -It helps you to understand the structure of your service mesh by inferring the topology, and also provides the health of your mesh. -Kiali provides detailed metrics, and a basic [Grafana](#grafana) integration is available for advanced queries. -Distributed tracing is provided by integrating [Jaeger](#jaeger). - -For more information about using Kiali, see the [Visualizing Your Mesh](https://istio.io/docs/tasks/observability/kiali/) task. - -### Jaeger - -[Jaeger](https://www.jaegertracing.io/) is an open source end to end distributed tracing system, allowing users to monitor and troubleshoot transactions in complex distributed systems. - -Jaeger helps in a variety of tasks including: - -* Distributed context propagation -* Distributed transaction monitoring -* Root cause analysis -* Service dependency analysis -* Performance / latency optimization - -For more information about integrating with Jaeger, please see the [Jaeger integration page](https://istio.io/docs/tasks/observability/distributed-tracing/jaeger/). - -### Zipkin - -[Zipkin](https://zipkin.io/) is a distributed tracing system. It helps gather timing data needed to troubleshoot latency problems in service architectures. Features include both the collection and lookup of this data. - -Zipkin is an alternative to Jaeger and is not deployed by default. To replace Jaeger with Zipkin, run `kubectl apply -f samples/addons/extras/zipkin.yaml`. -You may also want to remove the Jaeger deployment, which will not be used, with `kubectl delete deployment jaeger`, or avoid installing it -to begin with by following the selective install steps in [Getting Started](#getting-started). - -For more information about integrating with Zipkin, please see the [Zipkin integration page](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/). - -### Prometheus Operator - -The [Prometheus Operator](https://github.com/coreos/prometheus-operator) manages and operators a Prometheus instance. - -As an alternative to the standard Prometheus deployment, we provide a `ServiceMonitor` to monitor the Istio control plane and `PodMonitor` -Envoy proxies. To use these, make sure you have the Prometheus operator deployed, then run `kubectl apply -f samples/addons/extras/prometheus-operator.yaml`. - -> **Note** -> -> The example `PodMonitor` requires [metrics merging](https://istio.io/latest/docs/ops/integrations/prometheus/#option-1-metrics-merging) to be enabled. This is enabled by default. -> -> **Note** -> -> The configurations here are only for Istio deployments, and do not scrape metrics from the Kubernetes components. -> See the [Cluster Monitoring](https://coreos.com/operators/prometheus/docs/latest/user-guides/cluster-monitoring.html) documentation for configuring this. -> -> **Warning** -> -> When the example `PodMonitor` is used with OpenShift Monitoring, it must be created in all namespaces where istio-proxies exist. -> This is because `namespaceSelector` is ignored for tenancy isolation. diff --git a/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml b/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml deleted file mode 100644 index 73a926ef..00000000 --- a/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml +++ /dev/null @@ -1,66 +0,0 @@ -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: envoy-stats-monitor - namespace: istio-system - labels: - monitoring: istio-proxies - release: istio -spec: - selector: - matchExpressions: - - {key: istio-prometheus-ignore, operator: DoesNotExist} - namespaceSelector: - any: true - jobLabel: envoy-stats - podMetricsEndpoints: - - path: /stats/prometheus - interval: 15s - relabelings: - - action: keep - sourceLabels: [__meta_kubernetes_pod_container_name] - regex: "istio-proxy" - - action: keep - sourceLabels: [__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape] - - action: replace - regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) - replacement: '[$2]:$1' - sourceLabels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - targetLabel: __address__ - - action: replace - regex: (\d+);((([0-9]+?)(\.|$)){4}) - replacement: $2:$1 - sourceLabels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - targetLabel: __address__ - - action: labeldrop - regex: "__meta_kubernetes_pod_label_(.+)" - - sourceLabels: [__meta_kubernetes_namespace] - action: replace - targetLabel: namespace - - sourceLabels: [__meta_kubernetes_pod_name] - action: replace - targetLabel: pod_name ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: istio-component-monitor - namespace: istio-system - labels: - monitoring: istio-components - release: istio -spec: - jobLabel: istio - targetLabels: [app] - selector: - matchExpressions: - - {key: istio, operator: In, values: [pilot]} - namespaceSelector: - any: true - endpoints: - - port: http-monitoring - interval: 15s diff --git a/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml b/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml deleted file mode 100644 index cf4039d8..00000000 --- a/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml +++ /dev/null @@ -1,530 +0,0 @@ ---- -# Source: prometheus/templates/server/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system - annotations: - {} ---- -# Source: prometheus/templates/server/cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -data: - alerting_rules.yml: | - {} - alerts: | - {} - prometheus.yml: | - global: - evaluation_interval: 1m - scrape_interval: 15s - scrape_timeout: 10s - rule_files: - - /etc/config/recording_rules.yml - - /etc/config/alerting_rules.yml - - /etc/config/rules - - /etc/config/alerts - scrape_configs: - - job_name: prometheus - static_configs: - - targets: - - localhost:9090 - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-apiservers - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: default;kubernetes;https - source_labels: - - __meta_kubernetes_namespace - - __meta_kubernetes_service_name - - __meta_kubernetes_endpoint_port_name - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes-cadvisor - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - job_name: kubernetes-service-endpoints - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: kubernetes_node - - job_name: kubernetes-service-endpoints-slow - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: kubernetes_node - scrape_interval: 5m - scrape_timeout: 30s - - honor_labels: true - job_name: prometheus-pushgateway - kubernetes_sd_configs: - - role: service - relabel_configs: - - action: keep - regex: pushgateway - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - job_name: kubernetes-services - kubernetes_sd_configs: - - role: service - metrics_path: /probe - params: - module: - - http_2xx - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - source_labels: - - __address__ - target_label: __param_target - - replacement: blackbox - target_label: __address__ - - source_labels: - - __param_target - target_label: instance - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - job_name: kubernetes-pods - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_pod_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: kubernetes_pod_name - - action: drop - regex: Pending|Succeeded|Failed - source_labels: - - __meta_kubernetes_pod_phase - - job_name: kubernetes-pods-slow - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_pod_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: kubernetes_pod_name - - action: drop - regex: Pending|Succeeded|Failed - source_labels: - - __meta_kubernetes_pod_phase - scrape_interval: 5m - scrape_timeout: 30s - - job_name: kubernetes-file-sd-endpoints - kubernetes_sd_configs: - - role: endpoints - file_sd_configs: - - files: - - /etc/file_sd/*.json - relabel_configs: - - action: keep - regex: (.+) - source_labels: - - __meta_filepath - - replacement: /stats/prometheus - target_label: __metrics_path__ - - recording_rules.yml: | - {} - rules: | - {} ---- -# Source: prometheus/templates/server/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - nodes/metrics - - services - - endpoints - - pods - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - - ingresses - verbs: - - get - - list - - watch - - nonResourceURLs: - - "/metrics" - verbs: - - get - - apiGroups: - - "networking.istio.io" - verbs: - - get - - watch - - list - resources: - - workloadentries - - apiGroups: - - "" - verbs: - - get - - watch - - list - - create - - update - - patch - - delete - resources: - - configmaps ---- -# Source: prometheus/templates/server/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus -subjects: - - kind: ServiceAccount - name: prometheus - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus ---- -# Source: prometheus/templates/server/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - ports: - - name: http - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - component: "server" - app: prometheus - release: prometheus - sessionAffinity: None - type: "ClusterIP" ---- -# Source: prometheus/templates/server/deploy.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - selector: - matchLabels: - component: "server" - app: prometheus - release: prometheus - replicas: 1 - template: - metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: prometheus - containers: - - name: prometheus-server-configmap-reload - image: "jimmidyson/configmap-reload:v0.5.0" - imagePullPolicy: "IfNotPresent" - args: - - --volume-dir=/etc/config - - --webhook-url=http://127.0.0.1:9090/-/reload - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - - name: file-sd-volume - mountPath: /etc/file_sd - readOnly: true - - - name: prometheus-server - image: "prom/prometheus:v2.24.0" - imagePullPolicy: "IfNotPresent" - args: - - --storage.tsdb.retention.time=15d - - --config.file=/etc/config/prometheus.yml - - --storage.tsdb.path=/data - - --web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - - --web.enable-lifecycle - ports: - - containerPort: 9090 - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 4 - failureThreshold: 3 - successThreshold: 1 - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 10 - failureThreshold: 3 - successThreshold: 1 - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: /data - subPath: "" - - name: file-sd-volume - mountPath: /etc/file_sd - - name: vm-discovery - image: "istioecosystem/vm-discovery:latest" - imagePullPolicy: "IfNotPresent" - hostNetwork: false - dnsPolicy: ClusterFirst - securityContext: - fsGroup: 65534 - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - terminationGracePeriodSeconds: 300 - volumes: - - name: config-volume - configMap: - name: prometheus - - name: file-sd-volume - configMap: - name: file-sd-config - optional: true - - name: storage-volume - emptyDir: - {} \ No newline at end of file diff --git a/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml b/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml deleted file mode 100644 index 3d571b98..00000000 --- a/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml +++ /dev/null @@ -1,548 +0,0 @@ ---- -# Source: prometheus/templates/server/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system - annotations: - {} ---- -# Source: prometheus/templates/server/cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -data: - alerting_rules.yml: | - {} - alerts: | - {} - prometheus.yml: | - global: - evaluation_interval: 1m - scrape_interval: 15s - scrape_timeout: 10s - rule_files: - - /etc/config/recording_rules.yml - - /etc/config/alerting_rules.yml - - /etc/config/rules - - /etc/config/alerts - scrape_configs: - - job_name: prometheus - static_configs: - - targets: - - localhost:9090 - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-apiservers - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: default;kubernetes;https - source_labels: - - __meta_kubernetes_namespace - - __meta_kubernetes_service_name - - __meta_kubernetes_endpoint_port_name - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes-cadvisor - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - job_name: kubernetes-service-endpoints - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: kubernetes_node - - job_name: kubernetes-service-endpoints-slow - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: kubernetes_node - scrape_interval: 5m - scrape_timeout: 30s - - honor_labels: true - job_name: prometheus-pushgateway - kubernetes_sd_configs: - - role: service - relabel_configs: - - action: keep - regex: pushgateway - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - job_name: kubernetes-services - kubernetes_sd_configs: - - role: service - metrics_path: /probe - params: - module: - - http_2xx - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - source_labels: - - __address__ - target_label: __param_target - - replacement: blackbox - target_label: __address__ - - source_labels: - - __param_target - target_label: instance - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - job_name: kubernetes-pods - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_pod_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: kubernetes_pod_name - - action: drop - regex: Pending|Succeeded|Failed - source_labels: - - __meta_kubernetes_pod_phase - - job_name: kubernetes-pods-slow - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_pod_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: kubernetes_pod_name - - action: drop - regex: Pending|Succeeded|Failed - source_labels: - - __meta_kubernetes_pod_phase - scrape_interval: 5m - scrape_timeout: 30s - - job_name: kubernetes-file-sd-endpoints - kubernetes_sd_configs: - - role: endpoints - file_sd_configs: - - files: - - /etc/file_sd/*.json - scheme: https - tls_config: - ca_file: /etc/prom-certs/root-cert.pem - cert_file: /etc/prom-certs/cert-chain.pem - key_file: /etc/prom-certs/key.pem - insecure_skip_verify: true # Prometheus does not support Istio security naming, thus skip verifying target pod ceritifcate - relabel_configs: - - action: keep - regex: (.+) - source_labels: - - __meta_filepath - - replacement: /stats/prometheus - target_label: __metrics_path__ - - recording_rules.yml: | - {} - rules: | - {} ---- -# Source: prometheus/templates/server/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - nodes/metrics - - services - - endpoints - - pods - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - - ingresses - verbs: - - get - - list - - watch - - nonResourceURLs: - - "/metrics" - verbs: - - get - - apiGroups: - - "networking.istio.io" - verbs: - - get - - watch - - list - resources: - - workloadentries - - apiGroups: - - "" - verbs: - - get - - watch - - list - - create - - update - - patch - - delete - resources: - - configmaps ---- -# Source: prometheus/templates/server/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus -subjects: - - kind: ServiceAccount - name: prometheus - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus ---- -# Source: prometheus/templates/server/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - ports: - - name: http - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - component: "server" - app: prometheus - release: prometheus - sessionAffinity: None - type: "ClusterIP" ---- -# Source: prometheus/templates/server/deploy.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - selector: - matchLabels: - component: "server" - app: prometheus - release: prometheus - replicas: 1 - template: - metadata: - annotations: - traffic.sidecar.istio.io/includeInboundPorts: "" # do not intercept any inbound ports - traffic.sidecar.istio.io/includeOutboundIPRanges: "" # do not intercept any outbound traffic - proxy.istio.io/config: | # configure an env variable `OUTPUT_CERTS` to write certificates to the given folder - proxyMetadata: - OUTPUT_CERTS: /etc/istio-output-certs - sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]' # mount the shared volume at sidecar proxy - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - sidecar.istio.io/inject: "true" - spec: - serviceAccountName: prometheus - containers: - - name: prometheus-server-configmap-reload - image: "jimmidyson/configmap-reload:v0.5.0" - imagePullPolicy: "IfNotPresent" - args: - - --volume-dir=/etc/config - - --webhook-url=http://127.0.0.1:9090/-/reload - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - - name: file-sd-volume - mountPath: /etc/file_sd - readOnly: true - - - name: prometheus-server - image: "prom/prometheus:v2.24.0" - imagePullPolicy: "IfNotPresent" - args: - - --storage.tsdb.retention.time=15d - - --config.file=/etc/config/prometheus.yml - - --storage.tsdb.path=/data - - --web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - - --web.enable-lifecycle - ports: - - containerPort: 9090 - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 4 - failureThreshold: 3 - successThreshold: 1 - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 10 - failureThreshold: 3 - successThreshold: 1 - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: /data - subPath: "" - - name: file-sd-volume - mountPath: /etc/file_sd - - name: istio-certs - mountPath: /etc/prom-certs/ - - name: vm-discovery - image: "istioecosystem/vm-discovery:latest" - imagePullPolicy: "IfNotPresent" - hostNetwork: false - dnsPolicy: ClusterFirst - securityContext: - fsGroup: 65534 - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - terminationGracePeriodSeconds: 300 - volumes: - - name: config-volume - configMap: - name: prometheus - - name: file-sd-volume - configMap: - name: file-sd-config - optional: true - - name: istio-certs - emptyDir: - medium: Memory - - name: storage-volume - emptyDir: - {} \ No newline at end of file diff --git a/istio-1.18.2/samples/addons/extras/skywalking.yaml b/istio-1.18.2/samples/addons/extras/skywalking.yaml deleted file mode 100644 index 0633b74d..00000000 --- a/istio-1.18.2/samples/addons/extras/skywalking.yaml +++ /dev/null @@ -1,133 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: skywalking-oap - namespace: istio-system - labels: - app: skywalking-oap -spec: - selector: - matchLabels: - app: skywalking-oap - template: - metadata: - labels: - app: skywalking-oap - sidecar.istio.io/inject: "false" - spec: - containers: - - name: skywalking-oap - image: apache/skywalking-oap-server:9.1.0 - env: - - name: SW_HEALTH_CHECKER - value: default - readinessProbe: - exec: - command: - - /skywalking/bin/swctl - - health - initialDelaySeconds: 30 - periodSeconds: 5 - ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing - namespace: istio-system - labels: - app: skywalking-oap -spec: - type: ClusterIP - ports: - - name: grpc - port: 11800 - protocol: TCP - targetPort: 11800 - - name: http-query - port: 12800 - protocol: TCP - targetPort: 12800 - selector: - app: skywalking-oap ---- -apiVersion: v1 -kind: Service -metadata: - labels: - name: skywalking-oap - name: skywalking-oap - namespace: istio-system -spec: - ports: - - port: 11800 - targetPort: 11800 - name: grpc - - port: 12800 - targetPort: 12800 - name: http-query - selector: - app: skywalking-oap ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: skywalking-ui - namespace: istio-system - labels: - app: skywalking-ui -spec: - selector: - matchLabels: - app: skywalking-ui - template: - metadata: - labels: - app: skywalking-ui - annotations: - sidecar.istio.io/inject: "false" - spec: - containers: - - name: skywalking-ui - image: apache/skywalking-ui:9.1.0 - env: - - name: SW_OAP_ADDRESS - value: http://skywalking-oap:12800 - readinessProbe: - httpGet: - path: / - port: 8080 - initialDelaySeconds: 30 - periodSeconds: 5 ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing-ui - namespace: istio-system - labels: - app: skywalking-ui -spec: - type: ClusterIP - ports: - - name: http - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: skywalking-ui ---- -apiVersion: v1 -kind: Service -metadata: - labels: - name: skywalking-ui - name: skywalking-ui - namespace: istio-system -spec: - ports: - - port: 8080 - targetPort: 8080 - name: http - selector: - app: skywalking-ui diff --git a/istio-1.18.2/samples/addons/extras/zipkin.yaml b/istio-1.18.2/samples/addons/extras/zipkin.yaml deleted file mode 100644 index b9bced3d..00000000 --- a/istio-1.18.2/samples/addons/extras/zipkin.yaml +++ /dev/null @@ -1,61 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: zipkin - namespace: istio-system - labels: - app: zipkin -spec: - selector: - matchLabels: - app: zipkin - template: - metadata: - labels: - app: zipkin - sidecar.istio.io/inject: "false" - spec: - containers: - - name: zipkin - image: openzipkin/zipkin-slim:2.23.14 - env: - - name: STORAGE_METHOD - value: "mem" - readinessProbe: - httpGet: - path: /health - port: 9411 - initialDelaySeconds: 5 - periodSeconds: 5 ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing - namespace: istio-system - labels: - app: zipkin -spec: - type: ClusterIP - ports: - - name: http-query - port: 80 - protocol: TCP - targetPort: 9411 - selector: - app: zipkin ---- -apiVersion: v1 -kind: Service -metadata: - labels: - name: zipkin - name: zipkin - namespace: istio-system -spec: - ports: - - port: 9411 - targetPort: 9411 - name: http-query - selector: - app: zipkin diff --git a/istio-1.18.2/samples/addons/grafana.yaml b/istio-1.18.2/samples/addons/grafana.yaml deleted file mode 100644 index 0cebcf49..00000000 --- a/istio-1.18.2/samples/addons/grafana.yaml +++ /dev/null @@ -1,1129 +0,0 @@ ---- -# Source: grafana/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - helm.sh/chart: grafana-6.31.1 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "9.0.1" - app.kubernetes.io/managed-by: Helm - name: grafana - namespace: istio-system ---- -# Source: grafana/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: grafana - namespace: istio-system - labels: - helm.sh/chart: grafana-6.31.1 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "9.0.1" - app.kubernetes.io/managed-by: Helm -data: - allow-snippet-annotations: "false" - grafana.ini: | - [analytics] - check_for_updates = true - [grafana_net] - url = https://grafana.net - [log] - mode = console - [paths] - data = /var/lib/grafana/ - logs = /var/log/grafana - plugins = /var/lib/grafana/plugins - provisioning = /etc/grafana/provisioning - - datasources.yaml: | - apiVersion: 1 - datasources: - - access: proxy - editable: true - isDefault: true - jsonData: - timeInterval: 5s - name: Prometheus - orgId: 1 - type: prometheus - url: http://prometheus:9090 - - access: proxy - editable: true - isDefault: false - jsonData: - timeInterval: 5s - name: Loki - orgId: 1 - type: loki - url: http://loki:3100 - dashboardproviders.yaml: | - apiVersion: 1 - providers: - - disableDeletion: false - folder: istio - name: istio - options: - path: /var/lib/grafana/dashboards/istio - orgId: 1 - type: file - - disableDeletion: false - folder: istio - name: istio-services - options: - path: /var/lib/grafana/dashboards/istio-services - orgId: 1 - type: file ---- -# Source: grafana/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: grafana - namespace: istio-system - labels: - helm.sh/chart: grafana-6.31.1 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "9.0.1" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: service - port: 3000 - protocol: TCP - targetPort: 3000 - - selector: - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana ---- -# Source: grafana/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: grafana - namespace: istio-system - labels: - helm.sh/chart: grafana-6.31.1 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "9.0.1" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - strategy: - type: RollingUpdate - template: - metadata: - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app: grafana - sidecar.istio.io/inject: "false" - annotations: - checksum/config: 21013edd24d239f48f0228579d13d44411baf698367879ae68290467749f6dcf - checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - checksum/sc-dashboard-provider-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - spec: - - serviceAccountName: grafana - automountServiceAccountToken: true - securityContext: - fsGroup: 472 - runAsGroup: 472 - runAsUser: 472 - enableServiceLinks: true - containers: - - name: grafana - image: "grafana/grafana:9.0.1" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: config - mountPath: "/etc/grafana/grafana.ini" - subPath: grafana.ini - - name: storage - mountPath: "/var/lib/grafana" - - name: dashboards-istio - mountPath: "/var/lib/grafana/dashboards/istio" - - name: dashboards-istio-services - mountPath: "/var/lib/grafana/dashboards/istio-services" - - name: config - mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" - subPath: "datasources.yaml" - - name: config - mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" - subPath: "dashboardproviders.yaml" - ports: - - name: service - containerPort: 3000 - protocol: TCP - - name: grafana - containerPort: 3000 - protocol: TCP - env: - - name: GF_PATHS_DATA - value: /var/lib/grafana/ - - name: GF_PATHS_LOGS - value: /var/log/grafana - - name: GF_PATHS_PLUGINS - value: /var/lib/grafana/plugins - - name: GF_PATHS_PROVISIONING - value: /etc/grafana/provisioning - - name: "GF_AUTH_ANONYMOUS_ENABLED" - value: "true" - - name: "GF_AUTH_ANONYMOUS_ORG_ROLE" - value: "Admin" - - name: "GF_AUTH_BASIC_ENABLED" - value: "false" - - name: "GF_SECURITY_ADMIN_PASSWORD" - value: "-" - - name: "GF_SECURITY_ADMIN_USER" - value: "-" - livenessProbe: - failureThreshold: 10 - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 60 - timeoutSeconds: 30 - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - {} - volumes: - - name: config - configMap: - name: grafana - - - name: dashboards-istio - configMap: - name: istio-grafana-dashboards - - name: dashboards-istio-services - configMap: - name: istio-services-grafana-dashboards - - name: storage - emptyDir: {} - ---- - -apiVersion: v1 -data: - istio-performance-dashboard.json: | - {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":true,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":21,"panels":[{"content":"The charts on this dashboard are intended to show Istio main components cost in terms of resources utilization under steady load.\n\n- **vCPU / 1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred / sec:** shows the number of bytes flowing through each Istio component.\n\n\n","gridPos":{"h":6,"w":24,"x":0,"y":1},"id":19,"links":[],"mode":"markdown","timeFrom":null,"timeShift":null,"title":"Performance Dashboard README","transparent":true,"type":"text"}],"title":"Performance Dashboard Notes","type":"row"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":1},"id":6,"panels":[],"title":"vCPU Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":2},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"(sum(irate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"(sum(irate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU / 1k rps","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":2},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":10},"id":13,"panels":[],"title":"Memory and Data Rates","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":11},"id":902,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\"}) / count(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\",container!=\"POD\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio-ingressgateway","refId":"A"},{"expr":"sum(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"}) / count(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory Usage","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":11},"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Bytes transferred / sec","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":19},"id":17,"panels":[],"title":"Istio Component Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":24,"x":0,"y":20},"id":15,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":71,"panels":[],"title":"Proxy Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":32},"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":32},"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":32},"id":702,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_fs_usage_bytes{container=\"istio-proxy\"})","format":"time_series","intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":39},"id":69,"panels":[],"title":"Istiod Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":40},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"sum(container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"C","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} (k8s)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":40},"id":602,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2},{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m])) by (container)","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} (k8s)","refId":"B","step":2},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"pilot (self-reported)","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":40},"id":74,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_open_fds{app=\"istiod\"}","format":"time_series","hide":true,"instant":false,"interval":"","intervalFactor":2,"legendFormat":"Open FDs (pilot)","refId":"A"},{"expr":"container_fs_usage_bytes{ container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"{{ container }}","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":40},"id":402,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"10s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Istio Performance Dashboard","uid":"vu8e0VWZk","version":22} - pilot-dashboard.json: | - {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":1,"links":[],"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":60,"panels":[],"title":"Deployed Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":5,"w":24,"x":0,"y":1},"id":56,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build{component=\"pilot\"}) by (tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Versions","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":6},"id":62,"panels":[],"title":"Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":7},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (container)","refId":"B","step":2},{"expr":"container_memory_working_set_bytes{container=~\"istio-proxy\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar (container)","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":7},"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Discovery (container)","refId":"A"},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (process)","refId":"C","step":2},{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"istio-proxy\", pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Sidecar (container)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"CPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":7},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"container_fs_usage_bytes{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"Discovery","refId":"B","step":2},{"expr":"container_fs_usage_bytes{container=\"istio-proxy\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":7},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":14},"id":58,"panels":[],"title":"Pilot Push Information","type":"row"},{"aliasColors":{},"bars":true,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the rate of pilot pushes","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":15},"id":622,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":false,"linewidth":1,"links":[],"nullPointMode":"null as zero","paceLength":10,"percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":true,"steppedLine":false,"targets":[{"expr":"sum(irate(pilot_xds_pushes{type=\"cds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Cluster","refId":"C"},{"expr":"sum(irate(pilot_xds_pushes{type=\"eds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Endpoints","refId":"D"},{"expr":"sum(irate(pilot_xds_pushes{type=\"lds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Listeners","refId":"A"},{"expr":"sum(irate(pilot_xds_pushes{type=\"rds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Routes","refId":"E"},{"expr":"sum(irate(pilot_xds_pushes{type=\"sds\"}[1m]))","interval":"","legendFormat":"Secrets","refId":"B"},{"expr":"sum(irate(pilot_xds_pushes{type=\"nds\"}[1m]))","interval":"","legendFormat":"Nametables","refId":"F"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Pushes","tooltip":{"shared":false,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":["total"]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":"0","show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Captures a variety of pilot errors","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":15},"id":67,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(pilot_xds_cds_reject{app=\"istiod\"}) or (absent(pilot_xds_cds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected CDS Configs","refId":"C"},{"expr":"sum(pilot_xds_eds_reject{app=\"istiod\"}) or (absent(pilot_xds_eds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected EDS Configs","refId":"D"},{"expr":"sum(pilot_xds_rds_reject{app=\"istiod\"}) or (absent(pilot_xds_rds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected RDS Configs","refId":"A"},{"expr":"sum(pilot_xds_lds_reject{app=\"istiod\"}) or (absent(pilot_xds_lds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected LDS Configs","refId":"B"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Write Timeouts","refId":"F"},{"expr":"sum(rate(pilot_total_xds_internal_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Internal Errors","refId":"H"},{"expr":"sum(rate(pilot_total_xds_rejects{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Config Rejection Rate","refId":"E"},{"expr":"sum(rate(pilot_xds_push_context_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Push Context Errors","refId":"K"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Push Timeouts","refId":"G"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Errors","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the total time it takes to push a config update to a proxy","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":15},"id":624,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"histogram_quantile(0.5, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p50 ","refId":"A"},{"expr":"histogram_quantile(0.9, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p90","refId":"B"},{"expr":"histogram_quantile(0.99, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99","refId":"C"},{"expr":"histogram_quantile(0.999, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99.9","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Proxy Push Time","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"s","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":23},"id":45,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null as zero","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"pilot_conflict_inbound_listener{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Inbound Listeners","refId":"B"},{"expr":"pilot_conflict_outbound_listener_http_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (http over current tcp)","refId":"A"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current tcp)","refId":"C"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_http{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current http)","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Conflicts","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":23},"id":47,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(pilot_virt_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Virtual Services","refId":"A"},{"expr":"avg(pilot_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Services","refId":"B"},{"expr":"sum(pilot_xds{app=\"istiod\"}) by (pod)","format":"time_series","intervalFactor":1,"legendFormat":"Connected Endpoints {{pod}}","refId":"E"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"ADS Monitoring","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":64,"panels":[],"title":"Envoy Information","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows details about Envoy proxies in the mesh","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":32},"id":40,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(envoy_cluster_upstream_cx_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connections","refId":"C"},{"expr":"sum(irate(envoy_cluster_upstream_cx_connect_fail{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connection Failures","refId":"A"},{"expr":"sum(increase(envoy_server_hot_restart_epoch[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Envoy Restarts","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Envoy Details","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":32},"id":41,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})","format":"time_series","intervalFactor":2,"legendFormat":"XDS Active Connections","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Active Connections","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the size of XDS requests and responses","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":32},"id":42,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"max(rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Max","refId":"D"},{"expr":"quantile(0.5, rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Average","refId":"B"},{"expr":"max(rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Max","refId":"A"},{"expr":"quantile(.5, rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Average","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Requests Size","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":null,"gridPos":{"h":1,"w":24,"x":0,"y":40},"id":626,"panels":[],"title":"Webhooks","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":41},"hiddenSeries":false,"id":629,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(galley_validation_passed[1m]))","interval":"","legendFormat":"Validations (Success)","refId":"A"},{"expr":"sum(rate(galley_validation_failed[1m]))","interval":"","legendFormat":"Validation (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Configuration Validation","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"description":"","fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":41},"hiddenSeries":false,"id":630,"legend":{"avg":false,"current":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(sidecar_injection_success_total[1m]))","interval":"","legendFormat":"Injections (Success)","refId":"A"},{"expr":"sum(rate(sidecar_injection_failure_total[1m]))","interval":"","legendFormat":"Injections (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Sidecar Injection","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Control Plane Dashboard","uid":"3--MLVZZk","version":11} -kind: ConfigMap -metadata: - creationTimestamp: null - name: istio-grafana-dashboards - namespace: istio-system - ---- - -apiVersion: v1 -data: - istio-extension-dashboard.json: | - {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":0},"id":3,"panels":[],"title":"Wasm VMs","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"","fieldConfig":{"defaults":{"custom":{"align":null},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":1},"hiddenSeries":false,"id":2,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_active)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_active)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Active","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:123","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:124","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":1},"hiddenSeries":false,"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_created)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_created)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Created","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:68","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:69","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":9},"id":7,"panels":[],"title":"Wasm Module Remote Load","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":0,"y":10},"hiddenSeries":false,"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_entries)","interval":"","legendFormat":"entries","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache Entry","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:178","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:179","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":8,"y":10},"hiddenSeries":false,"id":8,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_hits)","interval":"","legendFormat":"hits","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_cache_misses)","interval":"","legendFormat":"misses","refId":"B"},{"expr":"avg(envoy_wasm_remote_load_cache_negative_hits)","interval":"","legendFormat":"negative hits","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache Visit","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:233","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:234","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":16,"y":10},"hiddenSeries":false,"id":10,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_fetch_failures)","interval":"","legendFormat":"failures","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_fetch_successes)","interval":"","legendFormat":"successes","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Remote Fetch","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:288","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:289","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":18},"id":71,"panels":[],"title":"Proxy Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":19},"hiddenSeries":false,"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:396","format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:397","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":19},"hiddenSeries":false,"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:447","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:448","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":false,"schemaVersion":26,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["10s","30s","1m","5m","15m","30m","1h","2h","1d"]},"timezone":"","title":"Istio Wasm Extension Dashboard","uid":"7PAV7ctGz","version":17} - istio-mesh-dashboard.json: | - {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[{"content":"
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to secure,\n connect, and \n monitor microservices.\n
\n Need help? Join the Istio community.\n
\n
","gridPos":{"h":3,"w":24,"x":0,"y":0},"height":"50px","id":13,"links":[],"mode":"html","style":{"font-size":"18pt"},"title":"","transparent":true,"type":"text"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":3},"id":20,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"round(sum(irate(istio_requests_total{reporter=\"source\"}[1m])), 0.001)","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"Global Request Volume","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"percentunit","gauge":{"maxValue":100,"minValue":80,"show":false,"thresholdLabels":false,"thresholdMarkers":false},"gridPos":{"h":3,"w":6,"x":6,"y":3},"id":21,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"95, 99, 99.5","title":"Global Success Rate (non-5xx responses)","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":3},"id":22,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", response_code=~\"4.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"4xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":3},"id":23,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", response_code=~\"5.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"5xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":113,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Virtual Services","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":114,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Destination Rules","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":115,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Gateways","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":116,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Workload Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":117,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Service Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":90,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"PeerAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":91,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"RequestAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":92,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Authorization Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":21,"w":24,"x":0,"y":9},"hideTimeOverride":false,"id":73,"links":[],"pageSize":null,"repeat":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"Workload dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Requests","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[],"type":"number","unit":"ops"},{"alias":"P50 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"s"},{"alias":"P90 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #C","thresholds":[],"type":"number","unit":"s"},{"alias":"P99 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #D","thresholds":[],"type":"number","unit":"s"},{"alias":"Success Rate","colorMode":"cell","colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #E","thresholds":[".95"," 1.00"],"type":"number","unit":"percentunit"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-workload=${__cell_2:raw}&var-namespace=${__cell_3:raw}","pattern":"destination_workload_var","thresholds":[],"type":"number","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_requests_total{reporter=\"source\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"A"},{"expr":"label_join((histogram_quantile(0.50, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"B"},{"expr":"label_join((histogram_quantile(0.90, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"C"},{"expr":"label_join((histogram_quantile(0.99, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"D"},{"expr":"label_join((sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"interval":"","intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"E"}],"timeFrom":null,"title":"HTTP/GRPC Workloads","transform":"table","type":"table"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":18,"w":24,"x":0,"y":30},"hideTimeOverride":false,"id":109,"links":[],"pageSize":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"Bytes Sent","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[""],"type":"number","unit":"Bps"},{"alias":"Bytes Received","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"Bps"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload_var","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"number","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"A"},{"expr":"label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"B"}],"timeFrom":null,"title":"TCP Workloads","transform":"table","type":"table"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":9,"w":24,"x":0,"y":48},"id":111,"legend":{"alignAsTable":false,"avg":false,"current":false,"max":false,"min":false,"rightSide":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Mesh Dashboard","uid":"G8wLrJIZk","version":5} - istio-service-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"-- - Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations - & Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1595591291797,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":106,\"panels\":[{\"content\":\"
\\nSERVICE: $service\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nSERVICE: $service\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, - 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m])), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Client - Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, - 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, - 99, 99.5\",\"title\":\"Client Success Rate (non-5xx responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Client - Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, - 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":4},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP - Received Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, - 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":8},\"id\":97,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m])), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Server - Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, - 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":8},\"id\":98,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) - / sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, - 99, 99.5\",\"title\":\"Server Success Rate (non-5xx responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":8},\"hiddenSeries\":false,\"id\":99,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Server - Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, - 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":8},\"id\":100,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP - Sent Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":104,\"panels\":[{\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":2},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":5},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null - as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=~\\\"$qrep\\\",source_workload=~\\\"$srcwl\\\",source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace, - response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Requests By Source And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":5},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Success Rate (non-5xx responses) By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":11},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Duration By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":11},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Size By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":11},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response - Size By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Client - Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":102,\"panels\":[{\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":3},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":6},\"hiddenSeries\":false,\"id\":90,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null - as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=\\\"destination\\\",destination_workload=~\\\"$dstwl\\\",destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} : {{ response_code - }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", reporter=\\\"destination\\\", destination_workload=~\\\"$dstwl\\\", - destination_workload_namespace=~\\\"$dstns\\\"}[5m])) by (destination_workload, - destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} : {{ response_code - }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Requests By Destination Workload And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":6},\"hiddenSeries\":false,\"id\":91,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Success Rate (non-5xx responses) By Destination Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":12},\"hiddenSeries\":false,\"id\":94,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Duration By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":12},\"hiddenSeries\":false,\"id\":95,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":12},\"hiddenSeries\":false,\"id\":96,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response - Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":18},\"hiddenSeries\":false,\"id\":92,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":18},\"hiddenSeries\":false,\"id\":93,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", - destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, - destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", - destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, - destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Service - Workloads\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Service\",\"multi\":false,\"name\":\"service\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{}) - by (destination_service) or sum(istio_tcp_sent_bytes_total{}) by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client - Cluster\",\"multi\":true,\"name\":\"srccluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_service=\\\"$service\\\"}) by (source_cluster) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}) by (source_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client - Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_service=\\\"$service\\\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}) by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client - Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) - by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) - by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service - Workload Cluster\",\"multi\":true,\"name\":\"dstcluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", - destination_service=\\\"$service\\\"}) by (destination_cluster) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", - destination_service=~\\\"$service\\\"}) by (destination_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service - Workload Namespace\",\"multi\":true,\"name\":\"dstns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", - destination_service=\\\"$service\\\"}) by (destination_workload_namespace) or - sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\"}) - by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service - Workload\",\"multi\":true,\"name\":\"dstwl\",\"options\":[],\"query\":\"query_result( - sum(istio_requests_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", - destination_cluster=~\\\"$dstcluster\\\", destination_workload_namespace=~\\\"$dstns\\\"}) - by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", - destination_service=~\\\"$service\\\", destination_cluster=~\\\"$dstcluster\\\", - destination_workload_namespace=~\\\"$dstns\\\"}) by (destination_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio - Service Dashboard\",\"uid\":\"LJ_uJAvmk\",\"version\":1}\n" - istio-workload-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"-- - Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations - & Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1531345461465,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":95,\"panels\":[{\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, - 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":8,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m])), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Incoming - Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, - 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":8,\"x\":8,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\"}[5m])) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, - 99, 99.5\",\"title\":\"Incoming Success Rate (non-5xx responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":8,\"x\":16,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or - histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or - histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or - histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Request - Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, - 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":0,\"y\":8},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\"}[1m])) - + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP - Server Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, - 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":12,\"y\":8},\"id\":85,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\"}[1m])) - + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP - Client Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":93,\"panels\":[{\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":13},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":16},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null - as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Requests By Source And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":16},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Success Rate (non-5xx responses) By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":22},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Duration By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":22},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Size By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":22},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response - Size By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":28},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":28},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Inbound - Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":91,\"panels\":[{\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":14},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":70,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null - as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal=~\\\"spiffe.*\\\", - source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, - response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal!~\\\"spiffe.*\\\", - source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, - response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing - Requests By Destination And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":71,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing - Success Rate (non-5xx responses) By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":23},\"hiddenSeries\":false,\"id\":72,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing - Request Duration By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":23},\"hiddenSeries\":false,\"id\":73,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing - Request Size By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":23},\"hiddenSeries\":false,\"id\":74,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response - Size By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":29},\"hiddenSeries\":false,\"id\":76,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Sent on Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":29},\"hiddenSeries\":false,\"id\":78,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Received from Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Outbound - Services\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Namespace\",\"multi\":false,\"name\":\"namespace\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total) - by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*_namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Workload\",\"multi\":false,\"name\":\"workload\",\"options\":[],\"query\":\"query_result((sum(istio_requests_total{destination_workload_namespace=~\\\"$namespace\\\"}) - by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\\\"$namespace\\\"}) - by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload)))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound - Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound - Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Destination - Service\",\"multi\":true,\"name\":\"dstsvc\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"source\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) - by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) - by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio - Workload Dashboard\",\"uid\":\"UbsSZTDik\",\"version\":1}\n" -kind: ConfigMap -metadata: - creationTimestamp: null - name: istio-services-grafana-dashboards - namespace: istio-system diff --git a/istio-1.18.2/samples/addons/jaeger.yaml b/istio-1.18.2/samples/addons/jaeger.yaml deleted file mode 100644 index 41896ee1..00000000 --- a/istio-1.18.2/samples/addons/jaeger.yaml +++ /dev/null @@ -1,117 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jaeger - namespace: istio-system - labels: - app: jaeger -spec: - selector: - matchLabels: - app: jaeger - template: - metadata: - labels: - app: jaeger - sidecar.istio.io/inject: "false" - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "14269" - spec: - containers: - - name: jaeger - image: "docker.io/jaegertracing/all-in-one:1.35" - env: - - name: BADGER_EPHEMERAL - value: "false" - - name: SPAN_STORAGE_TYPE - value: "badger" - - name: BADGER_DIRECTORY_VALUE - value: "/badger/data" - - name: BADGER_DIRECTORY_KEY - value: "/badger/key" - - name: COLLECTOR_ZIPKIN_HOST_PORT - value: ":9411" - - name: MEMORY_MAX_TRACES - value: "50000" - - name: QUERY_BASE_PATH - value: /jaeger - livenessProbe: - httpGet: - path: / - port: 14269 - readinessProbe: - httpGet: - path: / - port: 14269 - volumeMounts: - - name: data - mountPath: /badger - resources: - requests: - cpu: 10m - volumes: - - name: data - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing - namespace: istio-system - labels: - app: jaeger -spec: - type: ClusterIP - ports: - - name: http-query - port: 80 - protocol: TCP - targetPort: 16686 - # Note: Change port name if you add '--query.grpc.tls.enabled=true' - - name: grpc-query - port: 16685 - protocol: TCP - targetPort: 16685 - selector: - app: jaeger ---- -# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin. -apiVersion: v1 -kind: Service -metadata: - labels: - name: zipkin - name: zipkin - namespace: istio-system -spec: - ports: - - port: 9411 - targetPort: 9411 - name: http-query - selector: - app: jaeger ---- -apiVersion: v1 -kind: Service -metadata: - name: jaeger-collector - namespace: istio-system - labels: - app: jaeger -spec: - type: ClusterIP - ports: - - name: jaeger-collector-http - port: 14268 - targetPort: 14268 - protocol: TCP - - name: jaeger-collector-grpc - port: 14250 - targetPort: 14250 - protocol: TCP - - port: 9411 - targetPort: 9411 - name: http-zipkin - selector: - app: jaeger diff --git a/istio-1.18.2/samples/addons/kiali.yaml b/istio-1.18.2/samples/addons/kiali.yaml deleted file mode 100644 index 41ab9672..00000000 --- a/istio-1.18.2/samples/addons/kiali.yaml +++ /dev/null @@ -1,551 +0,0 @@ ---- -# Source: kiali-server/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kiali - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -... ---- -# Source: kiali-server/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kiali - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -data: - config.yaml: | - auth: - openid: {} - openshift: - client_id_prefix: kiali - strategy: anonymous - deployment: - accessible_namespaces: - - '**' - additional_service_yaml: {} - affinity: - node: {} - pod: {} - pod_anti: {} - configmap_annotations: {} - custom_secrets: [] - host_aliases: [] - hpa: - api_version: autoscaling/v2beta2 - spec: {} - image_digest: "" - image_name: quay.io/kiali/kiali - image_pull_policy: Always - image_pull_secrets: [] - image_version: v1.67 - ingress: - additional_labels: {} - class_name: nginx - override_yaml: - metadata: {} - ingress_enabled: false - instance_name: kiali - logger: - log_format: text - log_level: info - sampler_rate: "1" - time_field_format: 2006-01-02T15:04:05Z07:00 - namespace: istio-system - node_selector: {} - pod_annotations: {} - pod_labels: - sidecar.istio.io/inject: "false" - priority_class_name: "" - replicas: 1 - resources: - limits: - memory: 1Gi - requests: - cpu: 10m - memory: 64Mi - secret_name: kiali - security_context: {} - service_annotations: {} - service_type: "" - tolerations: [] - version_label: v1.67.0 - view_only_mode: false - external_services: - custom_dashboards: - enabled: true - istio: - root_namespace: istio-system - identity: - cert_file: "" - private_key_file: "" - istio_namespace: istio-system - kiali_feature_flags: - certificates_information_indicators: - enabled: true - secrets: - - cacerts - - istio-ca-secret - clustering: - autodetect_secrets: - enabled: true - label: kiali.io/multiCluster=true - clusters: [] - disabled_features: [] - validations: - ignore: - - KIA1201 - login_token: - signing_key: CHANGEME00000000 - server: - metrics_enabled: true - metrics_port: 9090 - port: 20001 - web_root: /kiali -... ---- -# Source: kiali-server/templates/role-viewer.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kiali-viewer - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -rules: -- apiGroups: [""] - resources: - - configmaps - - endpoints - - pods/log - verbs: - - get - - list - - watch -- apiGroups: [""] - resources: - - namespaces - - pods - - replicationcontrollers - - services - verbs: - - get - - list - - watch -- apiGroups: [""] - resources: - - pods/portforward - verbs: - - create - - post -- apiGroups: ["extensions", "apps"] - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - get - - list - - watch -- apiGroups: ["batch"] - resources: - - cronjobs - - jobs - verbs: - - get - - list - - watch -- apiGroups: - - networking.istio.io - - security.istio.io - - extensions.istio.io - - telemetry.istio.io - - gateway.networking.k8s.io - resources: ["*"] - verbs: - - get - - list - - watch -- apiGroups: ["apps.openshift.io"] - resources: - - deploymentconfigs - verbs: - - get - - list - - watch -- apiGroups: ["project.openshift.io"] - resources: - - projects - verbs: - - get -- apiGroups: ["route.openshift.io"] - resources: - - routes - verbs: - - get -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: - - create -... ---- -# Source: kiali-server/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kiali - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -rules: -- apiGroups: [""] - resources: - - configmaps - - endpoints - - pods/log - verbs: - - get - - list - - watch -- apiGroups: [""] - resources: - - namespaces - - pods - - replicationcontrollers - - services - verbs: - - get - - list - - watch - - patch -- apiGroups: [""] - resources: - - pods/portforward - verbs: - - create - - post -- apiGroups: ["extensions", "apps"] - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - get - - list - - watch - - patch -- apiGroups: ["batch"] - resources: - - cronjobs - - jobs - verbs: - - get - - list - - watch - - patch -- apiGroups: - - networking.istio.io - - security.istio.io - - extensions.istio.io - - telemetry.istio.io - - gateway.networking.k8s.io - resources: ["*"] - verbs: - - get - - list - - watch - - create - - delete - - patch -- apiGroups: ["apps.openshift.io"] - resources: - - deploymentconfigs - verbs: - - get - - list - - watch - - patch -- apiGroups: ["project.openshift.io"] - resources: - - projects - verbs: - - get -- apiGroups: ["route.openshift.io"] - resources: - - routes - verbs: - - get -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: - - create -... ---- -# Source: kiali-server/templates/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kiali - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kiali -subjects: -- kind: ServiceAccount - name: kiali - namespace: istio-system -... ---- -# Source: kiali-server/templates/role-controlplane.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kiali-controlplane - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -rules: -- apiGroups: [""] - resourceNames: - - cacerts - - istio-ca-secret - resources: - - secrets - verbs: - - get - - list - - watch -... ---- -# Source: kiali-server/templates/rolebinding-controlplane.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kiali-controlplane - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kiali-controlplane -subjects: -- kind: ServiceAccount - name: kiali - namespace: istio-system -... ---- -# Source: kiali-server/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: kiali - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" - annotations: -spec: - ports: - - name: http - appProtocol: http - protocol: TCP - port: 20001 - - name: http-metrics - appProtocol: http - protocol: TCP - port: 9090 - selector: - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali -... ---- -# Source: kiali-server/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kiali - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - name: kiali - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" - sidecar.istio.io/inject: "false" - annotations: - checksum/config: 88419f205248a3fdba75ba592ce095a39000318ed6056baaa08ea19d716e94c1 - prometheus.io/scrape: "true" - prometheus.io/port: "9090" - kiali.io/dashboards: go,kiali - spec: - serviceAccountName: kiali - containers: - - image: "quay.io/kiali/kiali:v1.67" - imagePullPolicy: Always - name: kiali - command: - - "/opt/kiali/kiali" - - "-config" - - "/kiali-configuration/config.yaml" - securityContext: - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - ports: - - name: api-port - containerPort: 20001 - - name: http-metrics - containerPort: 9090 - readinessProbe: - httpGet: - path: /kiali/healthz - port: api-port - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 30 - livenessProbe: - httpGet: - path: /kiali/healthz - port: api-port - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 30 - env: - - name: ACTIVE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LOG_LEVEL - value: "info" - - name: LOG_FORMAT - value: "text" - - name: LOG_TIME_FIELD_FORMAT - value: "2006-01-02T15:04:05Z07:00" - - name: LOG_SAMPLER_RATE - value: "1" - volumeMounts: - - name: kiali-configuration - mountPath: "/kiali-configuration" - - name: kiali-cert - mountPath: "/kiali-cert" - - name: kiali-secret - mountPath: "/kiali-secret" - - name: kiali-cabundle - mountPath: "/kiali-cabundle" - resources: - limits: - memory: 1Gi - requests: - cpu: 10m - memory: 64Mi - volumes: - - name: kiali-configuration - configMap: - name: kiali - - name: kiali-cert - secret: - secretName: istio.kiali-service-account - optional: true - - name: kiali-secret - secret: - secretName: kiali - optional: true - - name: kiali-cabundle - configMap: - name: kiali-cabundle - optional: true -... diff --git a/istio-1.18.2/samples/addons/loki.yaml b/istio-1.18.2/samples/addons/loki.yaml deleted file mode 100644 index edabc36a..00000000 --- a/istio-1.18.2/samples/addons/loki.yaml +++ /dev/null @@ -1,283 +0,0 @@ ---- -# Source: loki/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: loki - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: loki/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: loki - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm -data: - config.yaml: | - auth_enabled: false - common: - compactor_address: 'loki' - path_prefix: /var/loki - replication_factor: 1 - storage: - filesystem: - chunks_directory: /var/loki/chunks - rules_directory: /var/loki/rules - limits_config: - enforce_metric_name: false - max_cache_freshness_per_query: 10m - reject_old_samples: true - reject_old_samples_max_age: 168h - split_queries_by_interval: 15m - memberlist: - join_members: - - loki-memberlist - query_range: - align_queries_with_step: true - ruler: - storage: - type: local - runtime_config: - file: /etc/loki/runtime-config/runtime-config.yaml - schema_config: - configs: - - from: "2022-01-11" - index: - period: 24h - prefix: loki_index_ - object_store: filesystem - schema: v12 - store: boltdb-shipper - server: - grpc_listen_port: 9095 - http_listen_port: 3100 - storage_config: - hedging: - at: 250ms - max_per_second: 20 - up_to: 3 - table_manager: - retention_deletes_enabled: false - retention_period: 0 ---- -# Source: loki/templates/runtime-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: loki-runtime - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm -data: - runtime-config.yaml: | - - {} ---- -# Source: loki/templates/service-memberlist.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-memberlist - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - clusterIP: None - ports: - - name: tcp - port: 7946 - targetPort: http-memberlist - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/part-of: memberlist ---- -# Source: loki/templates/single-binary/service-headless.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-headless - namespace: istio-system - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm - variant: headless - prometheus.io/service-monitor: "false" -spec: - clusterIP: None - ports: - - name: http-metrics - port: 3100 - targetPort: http-metrics - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki ---- -# Source: loki/templates/single-binary/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: http-metrics - port: 3100 - targetPort: http-metrics - protocol: TCP - - name: grpc - port: 9095 - targetPort: grpc - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary ---- -# Source: loki/templates/single-binary/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: loki - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: single-binary - app.kubernetes.io/part-of: memberlist -spec: - replicas: 1 - podManagementPolicy: Parallel - updateStrategy: - rollingUpdate: - partition: 0 - serviceName: loki-headless - revisionHistoryLimit: 10 - - persistentVolumeClaimRetentionPolicy: - whenDeleted: Delete - whenScaled: Delete - selector: - matchLabels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary - template: - metadata: - annotations: - checksum/config: a9239b6352e34bbfc748669ed46cb24211fc3491ee7f2c6381af805f8f08fe29 - labels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary - app.kubernetes.io/part-of: memberlist - spec: - serviceAccountName: loki - automountServiceAccountToken: true - enableServiceLinks: true - - securityContext: - fsGroup: 10001 - runAsGroup: 10001 - runAsNonRoot: true - runAsUser: 10001 - terminationGracePeriodSeconds: 30 - containers: - - name: loki - image: docker.io/grafana/loki:2.7.3 - imagePullPolicy: IfNotPresent - args: - - -config.file=/etc/loki/config/config.yaml - - -target=all - ports: - - name: http-metrics - containerPort: 3100 - protocol: TCP - - name: grpc - containerPort: 9095 - protocol: TCP - - name: http-memberlist - containerPort: 7946 - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - readinessProbe: - httpGet: - path: /ready - port: http-metrics - initialDelaySeconds: 30 - timeoutSeconds: 1 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: config - mountPath: /etc/loki/config - - name: runtime-config - mountPath: /etc/loki/runtime-config - - name: storage - mountPath: /var/loki - resources: - {} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary - topologyKey: kubernetes.io/hostname - - volumes: - - name: tmp - emptyDir: {} - - name: config - configMap: - name: loki - - name: runtime-config - configMap: - name: loki-runtime - volumeClaimTemplates: - - metadata: - name: storage - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "10Gi" diff --git a/istio-1.18.2/samples/addons/prometheus.yaml b/istio-1.18.2/samples/addons/prometheus.yaml deleted file mode 100644 index f11e794a..00000000 --- a/istio-1.18.2/samples/addons/prometheus.yaml +++ /dev/null @@ -1,531 +0,0 @@ ---- -# Source: prometheus/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus - namespace: istio-system - annotations: - {} ---- -# Source: prometheus/templates/cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus - namespace: istio-system -data: - allow-snippet-annotations: "false" - alerting_rules.yml: | - {} - alerts: | - {} - prometheus.yml: | - global: - evaluation_interval: 1m - scrape_interval: 15s - scrape_timeout: 10s - rule_files: - - /etc/config/recording_rules.yml - - /etc/config/alerting_rules.yml - - /etc/config/rules - - /etc/config/alerts - scrape_configs: - - job_name: prometheus - static_configs: - - targets: - - localhost:9090 - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-apiservers - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: default;kubernetes;https - source_labels: - - __meta_kubernetes_namespace - - __meta_kubernetes_service_name - - __meta_kubernetes_endpoint_port_name - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes-cadvisor - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - honor_labels: true - job_name: kubernetes-service-endpoints - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape - - action: drop - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (.+?)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: service - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: node - - honor_labels: true - job_name: kubernetes-service-endpoints-slow - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (.+?)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: service - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: node - scrape_interval: 5m - scrape_timeout: 30s - - honor_labels: true - job_name: prometheus-pushgateway - kubernetes_sd_configs: - - role: service - relabel_configs: - - action: keep - regex: pushgateway - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - honor_labels: true - job_name: kubernetes-services - kubernetes_sd_configs: - - role: service - metrics_path: /probe - params: - module: - - http_2xx - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - source_labels: - - __address__ - target_label: __param_target - - replacement: blackbox - target_label: __address__ - - source_labels: - - __param_target - target_label: instance - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - source_labels: - - __meta_kubernetes_service_name - target_label: service - - honor_labels: true - job_name: kubernetes-pods - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape - - action: drop - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) - replacement: '[$2]:$1' - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: replace - regex: (\d+);((([0-9]+?)(\.|$)){4}) - replacement: $2:$1 - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: pod - - action: drop - regex: Pending|Succeeded|Failed|Completed - source_labels: - - __meta_kubernetes_pod_phase - - honor_labels: true - job_name: kubernetes-pods-slow - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) - replacement: '[$2]:$1' - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: replace - regex: (\d+);((([0-9]+?)(\.|$)){4}) - replacement: $2:$1 - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: pod - - action: drop - regex: Pending|Succeeded|Failed|Completed - source_labels: - - __meta_kubernetes_pod_phase - scrape_interval: 5m - scrape_timeout: 30s - recording_rules.yml: | - {} - rules: | - {} ---- -# Source: prometheus/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - nodes/metrics - - services - - endpoints - - pods - - ingresses - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - - ingresses - verbs: - - get - - list - - watch - - nonResourceURLs: - - "/metrics" - verbs: - - get ---- -# Source: prometheus/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus -subjects: - - kind: ServiceAccount - name: prometheus - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus ---- -# Source: prometheus/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - ports: - - name: http - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - component: "server" - app: prometheus - release: prometheus - sessionAffinity: None - type: "ClusterIP" ---- -# Source: prometheus/templates/deploy.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - selector: - matchLabels: - component: "server" - app: prometheus - release: prometheus - replicas: 1 - strategy: - type: Recreate - rollingUpdate: null - template: - metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - - sidecar.istio.io/inject: "false" - spec: - enableServiceLinks: true - serviceAccountName: prometheus - containers: - - name: prometheus-server-configmap-reload - image: "jimmidyson/configmap-reload:v0.8.0" - imagePullPolicy: "IfNotPresent" - args: - - --volume-dir=/etc/config - - --webhook-url=http://127.0.0.1:9090/-/reload - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - - - name: prometheus-server - image: "prom/prometheus:v2.41.0" - imagePullPolicy: "IfNotPresent" - args: - - --storage.tsdb.retention.time=15d - - --config.file=/etc/config/prometheus.yml - - --storage.tsdb.path=/data - - --web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - - --web.enable-lifecycle - ports: - - containerPort: 9090 - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 4 - failureThreshold: 3 - successThreshold: 1 - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - scheme: HTTP - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 10 - failureThreshold: 3 - successThreshold: 1 - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: /data - subPath: "" - dnsPolicy: ClusterFirst - securityContext: - fsGroup: 65534 - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - terminationGracePeriodSeconds: 300 - volumes: - - name: config-volume - configMap: - name: prometheus - - name: storage-volume - emptyDir: - {} diff --git a/istio-1.18.2/samples/bookinfo/README.md b/istio-1.18.2/samples/bookinfo/README.md deleted file mode 100644 index 7683b21b..00000000 --- a/istio-1.18.2/samples/bookinfo/README.md +++ /dev/null @@ -1,100 +0,0 @@ -# Bookinfo Sample - -See . - -**Note**: We need the owner of the PR to perform the appropriate testing with built/pushed images to their own docker repository before we would build/push images to the official Istio repository. - -## Build docker images - -```bash -cd samples/bookinfo -src/build-services.sh -``` - -Where `` is the tag and `` is the docker registry to tag the images. - -For example: - -```bash -$ src/build-services.sh 1.16.3 docker.io/shamsher31 -Sending build context to Docker daemon 1.218MB -Step 1/16 : FROM python:3.7.7-slim -3.7.7-slim: Pulling from library/python -8559a31e96f4: Pull complete -... -Successfully built 1b293582cc2e -Successfully tagged shamsher31/examples-bookinfo-ratings-v2:1.16.3 -Successfully tagged shamsher31/examples-bookinfo-ratings-v2:latest -``` - -The bookinfo versions are different from Istio versions since the sample should work with any version of Istio. - -## Push docker images to docker hub - -After the local build is successful, you need to update the YAML file with the latest tag that you used during the build eg: `1.16.3`. - -Run the following script to build the docker images, push them to docker hub, and to update the YAML files in one step. - -```bash -./build_push_update_images.sh -``` - -For example: - -```bash -$ ./build_push_update_images.sh 1.16.3 --prefix=shamsher31 -... -1.16.3: digest: sha256:70634d3847a190b9826975c8 size: 3883 -Pushing: shamsher31/examples-bookinfo-reviews-v2:1.16.3 -The push refers to a repository [docker.io/shamsher31/examples-bookinfo-reviews-v2] -... -``` - -Verify that expected tag eg: `1.16.3` is updated in `platform/kube/bookinfo*.yaml` files. - -## Tests - -Test that the bookinfo samples work with the latest tag eg: `1.16.3` that you pushed. - -```bash -$ cd ../../ -$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -serviceaccount/bookinfo-details created -deployment.apps/details-v1 created -serviceaccount/bookinfo-ratings created -... -``` - -Wait for all the pods to be in `Running` start. - -```bash -$ kubectl get pods -NAME READY STATUS RESTARTS AGE -details-v1-7f556f5c6b-485l2 2/2 Running 0 10m -productpage-v1-84c8f95c8d-tlml2 2/2 Running 0 10m -ratings-v1-66777f856b-2ls78 2/2 Running 0 10m -reviews-v1-64c47f4f44-rx642 2/2 Running 0 10m -reviews-v2-66b6b95f44-s5nt6 2/2 Running 0 10m -reviews-v3-7f69dd7fd4-zjvc8 2/2 Running 0 10m -``` - -Once all the pods are in the `Running` state. Test if the bookinfo works through cli. - -```bash -$ kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*" -Simple Bookstore App -``` - -You can also test it by hitting productpage in the browser. - -```bash -http://192.168.39.116:31395/productpage -``` - -You should see the following in the browser. - -![star](https://user-images.githubusercontent.com/2920003/86032538-212ff900-ba55-11ea-9492-d4bc90656a02.png) - -**Note**: If everything works as mentioned above, request a new official set of images be built and pushed from the reviewer, and add another commit to the original PR with the version changes. - -Bookinfo is tested by istio.io integration tests. You can find them under [tests](https://github.com/istio/istio.io/tree/master/tests) in the [istio/istio.io](https://github.com/istio/istio.io) repository. diff --git a/istio-1.18.2/samples/bookinfo/build_push_update_images.sh b/istio-1.18.2/samples/bookinfo/build_push_update_images.sh deleted file mode 100755 index dfdff985..00000000 --- a/istio-1.18.2/samples/bookinfo/build_push_update_images.sh +++ /dev/null @@ -1,130 +0,0 @@ -#!/bin/bash -# -# Copyright 2018 Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit - -display_usage() { - echo - echo "USAGE: ./build_push_update_images.sh [-h|--help] [--prefix=value] [--scan-images] [--multiarch-images]" - echo " version: Version of the sample app images (Required)" - echo " -h|--help: Prints usage information" - echo " --prefix: Use the value as the prefix for image names. By default, 'istio' is used" - echo -e " --scan-images: Enable security vulnerability scans for docker images \n\t\t\trelated to bookinfo sample apps. By default, this feature \n\t\t\tis disabled." - echo -e " --multiarch-images : Enables building and pushing multiarch docker images \n\t\t\trelated to bookinfo sample apps. By default, this feature \n\t\t\tis disabled." -} - -# Print usage information for help -if [[ "$1" == "-h" || "$1" == "--help" ]]; then - display_usage - exit 0 -fi - -# Check if there is at least one input argument -if [[ -z "$1" ]] ; then - echo "Missing version parameter" - display_usage - exit 1 -else - VERSION="$1" - shift -fi - -# Process the input arguments. By default, image scanning is disabled. -PREFIX=istio -ENABLE_IMAGE_SCAN=false -ENABLE_MULTIARCH_IMAGES=false -echo "$@" -for i in "$@" -do - case "$i" in - --prefix=* ) - PREFIX="${i#--prefix=}" ;; - --scan-images ) - ENABLE_IMAGE_SCAN=true ;; - --multiarch-images ) - ENABLE_MULTIARCH_IMAGES=true ;; - -h|--help ) - echo - echo "Build the docker images for bookinfo sample apps, push them to docker hub and update the yaml files." - display_usage - exit 0 ;; - * ) - echo "Unknown argument: $i" - display_usage - exit 1 ;; - esac -done - -# Build docker images -ENABLE_MULTIARCH_IMAGES="${ENABLE_MULTIARCH_IMAGES}" src/build-services.sh "${VERSION}" "${PREFIX}" - -# Currently the `--load` argument does not work for multi arch images -# Remove this once https://github.com/docker/buildx/issues/59 is addressed. -if [[ "${ENABLE_MULTIARCH_IMAGES}" == "false" ]]; then - # Get all the new image names and tags - for v in ${VERSION} "latest" - do - IMAGES+=$(docker images -f reference="${PREFIX}/examples-bookinfo*:$v" --format "{{.Repository}}:$v") - IMAGES+=" " - done - - # Check that $IMAGES contains the images we've just built - if [[ "${IMAGES}" =~ ^\ +$ ]] ; then - echo "Found no images matching prefix \"${PREFIX}/examples-bookinfo\"." - echo "Try running the script without specifying the image registry in --prefix (e.g. --prefix=/foo instead of --prefix=docker.io/foo)." - exit 1 - fi -fi - -# -# Run security vulnerability scanning on bookinfo sample app images using -# trivy. If the image has vulnerabilities, the file will have a .failed -# suffix. A successful scan will have a .passed suffix. -function run_vulnerability_scanning() { - RESULT_DIR="vulnerability_scan_results" - mkdir -p "$RESULT_DIR" - # skip-dir added to prevent timeout of review images - set +e - trivy image --ignore-unfixed --no-progress --exit-code 2 --skip-dirs /opt/ol/wlp --output "$RESULT_DIR/$1_$VERSION.failed" "$2" - test $? -ne 0 || mv "$RESULT_DIR/$1_$VERSION.failed" "$RESULT_DIR/$1_$VERSION.passed" - set -e -} - -# Push images. Scan images if ENABLE_IMAGE_SCAN is true. -for IMAGE in ${IMAGES}; -do - # Multiarch images have already been pushed using buildx build - if [[ "${ENABLE_MULTIARCH_IMAGES}" == "false" ]]; then - echo "Pushing: ${IMAGE}" - docker push "${IMAGE}"; - fi - - # $IMAGE has the following format: istio/examples-bookinfo*:"$v". - # We want to get the sample app name from $IMAGE (the examples-bookinfo* portion) - # to create the file to store the results of the scan for that image. The first - # part of the $IMAGE_NAME gets examples-bookinfo*:"$v", and the second part gets - # 'examples-bookinfo*'. - if [[ "$ENABLE_IMAGE_SCAN" == "true" ]]; then - echo "Scanning ${IMAGE} for security vulnerabilities" - IMAGE_NAME=${IMAGE#*/} - IMAGE_NAME=${IMAGE_NAME%:*} - run_vulnerability_scanning "${IMAGE_NAME}" "${IMAGE}" - fi -done - -# Update image references in the yaml files -find ./platform -name "*bookinfo*.yaml" -exec sed -i.bak "s#image:.*\\(\\/examples-bookinfo-.*\\):.*#image: ${PREFIX//\//\\/}\\1:$VERSION#g" {} + - diff --git a/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml b/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml deleted file mode 100644 index 4edaba40..00000000 --- a/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml +++ /dev/null @@ -1,12 +0,0 @@ -# IOP configuration used to install the demo profile without gateways. -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - profile: demo - components: - ingressGateways: - - name: istio-ingressgateway - enabled: false - egressGateways: - - name: istio-egressgateway - enabled: false diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml deleted file mode 100644 index 3870a4cc..00000000 --- a/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: bookinfo-gateway -spec: - gatewayClassName: istio - listeners: - - name: http - port: 80 - protocol: HTTP - allowedRoutes: - namespaces: - from: Same ---- -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: bookinfo -spec: - parentRefs: - - name: bookinfo-gateway - rules: - - matches: - - path: - type: Exact - value: /productpage - - path: - type: PathPrefix - value: /static - - path: - type: Exact - value: /login - - path: - type: Exact - value: /logout - - path: - type: PathPrefix - value: /api/v1/products - backendRefs: - - name: productpage - port: 9080 diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml deleted file mode 100644 index 9496ed2e..00000000 --- a/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml +++ /dev/null @@ -1,56 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: reviews -spec: - parentRefs: - - kind: Service - name: reviews - port: 9080 - rules: - - backendRefs: - - name: reviews-v1 - port: 9080 ---- -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: productpage -spec: - parentRefs: - - kind: Service - name: productpage - port: 9080 - rules: - - backendRefs: - - name: productpage-v1 - port: 9080 ---- -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: ratings -spec: - parentRefs: - - kind: Service - name: ratings - port: 9080 - rules: - - backendRefs: - - name: ratings-v1 - port: 9080 ---- -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: details -spec: - parentRefs: - - kind: Service - name: details - port: 9080 - rules: - - backendRefs: - - name: details-v1 - port: 9080 ---- diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml deleted file mode 100644 index 76bbea8f..00000000 --- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: reviews -spec: - parentRefs: - - kind: Service - name: reviews - port: 9080 - rules: - - backendRefs: - - name: reviews-v1 - port: 9080 - weight: 50 - - name: reviews-v3 - port: 9080 - weight: 50 diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml deleted file mode 100644 index f74349fe..00000000 --- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: reviews -spec: - parentRefs: - - kind: Service - name: reviews - port: 9080 - rules: - - backendRefs: - - name: reviews-v1 - port: 9080 - weight: 90 - - name: reviews-v2 - port: 9080 - weight: 10 diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml deleted file mode 100644 index 8e11bcd9..00000000 --- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: reviews -spec: - parentRefs: - - kind: Service - name: reviews - port: 9080 - rules: - - backendRefs: - - name: reviews-v1 - port: 9080 diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml deleted file mode 100644 index b5515fd1..00000000 --- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: reviews -spec: - parentRefs: - - kind: Service - name: reviews - port: 9080 - rules: - - backendRefs: - - name: reviews-v3 - port: 9080 diff --git a/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml b/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml deleted file mode 100644 index 948682dc..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: bookinfo-gateway -spec: - # The selector matches the ingress gateway pod labels. - # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress" - selector: - istio: ingressgateway # use istio default controller - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: bookinfo -spec: - hosts: - - "*" - gateways: - - bookinfo-gateway - http: - - match: - - uri: - exact: /productpage - - uri: - prefix: /static - - uri: - exact: /login - - uri: - exact: /logout - - uri: - prefix: /api/v1/products - route: - - destination: - host: productpage - port: - number: 9080 diff --git a/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml b/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml deleted file mode 100644 index 3fa65378..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: cert-manager-gateway - namespace: istio-system -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: cert-manager - namespace: istio-system -spec: - hosts: - - "*" - gateways: - - cert-manager-gateway - http: - - match: - - uri: - prefix: /.well-known/acme-challenge/ - route: - - destination: - host: cert-manager-resolver - port: - number: 8089 diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml deleted file mode 100644 index 2a19c3fb..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml +++ /dev/null @@ -1,74 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: productpage -spec: - host: productpage - trafficPolicy: - tls: - mode: ISTIO_MUTUAL - subsets: - - name: v1 - labels: - version: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: reviews -spec: - host: reviews - trafficPolicy: - tls: - mode: ISTIO_MUTUAL - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - - name: v3 - labels: - version: v3 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: ratings -spec: - host: ratings - trafficPolicy: - tls: - mode: ISTIO_MUTUAL - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - - name: v2-mysql - labels: - version: v2-mysql - - name: v2-mysql-vm - labels: - version: v2-mysql-vm ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: details -spec: - host: details - trafficPolicy: - tls: - mode: ISTIO_MUTUAL - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml deleted file mode 100644 index 96be6993..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml +++ /dev/null @@ -1,62 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: productpage -spec: - host: productpage - subsets: - - name: v1 - labels: - version: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: reviews -spec: - host: reviews - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - - name: v3 - labels: - version: v3 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: ratings -spec: - host: ratings - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - - name: v2-mysql - labels: - version: v2-mysql - - name: v2-mysql-vm - labels: - version: v2-mysql-vm ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: details -spec: - host: details - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml deleted file mode 100644 index 69f30f1d..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: reviews -spec: - host: reviews - trafficPolicy: - loadBalancer: - simple: RANDOM - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - - name: v3 - labels: - version: v3 diff --git a/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml b/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml deleted file mode 100644 index d35e3ac1..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml +++ /dev/null @@ -1,46 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: googleapis -spec: - hosts: - - www.googleapis.com - ports: - - number: 80 - name: http - protocol: HTTP - - number: 443 - name: https - protocol: HTTPS - resolution: DNS ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: rewrite-port-for-googleapis -spec: - hosts: - - www.googleapis.com - http: - - match: - - port: 80 - route: - - destination: - host: www.googleapis.com - port: - number: 443 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: originate-tls-for-googleapis -spec: - host: www.googleapis.com - trafficPolicy: - loadBalancer: - simple: ROUND_ROBIN - portLevelSettings: - - port: - number: 443 - tls: - mode: SIMPLE # initiates HTTPS when accessing www.googleapis.com diff --git a/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml b/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml deleted file mode 100644 index c4550925..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: details -spec: - hosts: - - details - http: - - fault: - abort: - httpStatus: 555 - percentage: - value: 100 - route: - - destination: - host: details - subset: v1 - - route: - - destination: - host: details - subset: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: details -spec: - host: details - subsets: - - name: v1 - labels: - version: v1 \ No newline at end of file diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml deleted file mode 100644 index 6811e31d..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: productpage -spec: - hosts: - - productpage - http: - - route: - - destination: - host: productpage - subset: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - route: - - destination: - host: ratings - subset: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: details -spec: - hosts: - - details - http: - - route: - - destination: - host: details - subset: v1 ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml deleted file mode 100644 index 5f21fa53..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: details -spec: - hosts: - - details - http: - - route: - - destination: - host: details - subset: v2 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml deleted file mode 100644 index 1698ec24..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v3 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - route: - - destination: - host: ratings - subset: v2 ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml deleted file mode 100644 index fdf88270..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v3 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - route: - - destination: - host: ratings - subset: v2-mysql-vm ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml deleted file mode 100644 index 03a700ea..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v3 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - route: - - destination: - host: ratings - subset: v2-mysql ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml deleted file mode 100644 index 51c6fe9c..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - match: - - headers: - end-user: - exact: jason - fault: - abort: - percentage: - value: 100.0 - httpStatus: 500 - route: - - destination: - host: ratings - subset: v1 - - route: - - destination: - host: ratings - subset: v1 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml deleted file mode 100644 index 6c4e19da..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - match: - - headers: - end-user: - exact: jason - fault: - delay: - percentage: - value: 100.0 - fixedDelay: 7s - route: - - destination: - host: ratings - subset: v1 - - route: - - destination: - host: ratings - subset: v1 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml deleted file mode 100644 index aad8c317..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v1 - weight: 50 - - destination: - host: reviews - subset: v3 - weight: 50 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml deleted file mode 100644 index 7304d867..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v1 - weight: 80 - - destination: - host: reviews - subset: v2 - weight: 20 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml deleted file mode 100644 index d211dd16..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v1 - weight: 90 - - destination: - host: reviews - subset: v2 - weight: 10 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml deleted file mode 100644 index fb357136..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - match: - - headers: - end-user: - exact: jason - route: - - destination: - host: reviews - subset: v2 - - route: - - destination: - host: reviews - subset: v3 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml deleted file mode 100644 index ea07efb2..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - match: - - headers: - end-user: - exact: jason - route: - - destination: - host: reviews - subset: v2 - - route: - - destination: - host: reviews - subset: v1 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml deleted file mode 100644 index 7ae7b804..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v2 - weight: 50 - - destination: - host: reviews - subset: v3 - weight: 50 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml deleted file mode 100644 index 5da999d4..00000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v3 diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/README.md b/istio-1.18.2/samples/bookinfo/platform/kube/README.md deleted file mode 100644 index d1189bec..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/README.md +++ /dev/null @@ -1,2 +0,0 @@ -See the [Bookinfo guide](https://istio.io/docs/guides/bookinfo.html) in Istio -docs for instructions on how to run this demo application. diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml deleted file mode 100644 index bce874dc..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml +++ /dev/null @@ -1,37 +0,0 @@ ---- -apiVersion: certmanager.k8s.io/v1alpha1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging - namespace: istio-system -spec: - acme: - # The ACME server URL - server: https://acme-staging-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: stage@istio.io - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-staging - # Enable the HTTP-01 challenge provider - http01: {} ---- -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Certificate -metadata: - name: istio-ingressgateway-certs - namespace: istio-system -spec: - secretName: istio-ingressgateway-certs - issuerRef: - name: letsencrypt-staging - kind: ClusterIssuer - commonName: bookinfo.example.com - dnsNames: - - bookinfo.example.com - acme: - config: - - http01: - ingressClass: none - domains: - - bookinfo.example.com diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml deleted file mode 100644 index 474410c8..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml +++ /dev/null @@ -1,60 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Service -metadata: - name: mongodb - labels: - app: mongodb - service: mongodb -spec: - ports: - - port: 27017 - name: mongo - selector: - app: mongodb ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mongodb-v1 - labels: - app: mongodb - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: mongodb - version: v1 - template: - metadata: - labels: - app: mongodb - version: v1 - spec: - containers: - - name: mongodb - image: docker.io/istio/examples-bookinfo-mongodb:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 27017 - volumeMounts: - - name: data-db - mountPath: /data/db - volumes: - - name: data-db - emptyDir: {} ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml deleted file mode 100644 index e5a0e73c..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml +++ /dev/null @@ -1,48 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Details service v2 -################################################################################################## -apiVersion: apps/v1 -kind: Deployment -metadata: - name: details-v2 - labels: - app: details - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: details - version: v2 - template: - metadata: - labels: - app: details - version: v2 - spec: - containers: - - name: details - image: docker.io/istio/examples-bookinfo-details-v2:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - env: - - name: DO_NOT_ENCRYPT - value: "true" - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml deleted file mode 100644 index 6cb7db36..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Details service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: details - labels: - app: details - service: details -spec: - ports: - - port: 9080 - name: http - selector: - app: details ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: details-v1 - labels: - app: details - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: details - version: v1 - template: - metadata: - labels: - app: details - version: v1 - spec: - containers: - - name: details - image: docker.io/istio/examples-bookinfo-details-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml deleted file mode 100644 index e2143399..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml +++ /dev/null @@ -1,63 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -########################################################################### -# Ingress resource (gateway) -########################################################################## -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: gateway - annotations: - kubernetes.io/ingress.class: "istio" -spec: - rules: - - http: - paths: - - path: /productpage - pathType: Exact - backend: - service: - name: productpage - port: - number: 9080 - - path: /static/ - pathType: Prefix - backend: - service: - name: productpage - port: - number: 9080 - - path: /login - pathType: Exact - backend: - service: - name: productpage - port: - number: 9080 - - path: /logout - pathType: Exact - backend: - service: - name: productpage - port: - number: 9080 - - path: /api/v1/products - pathType: Prefix - backend: - service: - name: productpage - port: - number: 9080 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml deleted file mode 100644 index 073fee46..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml +++ /dev/null @@ -1,79 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Mysql db services -# credentials: root/password -################################################################################################## -apiVersion: v1 -kind: Secret -metadata: - name: mysql-credentials -type: Opaque -data: - rootpasswd: cGFzc3dvcmQ= ---- -apiVersion: v1 -kind: Service -metadata: - name: mysqldb - labels: - app: mysqldb - service: mysqldb -spec: - ports: - - port: 3306 - name: tcp - selector: - app: mysqldb ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mysqldb-v1 - labels: - app: mysqldb - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: mysqldb - version: v1 - template: - metadata: - labels: - app: mysqldb - version: v1 - spec: - containers: - - name: mysqldb - image: docker.io/istio/examples-bookinfo-mysqldb:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 3306 - env: - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: mysql-credentials - key: rootpasswd - args: ["--default-authentication-plugin","mysql_native_password"] - volumeMounts: - - name: var-lib-mysql - mountPath: /var/lib/mysql - volumes: - - name: var-lib-mysql - emptyDir: {} ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml deleted file mode 100644 index 5b65de63..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml +++ /dev/null @@ -1,369 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# This file defines the same services, service accounts, and deployments as bookinfo.yaml with -# added securityContext fields to allow the bookinfo demo to run on a PodSecurityAdmission -# enabled cluster that enforces the baseline policy. -################################################################################################## - -################################################################################################## -# Details service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: details - labels: - app: details - service: details -spec: - ports: - - port: 9080 - name: http - selector: - app: details ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-details - labels: - account: details ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: details-v1 - labels: - app: details - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: details - version: v1 - template: - metadata: - labels: - app: details - version: v1 - spec: - serviceAccountName: bookinfo-details - containers: - - name: details - image: docker.io/istio/examples-bookinfo-details-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true ---- -################################################################################################## -# Ratings service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: ratings - labels: - app: ratings - service: ratings -spec: - ports: - - port: 9080 - name: http - selector: - app: ratings ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-ratings - labels: - account: ratings ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v1 - labels: - app: ratings - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v1 - template: - metadata: - labels: - app: ratings - version: v1 - spec: - serviceAccountName: bookinfo-ratings - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true ---- -################################################################################################## -# Reviews service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: reviews - labels: - app: reviews - service: reviews -spec: - ports: - - port: 9080 - name: http - selector: - app: reviews ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-reviews - labels: - account: reviews ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v1 - labels: - app: reviews - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v1 - template: - metadata: - labels: - app: reviews - version: v1 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v2 - labels: - app: reviews - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v2 - template: - metadata: - labels: - app: reviews - version: v2 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v3 - labels: - app: reviews - version: v3 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v3 - template: - metadata: - labels: - app: reviews - version: v3 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -################################################################################################## -# Productpage services -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: productpage - labels: - app: productpage - service: productpage -spec: - ports: - - port: 9080 - name: http - selector: - app: productpage ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-productpage - labels: - account: productpage ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: productpage-v1 - labels: - app: productpage - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: productpage - version: v1 - template: - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9080" - prometheus.io/path: "/metrics" - labels: - app: productpage - version: v1 - spec: - serviceAccountName: bookinfo-productpage - containers: - - name: productpage - image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - volumes: - - name: tmp - emptyDir: {} ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml deleted file mode 100644 index 61c4b7f1..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Ratings service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: ratings - labels: - app: ratings - service: ratings -spec: - ports: - - port: 9080 - name: http - selector: - app: ratings ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml deleted file mode 100644 index 1024c75c..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml +++ /dev/null @@ -1,55 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v2-mysql-vm - labels: - app: ratings - version: v2-mysql-vm -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v2-mysql-vm - template: - metadata: - labels: - app: ratings - version: v2-mysql-vm - spec: - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - # This assumes you registered your mysql vm as - # istioctl register -n vm mysqldb 1.2.3.4 3306 - - name: DB_TYPE - value: "mysql" - - name: MYSQL_DB_HOST - value: mysqldb.vm.svc.cluster.local - - name: MYSQL_DB_PORT - value: "3306" - - name: MYSQL_DB_USER - value: root - - name: MYSQL_DB_PASSWORD - value: password - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml deleted file mode 100644 index 09c4610a..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v2-mysql - labels: - app: ratings - version: v2-mysql -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v2-mysql - template: - metadata: - labels: - app: ratings - version: v2-mysql - spec: - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - # ratings-v2 will use mongodb as the default db backend. - # if you would like to use mysqldb then you can use this file - # which sets DB_TYPE = 'mysql' and the rest of the parameters shown - # here and also create the # mysqldb service using bookinfo-mysql.yaml - # NOTE: This file is mutually exclusive to bookinfo-ratings-v2.yaml - - name: DB_TYPE - value: "mysql" - - name: MYSQL_DB_HOST - value: mysqldb - - name: MYSQL_DB_PORT - value: "3306" - - name: MYSQL_DB_USER - value: root - - name: MYSQL_DB_PASSWORD - value: password - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml deleted file mode 100644 index a645d19a..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml +++ /dev/null @@ -1,65 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-ratings-v2 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v2 - labels: - app: ratings - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v2 - template: - metadata: - labels: - app: ratings - version: v2 - spec: - serviceAccountName: bookinfo-ratings-v2 - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - # ratings-v2 will use mongodb as the default db backend. - # if you would like to use mysqldb then set DB_TYPE = 'mysql', set - # the rest of the parameters shown here and also create the - # mysqldb service using bookinfo-mysql.yaml - # - name: DB_TYPE #default to - # value: "mysql" - # - name: MYSQL_DB_HOST - # value: mysqldb - # - name: MYSQL_DB_PORT - # value: "3306" - # - name: MYSQL_DB_USER - # value: root - # - name: MYSQL_DB_PASSWORD - # value: password - - name: MONGO_DB_URL - value: mongodb://mongodb:27017/test - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml deleted file mode 100644 index 08c9040d..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Ratings service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: ratings - labels: - app: ratings - service: ratings -spec: - ports: - - port: 9080 - name: http - selector: - app: ratings ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v1 - labels: - app: ratings - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v1 - template: - metadata: - labels: - app: ratings - version: v1 - spec: - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml deleted file mode 100644 index 4acc6b26..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Reviews service v2 -################################################################################################## -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v2 - labels: - app: reviews - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v2 - template: - metadata: - labels: - app: reviews - version: v2 - spec: - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml deleted file mode 100644 index c374bbee..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml +++ /dev/null @@ -1,72 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: reviews-v1 -spec: - ports: - - port: 9080 - name: http - selector: - app: reviews - version: v1 ---- -apiVersion: v1 -kind: Service -metadata: - name: reviews-v2 -spec: - ports: - - port: 9080 - name: http - selector: - app: reviews - version: v2 ---- -apiVersion: v1 -kind: Service -metadata: - name: reviews-v3 -spec: - ports: - - port: 9080 - name: http - selector: - app: reviews - version: v3 ---- -apiVersion: v1 -kind: Service -metadata: - name: productpage-v1 -spec: - ports: - - port: 9080 - name: http - selector: - app: productpage - version: v1 ---- -apiVersion: v1 -kind: Service -metadata: - name: ratings-v1 -spec: - ports: - - port: 9080 - name: http - selector: - app: ratings - version: v1 ---- -apiVersion: v1 -kind: Service -metadata: - name: details-v1 -spec: - ports: - - port: 9080 - name: http - selector: - app: details - version: v1 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml deleted file mode 100644 index 4699e3e7..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml +++ /dev/null @@ -1,347 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# This file defines the services, service accounts, and deployments for the Bookinfo sample. -# -# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments: -# -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -# -# Alternatively, you can deploy any resource separately: -# -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment -################################################################################################## - -################################################################################################## -# Details service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: details - labels: - app: details - service: details -spec: - ports: - - port: 9080 - name: http - selector: - app: details ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-details - labels: - account: details ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: details-v1 - labels: - app: details - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: details - version: v1 - template: - metadata: - labels: - app: details - version: v1 - spec: - serviceAccountName: bookinfo-details - containers: - - name: details - image: docker.io/istio/examples-bookinfo-details-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- -################################################################################################## -# Ratings service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: ratings - labels: - app: ratings - service: ratings -spec: - ports: - - port: 9080 - name: http - selector: - app: ratings ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-ratings - labels: - account: ratings ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v1 - labels: - app: ratings - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v1 - template: - metadata: - labels: - app: ratings - version: v1 - spec: - serviceAccountName: bookinfo-ratings - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- -################################################################################################## -# Reviews service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: reviews - labels: - app: reviews - service: reviews -spec: - ports: - - port: 9080 - name: http - selector: - app: reviews ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-reviews - labels: - account: reviews ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v1 - labels: - app: reviews - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v1 - template: - metadata: - labels: - app: reviews - version: v1 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v2 - labels: - app: reviews - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v2 - template: - metadata: - labels: - app: reviews - version: v2 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v3 - labels: - app: reviews - version: v3 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v3 - template: - metadata: - labels: - app: reviews - version: v3 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -################################################################################################## -# Productpage services -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: productpage - labels: - app: productpage - service: productpage -spec: - ports: - - port: 9080 - name: http - selector: - app: productpage ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-productpage - labels: - account: productpage ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: productpage-v1 - labels: - app: productpage - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: productpage - version: v1 - template: - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9080" - prometheus.io/path: "/metrics" - labels: - app: productpage - version: v1 - spec: - serviceAccountName: bookinfo-productpage - containers: - - name: productpage - image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - securityContext: - runAsUser: 1000 - volumes: - - name: tmp - emptyDir: {} ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh b/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh deleted file mode 100755 index bdf700d1..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh +++ /dev/null @@ -1,85 +0,0 @@ -#!/bin/bash -# -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) - -# only ask if in interactive mode -if [[ -t 0 && -z ${NAMESPACE} ]];then - echo -n "namespace ? [default] " - read -r NAMESPACE -fi - -# verify if the namespace exists, otherwise use default namespace -if [[ -n ${NAMESPACE} ]];then - ns=$(kubectl get namespace "${NAMESPACE}" --no-headers --output=go-template="{{.metadata.name}}" 2>/dev/null) - if [[ -z ${ns} ]];then - echo "NAMESPACE ${NAMESPACE} not found." - NAMESPACE=default - fi -fi - -# if no namespace is provided, use default namespace -if [[ -z ${NAMESPACE} ]];then - NAMESPACE=default -fi - -echo "using NAMESPACE=${NAMESPACE}" - -# clean up Istio traffic management resources that may have been used -protos=( destinationrules virtualservices gateways ) -for proto in "${protos[@]}"; do - for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do - kubectl delete -n "${NAMESPACE}" "$resource"; - done -done - -# clean up Gateway API resources that may have been used -if kubectl get crd gateways.gateway.networking.k8s.io >/dev/null 2>&1; then - protos=( httproutes gateways.gateway.networking.k8s.io ) - for proto in "${protos[@]}"; do - for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do - kubectl delete -n "${NAMESPACE}" "$resource"; - done - done - kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo-versions.yaml" >/dev/null 2>&1 -fi - -OUTPUT=$(mktemp) -export OUTPUT -echo "Application cleanup may take up to one minute" -kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo.yaml" > "${OUTPUT}" 2>&1 -ret=$? -function cleanup() { - rm -f "${OUTPUT}" -} - -trap cleanup EXIT - -if [[ ${ret} -eq 0 ]];then - cat "${OUTPUT}" -else - # ignore NotFound errors - OUT2=$(grep -v NotFound "${OUTPUT}") - if [[ -n ${OUT2} ]];then - cat "${OUTPUT}" - exit ${ret} - fi -fi - -# wait for 30 sec for bookinfo to clean up -sleep 30 - -echo "Application cleanup successful" diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml deleted file mode 100644 index aadba2e0..00000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Productpage services -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: productpage - labels: - app: productpage - service: productpage -spec: - type: NodePort - ports: - - port: 9080 - name: http - selector: - app: productpage ---- diff --git a/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml b/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml deleted file mode 100644 index ef96dc56..00000000 --- a/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml +++ /dev/null @@ -1,88 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: filter-ratelimit - namespace: istio-system -spec: - workloadSelector: - # select by label in the same namespace - labels: - istio: ingressgateway - configPatches: - # The Envoy config you want to modify - - applyTo: HTTP_FILTER - match: - context: GATEWAY - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: envoy.ratelimit - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit - # domain can be anything! Match it to the ratelimter service config - domain: productpage-ratelimit - failure_mode_deny: true - rate_limit_service: - grpc_service: - envoy_grpc: - cluster_name: rate_limit_cluster - timeout: 10s - - applyTo: CLUSTER - match: - cluster: - service: ratelimit.default.svc.cluster.local - patch: - operation: ADD - value: - name: rate_limit_cluster - type: STRICT_DNS - connect_timeout: 10s - lb_policy: ROUND_ROBIN - http2_protocol_options: {} - load_assignment: - cluster_name: rate_limit_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: ratelimit.default.svc.cluster.local - port_value: 8081 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: filter-ratelimit-svc - namespace: istio-system -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: VIRTUAL_HOST - match: - context: GATEWAY - routeConfiguration: - vhost: - name: "" - route: - action: ANY - patch: - operation: MERGE - value: - rate_limits: - - actions: # any actions in here - # Multiple actions nest the descriptors - # - generic_key: - # descriptor_value: "test" - - request_headers: - header_name: ":path" - descriptor_key: "PATH" - # - remote_address: {} - # - destination_cluster: {} \ No newline at end of file diff --git a/istio-1.18.2/samples/bookinfo/src/build-services.sh b/istio-1.18.2/samples/bookinfo/src/build-services.sh deleted file mode 100755 index aa3d6432..00000000 --- a/istio-1.18.2/samples/bookinfo/src/build-services.sh +++ /dev/null @@ -1,103 +0,0 @@ -#!/bin/bash -# -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -ox errexit - -display_usage() { - echo - echo "USAGE: ./build-services.sh [-h|--help]" - echo " -h|--help: Prints usage information" - echo " version: Version of the sample app images (Required)" - echo " prefix: Use the value as the prefix for image names (Required)" -} - -if [ "$#" -ne 2 ]; then - if [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - display_usage - exit 0 - else - echo "Incorrect parameters" "$@" - display_usage - exit 1 - fi -fi - -VERSION=$1 -PREFIX=$2 -SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) - -# Docker build variables -ENABLE_MULTIARCH_IMAGES=${ENABLE_MULTIARCH_IMAGES:-"false"} - -if [ "${ENABLE_MULTIARCH_IMAGES}" == "true" ]; then - PLATFORMS="linux/arm64,linux/amd64" - DOCKER_BUILD_ARGS="docker buildx build --platform ${PLATFORMS} --push" - # Install QEMU emulators - docker run --rm --privileged tonistiigi/binfmt --install all - docker buildx rm multi-builder || : - docker buildx create --use --name multi-builder --platform ${PLATFORMS} - docker buildx use multi-builder -else - DOCKER_BUILD_ARGS="docker build" -fi - -pushd "$SCRIPTDIR/productpage" - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-productpage-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-productpage-v1:latest" . - # flooding - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-productpage-v-flooding:${VERSION}" -t "${PREFIX}/examples-bookinfo-productpage-v-flooding:latest" --build-arg flood_factor=100 . -popd - -pushd "$SCRIPTDIR/details" - # plain build -- no calling external book service to fetch topics - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-details-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-details-v1:latest" --build-arg service_version=v1 . - # with calling external book service to fetch topic for the book - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-details-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-details-v2:latest" --build-arg service_version=v2 \ - --build-arg enable_external_book_service=true . -popd - - -pushd "$SCRIPTDIR/reviews" - # java build the app. - docker run --rm -u root -v "$(pwd)":/home/gradle/project -w /home/gradle/project gradle:4.8.1 gradle clean build - - pushd reviews-wlpcfg - # plain build -- no ratings - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v1:latest" --build-arg service_version=v1 . - # with ratings black stars - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v2:latest" --build-arg service_version=v2 \ - --build-arg enable_ratings=true . - # with ratings red stars - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v3:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v3:latest" --build-arg service_version=v3 \ - --build-arg enable_ratings=true --build-arg star_color=red . - popd -popd - -pushd "$SCRIPTDIR/ratings" - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v1:latest" --build-arg service_version=v1 . - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v2:latest" --build-arg service_version=v2 . - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-faulty:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-faulty:latest" --build-arg service_version=v-faulty . - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-delayed:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-delayed:latest" --build-arg service_version=v-delayed . - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-unavailable:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-unavailable:latest" --build-arg service_version=v-unavailable . - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-unhealthy:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-unhealthy:latest" --build-arg service_version=v-unhealthy . -popd - -pushd "$SCRIPTDIR/mysql" - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-mysqldb:${VERSION}" -t "${PREFIX}/examples-bookinfo-mysqldb:latest" . -popd - -pushd "$SCRIPTDIR/mongodb" - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-mongodb:${VERSION}" -t "${PREFIX}/examples-bookinfo-mongodb:latest" . -popd diff --git a/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json b/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json deleted file mode 100644 index b4563b50..00000000 --- a/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json +++ /dev/null @@ -1,2 +0,0 @@ -{rating: 5} -{rating: 4} diff --git a/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh b/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh deleted file mode 100644 index 7e230ee5..00000000 --- a/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -e -mongoimport --host localhost --db test --collection ratings --drop --file /app/data/ratings_data.json diff --git a/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt b/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt deleted file mode 100644 index 5e5ddf22..00000000 --- a/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt +++ /dev/null @@ -1,32 +0,0 @@ -certifi==2022.12.7 -chardet==3.0.4 -Click==7.0 -contextlib2==0.5.5 -dominate==2.3.5 -Flask==2.1.1 -Flask-Bootstrap==3.3.7.1 -Flask-JSON==0.3.3 -future==0.17.1 -futures==3.1.1 -gevent==21.12.0 -greenlet==1.1.2 -idna==2.8 -itsdangerous==1.1.0 -jaeger-client==3.13.0 -Jinja2==2.11.3 -json2html==1.2.1 -MarkupSafe==0.23 -nose==1.3.7 -opentracing==1.2.2 -opentracing-instrumentation==2.4.3 -prometheus-client==0.15.0 -requests==2.28.1 -simplejson==3.16.0 -six==1.12.0 -threadloop==1.0.2 -thrift==0.11.0 -tornado==5.1 -urllib3==1.26.5 -visitor==0.1.3 -Werkzeug==2.2.3 -wrapt==1.11.1 diff --git a/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt b/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt deleted file mode 100644 index f756640f..00000000 --- a/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt +++ /dev/null @@ -1 +0,0 @@ -requests-mock==1.5.2 diff --git a/istio-1.18.2/samples/bookinfo/src/ratings/package.json b/istio-1.18.2/samples/bookinfo/src/ratings/package.json deleted file mode 100644 index f0498224..00000000 --- a/istio-1.18.2/samples/bookinfo/src/ratings/package.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "scripts": { - "start": "node ratings.js" - }, - "dependencies": { - "httpdispatcher": "1.0.0", - "mongodb": "^3.6.0", - "mysql": "^2.15.0" - }, - "private": true -} diff --git a/istio-1.18.2/samples/bookinfo/swagger.yaml b/istio-1.18.2/samples/bookinfo/swagger.yaml deleted file mode 100644 index 6782e732..00000000 --- a/istio-1.18.2/samples/bookinfo/swagger.yaml +++ /dev/null @@ -1,248 +0,0 @@ -swagger: "2.0" -info: - description: "This is the API of the Istio BookInfo sample application." - version: "1.0.0" - title: "BookInfo API" - termsOfService: "https://istio.io/" - license: - name: "Apache 2.0" - url: "http://www.apache.org/licenses/LICENSE-2.0.html" -basePath: "/api/v1" -tags: -- name: "product" - description: "Information about a product (in this case a book)" -- name: "review" - description: "Review information for a product" -- name: "rating" - description: "Rating information for a product" -externalDocs: - description: "Learn more about the Istio BookInfo application" - url: "https://istio.io/docs/samples/bookinfo.html" -paths: - /products: - get: - tags: - - "product" - summary: "List all products" - description: "List all products available in the application with a minimum amount of information." - operationId: "getProducts" - consumes: - - "application/json" - produces: - - "application/json" - responses: - 200: - description: "successful operation" - schema: - type: "array" - items: - $ref: "#/definitions/Product" - /products/{id}: - get: - tags: - - "product" - summary: "Get individual product" - description: "Get detailed information about an individual product with the given id." - operationId: "getProduct" - consumes: - - "application/json" - produces: - - "application/json" - parameters: - - name: "id" - in: "path" - description: "Product id" - required: true - type: "integer" - format: "int32" - responses: - 200: - description: "successful operation" - schema: - $ref: "#/definitions/ProductDetails" - 400: - description: "Invalid product id" - /products/{id}/reviews: - get: - tags: - - "review" - summary: "Get reviews for a product" - description: "Get reviews for a product, including review text and possibly ratings information." - operationId: "getProductReviews" - consumes: - - "application/json" - produces: - - "application/json" - parameters: - - name: "id" - in: "path" - description: "Product id" - required: true - type: "integer" - format: "int32" - responses: - 200: - description: "successful operation" - schema: - $ref: "#/definitions/ProductReviews" - 400: - description: "Invalid product id" - /products/{id}/ratings: - get: - tags: - - "rating" - summary: "Get ratings for a product" - description: "Get ratings for a product, including stars and their color." - operationId: "getProductRatings" - consumes: - - "application/json" - produces: - - "application/json" - parameters: - - name: "id" - in: "path" - description: "Product id" - required: true - type: "integer" - format: "int32" - responses: - 200: - description: "successful operation" - schema: - $ref: "#/definitions/ProductRatings" - 400: - description: "Invalid product id" - - -definitions: - Product: - type: "object" - description: "Basic information about a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - title: - type: "string" - description: "Title of the book" - descriptionHtml: - type: "string" - description: "Description of the book - may contain HTML tags" - required: - - "id" - - "title" - - "descriptionHtml" - ProductDetails: - type: "object" - description: "Detailed information about a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - publisher: - type: "string" - description: "Publisher of the book" - language: - type: "string" - description: "Language of the book" - author: - type: "string" - description: "Author of the book" - ISBN-10: - type: "string" - description: "ISBN-10 of the book" - ISBN-13: - type: "string" - description: "ISBN-13 of the book" - year: - type: "integer" - format: "int32" - description: "Year the book was first published in" - type: - type: "string" - enum: - - "paperback" - - "hardcover" - description: "Type of the book" - pages: - type: "integer" - format: "int32" - description: "Number of pages of the book" - required: - - "id" - - "publisher" - - "language" - - "author" - - "ISBN-10" - - "ISBN-13" - - "year" - - "type" - - "pages" - ProductReviews: - type: "object" - description: "Object containing reviews for a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - reviews: - type: "array" - description: "List of reviews" - items: - $ref: "#/definitions/Review" - required: - - "id" - - "reviews" - Review: - type: "object" - description: "Review of a product" - properties: - reviewer: - type: "string" - description: "Name of the reviewer" - text: - type: "string" - description: "Review text" - rating: - $ref: "#/definitions/Rating" - required: - - "reviewer" - - "text" - Rating: - type: "object" - description: "Rating of a product" - properties: - stars: - type: "integer" - format: "int32" - minimum: 1 - maximum: 5 - description: "Number of stars" - color: - type: "string" - enum: - - "red" - - "black" - description: "Color in which stars should be displayed" - required: - - "stars" - - "color" - ProductRatings: - type: "object" - description: "Object containing ratings of a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - ratings: - type: "object" - description: "A hashmap where keys are reviewer names, values are number of stars" - additionalProperties: - type: "string" - required: - - "id" - - "ratings" \ No newline at end of file diff --git a/istio-1.18.2/samples/certs/README.md b/istio-1.18.2/samples/certs/README.md deleted file mode 100644 index 6daeaab4..00000000 --- a/istio-1.18.2/samples/certs/README.md +++ /dev/null @@ -1,34 +0,0 @@ -# Istio plugin CA sample certificates - -This directory contains sample pre-generated certificate and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such -a deployment, Citadel acts as an intermediate certificate authority (CA), under the given root CA. -Instructions are available [here](https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/). - -The included sample files are: - -- `root-cert.pem`: root CA certificate. -- `root-cert-alt.pem`: alterative CA certificate. -- `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key. -- `ca-[cert-alt|key-alt].pem`: alternative intermediate certificate and corresponding private key. -- `cert-chain.pem`: certificate trust chain. -- `cert-chain-alt.pem`: alternative certificate chain. -- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`. -- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`. -- `workload-foo-root-certs.pem`: root and intermediate CA certificates for foo workload certificate. -- `workload-bar-root-certs.pem`: root and intermediate CA certificates for bar workload certificate. -- `leaf-workload-foo-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo`. -- `leaf-workload-bar-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar`. - -The workload cert and key are generated by: - -```shell script - ./generate-workload.sh foo - ./generate-workload.sh bar -``` - -To generate certs signed by the alternative root `root-cert-alt.pem` - -```shell script -./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root -./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root -``` diff --git a/istio-1.18.2/samples/certs/ca-cert-alt.pem b/istio-1.18.2/samples/certs/ca-cert-alt.pem deleted file mode 100644 index b790d1d2..00000000 --- a/istio-1.18.2/samples/certs/ca-cert-alt.pem +++ /dev/null @@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFVjCCAz6gAwIBAgIUPTPKZWcaC54iCXmHXS7VUFrQpJswDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw -MDM1NjM3WhcNMzMwMjE3MDM1NjM3WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE -AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAJcfHGT0wipRUckkWR1GXs51+Tl017K1Yza4 -eExg+iEFFmzGW/qpH+g2uUk8g/fqEOQrFbtQsFZgH/PtqJDM19tM+sVj9MWVNHTu -f8yb9pjP2Y6O6xTySAYfnZFwfdOt7ewFRBXu+vHKpPzXrrJdJWQG+NoPuYLany5a -I2hgHxPOCKxYlwbyjwdN8PgUlcj7m/bEW3rhwkyWBIw/Cp+/YZIwxCSWl1MBDrjw -srzrVmM+76BJO4twKjqtJR7+j6PSNk7NDjSCItfmtCNDSiSfaPWPwmhTkGPov6Bd -PopnkoGgqDtSBqBRMuS0sEMhjsI2/e2+X6+musRYdTgxSSy2LEg3//nETbC4c+q5 -TrgOTerjO0J28i3iBSS5PVDYr63v02C35Tyn38TRgmp/QETkYAfITrcSnZnTQoR4 -4Nnd8d5qw6XN3cRR/R9A4cccaTAmNVDm+iZk1jNiV6sJ/P1fDHDQACPpyYntduy0 -UCUHeaasbFdfl4eST9/uPALZygS9se7tjm7xTFZcQ7wGqu2DOMWw6ocPL/Mv6nX9 -NJpY98qCAwhE29LUqq+ptDhSQZCVh5dfrrx9nA3UmANylO6AXNc3oxerS6izJLe5 -bQA4FHIZQeqyWqPR+wEpyEUgO1N6+uMlviwMvchAHGYXbzH3o6Z/mOuunn/MVbGW -f0wU2+9lAgMBAAGjaTBnMB0GA1UdDgQWBBTfaZR3DtzO/E6WWIgn2snHJL/BRzAS -BgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdp -c3Rpb2QuaXN0aW8tc3lzdGVtLnN2YzANBgkqhkiG9w0BAQsFAAOCAgEAPxOeQAxC -dEkFQgdmUl/6g6PbqNardN63rzt3el3gVC27RtctI9RgyAOS9Yw/GodQTfao2k1a -WcdqdmK12/eTBccuoJCDuHQx5NgCnIciaOcjE/IdCkNAtZY8T3mRJ0avnm0nxVwo -A3o313NzpJJuZAco8RlaIeM6o7jxD3Z9Pi70xegYwMdopGgm1eVg3kL/TzGhVHty -tFHIuc8LZijQmxFcez28o/eDc5obCRjTOJOe0LYF7CmpkiGiEU0VmfG+iW3rZBKw -JM9/P0dWZZMzaSeDHVWBJPeEZJmKmp2SVtL+4flTj2cQjaboFYINggIO7MzUufcr -xeJ/A2sR2z4zJxBWtiTo5wB7uZju09l6Be4r8p/4OtAxBr/4zSo1iZ7rEyP5wS+k -KevhhHfsnZ/YVEFUcaNqSgJddXjM1RSIssJywvIwQh/6VlUlLNYW/89nEcd+agYz -kBazZIQOUefnvMnEWWlZovabqwVEPBhJ74zTtOn1Z333GnomjJK2vHh5cVMbqxD1 -sTgFx1W+RICgctPWAJxbxOhWunX6edXY1q0pb/dMnAqyIxRg32TEHrHXMCVEP5Hk -Vf6HHDDV7UKhq+S3PVOdo6MHimz6OZenA8cgjyf4jrkd25MrXXL4ergzMEliRg2D -wa4gQqdWzPHE8uCBSAWEAxZCMJ2l2vULltU= ------END CERTIFICATE----- \ No newline at end of file diff --git a/istio-1.18.2/samples/certs/ca-cert.pem b/istio-1.18.2/samples/certs/ca-cert.pem deleted file mode 100644 index a460e036..00000000 --- a/istio-1.18.2/samples/certs/ca-cert.pem +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/ca-key-alt.pem b/istio-1.18.2/samples/certs/ca-key-alt.pem deleted file mode 100644 index 872543dd..00000000 --- a/istio-1.18.2/samples/certs/ca-key-alt.pem +++ /dev/null @@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEAlx8cZPTCKlFRySRZHUZeznX5OXTXsrVjNrh4TGD6IQUWbMZb -+qkf6Da5STyD9+oQ5CsVu1CwVmAf8+2okMzX20z6xWP0xZU0dO5/zJv2mM/Zjo7r -FPJIBh+dkXB9063t7AVEFe768cqk/Neusl0lZAb42g+5gtqfLlojaGAfE84IrFiX -BvKPB03w+BSVyPub9sRbeuHCTJYEjD8Kn79hkjDEJJaXUwEOuPCyvOtWYz7voEk7 -i3AqOq0lHv6Po9I2Ts0ONIIi1+a0I0NKJJ9o9Y/CaFOQY+i/oF0+imeSgaCoO1IG -oFEy5LSwQyGOwjb97b5fr6a6xFh1ODFJLLYsSDf/+cRNsLhz6rlOuA5N6uM7Qnby -LeIFJLk9UNivre/TYLflPKffxNGCan9ARORgB8hOtxKdmdNChHjg2d3x3mrDpc3d -xFH9H0DhxxxpMCY1UOb6JmTWM2JXqwn8/V8McNAAI+nJie127LRQJQd5pqxsV1+X -h5JP3+48AtnKBL2x7u2ObvFMVlxDvAaq7YM4xbDqhw8v8y/qdf00mlj3yoIDCETb -0tSqr6m0OFJBkJWHl1+uvH2cDdSYA3KU7oBc1zejF6tLqLMkt7ltADgUchlB6rJa -o9H7ASnIRSA7U3r64yW+LAy9yEAcZhdvMfejpn+Y666ef8xVsZZ/TBTb72UCAwEA -AQKCAgAkT5pf+5uH1YBER1KOQTFYhGo8zwFg9EqBhHOLTqXrNzC7NDI3mVmMT1HX -8g13jSs/18Zh+rJUHsaussUU/dND40xCD5FpxD8VdZUJkdP/xbltkpOTtd9ucTxI -DPJ+4UTQuDcy2fg8Dsfz5NMaEl2AmlhC9RJLCcLDvW7Sjn4JITFeT+8CAVgylhy3 -TyLqZuKDuYyNix9HjahMFn20AqUsHkGS1QhJLnDeKR+ZWyantCCZr9750xqifKX1 -u47B+ymHZ6fpH/fFTq6r5mgzQoZSspcwwBtqlistGhqD4P0H3pVto3jqHniPEYdk -qfSGX/ZFoL+XEgXAVczckqMVdjRPS3eq23xLlp3kkSN7I1JVGxfEbatVUSy+WBT6 -IatSXUenbloD9NTcE2v08OTLG2xgAFNl6gC4kTxEnJuXAccFIMXMrbcmiZh4xZxq -SLv/HwRENy3MjE3WMocAZ7ypfUbKEIsVYMaTvyQzXEr7yyTT9qpL2gJRCqaimUbb -YoUXc/RreGgDY3S5S6OETdFXHeps2ObTXUqMWU1pF+X1lKA5c2H7bl5PBRu0KJ9s -uPEln0tmZ02299S1ropCeqjA7YQcrqQnEsbIwt64pynRnFCUJyTSYmUX1C/ewYIa -2AC7CiMQf7eBUZlTuR9G6zqhimEqgd0ZIPvOvDzkBWG51WrMJQKCAQEAxWgZ4jzQ -RBTfXRIpjFZ93KM2Jy8RCDPesTnXvPK73h7AyvMx32ygm6j0m6yUHV8RN75CE2rM -Vb1ogeL1LHgFjZLsM+3SrQUSfW7uZZ4+Fkm/JYF4Qmflch4jJH4MnPy/HgO75nRs -ai2xMil8YnR8QZFpvTrutRkTRK6bSm8N98vjV+bbVw8eFL/dVgLHpdHTLoFBo4Zd -o7CaA4Aje8AabeWd7Yp0cjTGWHWLHFzxDnD9gfWN5eL8ay1QZwW3BFUw+eLuIrRu -UbC54e8RK0lXSAwbGCbof8+nfd7i+vh4lwM5D0HLMmmvpRs5+2BVuOI8gwtxxrwn -T4SFlIEdRRjxDwKCAQEAw/oLsYDrVPzATQkQ6Kec7ayGBWf9+G209MKOHkRNJdC0 -kms7yMckqTWEs5tMgBD8V0BrajmB8cbjR0g6Fe2M2W+mFZ+x55Lw8j/qNEbHKNor -p3W50leiSlWbntuaIAnzKDR2QamtEToz6IhMG3mtpxVZBf+fRRoaB/dK098BGHQ9 -J7uTeydf19kwGZoaVZ1EGSsVZTGMQEsNhZzFHbqOUaxiD3+UykyIZ1hO8jNlTdB0 -6yqBbgdetcb1Op6vFVVWswxMeJzDUc5S1ehGYXkthHHbIAXAy4iBEo+fVdxFs5nZ -zk3uauyyKZQ7qM2Cu8sa5TrsRd4GncKNdubNO/2wSwKCAQEAspMiXxMuP3g2OsZU -SXxwbOhD85xTJv1tJRszOtzF8AAX3T+0TO3COC3V4QF0F0HJnIiC03fYEnO+F0lN -CoYkV9ahz7QC0bt153wzMj+84IKj5HTDaib8W4hBuCBCnrzQ0oEEOEv3SvG8iqkW -uSWwxcuaQLEQAUkGsinVlrbxhsitBvZyUsX9Kz4JJmZrXmh6RmZtD1VcXdhC6om/ -D5JPFj0R6TFHd4ygJKNoTScSdULnQOn2DBCS0Q1z304/Ki86l8KeM0zPQxzAek6+ -VE8LIsS4uddwmTYqyOWYpPmidNFYi6G0BA2w84W2pNyXjyExJkZzDRll4jv6bsWB -yeDvJwKCAQEAvp/CrgbLYaB0YLpX0yXudBUjS7DqjbIQmR+BY5lmPUkzy1Q5E8P5 -OgnPqXB+yfc7rJcBpJKJfibKPjTYIyosnfeG4nOydaEtc0WORwktgeQtIDdX52zM -dGeu9qd+1Hk5JrtY5+fmauJlSWMCPJtvuRz/ueD6CBoqheMZytqY0zOFpNdEzj7v -cCJXMh/+S5asfZq1tferB4K5hWSHK7Kh6nm17INZtCkbaQKxz88EU9tXTsPKn77V -dhUvxbRCc4rNyV1GKO+64SDC3ESR6RAYoUKqNQzDinadrfM7tiWLOvaEsLKHHURc -zCremQRFjOsznxNgbVlYsC1ksuovaZIK3wKCAQAHEUZJwbsr1FJ0qmBOjY6ZbssG -icHEweWdXlxaFKjXj+iRdUWRRnmZRhNB1jMCub1jqXweoAnhq3xq3DyVMe0oZMrh -7C5zzsiJYdOuv+PKw0jm+/jylyVxS9FYv++gBZvAwMUt1NFgNgSb2Que+hVPXfwW -MVaVRCKaA38e18WjNeILOTVD0+NeViAaxhBZPz3kTIuLEPiRJxxeC9XQbjPkUz6k -iDxGSc+Epi+TcOqtYjCC/jQiHExcZD3vlIcnXH3tX/mnPdnM8rPnVoEmx/VUHnq1 -/4JPVP8XBMQABRG3BWgn2OqJiPssLk5DukomAWGxSXzGVjUIaxWzwyFD+ZTR ------END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/istio-1.18.2/samples/certs/ca-key.pem b/istio-1.18.2/samples/certs/ca-key.pem deleted file mode 100644 index faa77f38..00000000 --- a/istio-1.18.2/samples/certs/ca-key.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy1 -3XIQk8/u/By9iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3Hzd -Rw+SBhXlsh9zAPZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSd -PrFx6EyMXl7KM8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLs -ar69PgFS0TomESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJ -t/h8yspS1ck8LJtCole9919umByg5oruflqIlQIDAQABAoIBAGZI8fnUinmd5R6B -C941XG3XFs6GAuUm3hNPcUFuGnntmv/5I0gBpqSyFO0nDqYg4u8Jma8TTCIkmnFN -ogIeFU+LiJFinR3GvwWzTE8rTz1FWoaY+M9P4ENd/I4pVLxUPuSKhfA2ChAVOupU -8F7D9Q/dfBXQQCT3VoUaC+FiqjL4HvIhji1zIqaqpK7fChGPraC/4WHwLMNzI0Zg -oDdAanwVygettvm6KD7AeKzhK94gX1PcnsOi3KuzQYvkenQE1M6/K7YtEc5qXCYf -QETj0UCzB55btgdF36BGoZXf0LwHqxys9ubfHuhwKBpY0xg2z4/4RXZNhfIDih3w -J3mihcECgYEA6FtQ0cfh0Zm03OPDpBGc6sdKxTw6aBDtE3KztfI2hl26xHQoeFqp -FmV/TbnExnppw+gWJtwx7IfvowUD8uRR2P0M2wGctWrMpnaEYTiLAPhXsj69HSM/ -CYrh54KM0YWyjwNhtUzwbOTrh1jWtT9HV5e7ay9Atk3UWljuR74CFMUCgYEA392e -DVoDLE0XtbysmdlfSffhiQLP9sT8+bf/zYnr8Eq/4LWQoOtjEARbuCj3Oq7bP8IE -Vz45gT1mEE3IacC9neGwuEa6icBiuQi86NW8ilY/ZbOWrRPLOhk3zLiZ+yqkt+sN -cqWx0JkIh7IMKWI4dVQgk4I0jcFP7vNG/So4AZECgYEA426eSPgxHQwqcBuwn6Nt -yJCRq0UsljgbFfIr3Wfb3uFXsntQMZ3r67QlS1sONIgVhmBhbmARrcfQ0+xQ1SqO -wqnOL4AAd8K11iojoVXLGYP7ssieKysYxKpgPE8Yru0CveE9fkx0+OGJeM2IO5hY -qHAoTt3NpaPAuz5Y3XgqaVECgYA0TONS/TeGjxA9/jFY1Cbl8gp35vdNEKKFeM5D -Z7h+cAg56FE8tyFyqYIAGVoBFL7WO26mLzxiDEUfA/0Rb90c2JBfzO5hpleqIPd5 -cg3VR+cRzI4kK16sWR3nLy2SN1k6OqjuovVS5Z3PjfI3bOIBz0C5FY9Pmt0g1yc7 -mDRzcQKBgQCXWCZStbdjewaLd5u5Hhbw8tIWImMVfcfs3H1FN669LLpbARM8RtAa -8dYwDVHmWmevb/WX03LiSE+GCjCBO79fa1qc5RKAalqH/1OYxTuvYOeTUebSrg8+ -lQFlP2OC4GGolKrN6HVWdxtf+F+SdjwX6qGCfYkXJRLYXIFSFjFeuw== ------END RSA PRIVATE KEY----- diff --git a/istio-1.18.2/samples/certs/cert-chain-alt.pem b/istio-1.18.2/samples/certs/cert-chain-alt.pem deleted file mode 100644 index dbbd5039..00000000 --- a/istio-1.18.2/samples/certs/cert-chain-alt.pem +++ /dev/null @@ -1,61 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFVjCCAz6gAwIBAgIUPTPKZWcaC54iCXmHXS7VUFrQpJswDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw -MDM1NjM3WhcNMzMwMjE3MDM1NjM3WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE -AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAJcfHGT0wipRUckkWR1GXs51+Tl017K1Yza4 -eExg+iEFFmzGW/qpH+g2uUk8g/fqEOQrFbtQsFZgH/PtqJDM19tM+sVj9MWVNHTu -f8yb9pjP2Y6O6xTySAYfnZFwfdOt7ewFRBXu+vHKpPzXrrJdJWQG+NoPuYLany5a -I2hgHxPOCKxYlwbyjwdN8PgUlcj7m/bEW3rhwkyWBIw/Cp+/YZIwxCSWl1MBDrjw -srzrVmM+76BJO4twKjqtJR7+j6PSNk7NDjSCItfmtCNDSiSfaPWPwmhTkGPov6Bd -PopnkoGgqDtSBqBRMuS0sEMhjsI2/e2+X6+musRYdTgxSSy2LEg3//nETbC4c+q5 -TrgOTerjO0J28i3iBSS5PVDYr63v02C35Tyn38TRgmp/QETkYAfITrcSnZnTQoR4 -4Nnd8d5qw6XN3cRR/R9A4cccaTAmNVDm+iZk1jNiV6sJ/P1fDHDQACPpyYntduy0 -UCUHeaasbFdfl4eST9/uPALZygS9se7tjm7xTFZcQ7wGqu2DOMWw6ocPL/Mv6nX9 -NJpY98qCAwhE29LUqq+ptDhSQZCVh5dfrrx9nA3UmANylO6AXNc3oxerS6izJLe5 -bQA4FHIZQeqyWqPR+wEpyEUgO1N6+uMlviwMvchAHGYXbzH3o6Z/mOuunn/MVbGW -f0wU2+9lAgMBAAGjaTBnMB0GA1UdDgQWBBTfaZR3DtzO/E6WWIgn2snHJL/BRzAS -BgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdp -c3Rpb2QuaXN0aW8tc3lzdGVtLnN2YzANBgkqhkiG9w0BAQsFAAOCAgEAPxOeQAxC -dEkFQgdmUl/6g6PbqNardN63rzt3el3gVC27RtctI9RgyAOS9Yw/GodQTfao2k1a -WcdqdmK12/eTBccuoJCDuHQx5NgCnIciaOcjE/IdCkNAtZY8T3mRJ0avnm0nxVwo -A3o313NzpJJuZAco8RlaIeM6o7jxD3Z9Pi70xegYwMdopGgm1eVg3kL/TzGhVHty -tFHIuc8LZijQmxFcez28o/eDc5obCRjTOJOe0LYF7CmpkiGiEU0VmfG+iW3rZBKw -JM9/P0dWZZMzaSeDHVWBJPeEZJmKmp2SVtL+4flTj2cQjaboFYINggIO7MzUufcr -xeJ/A2sR2z4zJxBWtiTo5wB7uZju09l6Be4r8p/4OtAxBr/4zSo1iZ7rEyP5wS+k -KevhhHfsnZ/YVEFUcaNqSgJddXjM1RSIssJywvIwQh/6VlUlLNYW/89nEcd+agYz -kBazZIQOUefnvMnEWWlZovabqwVEPBhJ74zTtOn1Z333GnomjJK2vHh5cVMbqxD1 -sTgFx1W+RICgctPWAJxbxOhWunX6edXY1q0pb/dMnAqyIxRg32TEHrHXMCVEP5Hk -Vf6HHDDV7UKhq+S3PVOdo6MHimz6OZenA8cgjyf4jrkd25MrXXL4ergzMEliRg2D -wa4gQqdWzPHE8uCBSAWEAxZCMJ2l2vULltU= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFFDCCAvygAwIBAgIUXl9kIYp2G+37cwt+ruWqmKHpFVkwDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw -MDM1NjI2WhcNMzMwMjE3MDM1NjI2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE -AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMS9oq7l -OR+vqj+99FcquCZiZB9d3AGmn4CUIzUsHLKwG/H4OZucHNaI+C/2IE+cHpqHq1RV -XqOdE5fMoBsHTjRN24K/WMHVr76IiTdla3e5OGvb8XtFTqH80bPcahWU6J5SKaP5 -nuj6D0OCDuPgV5fDNkMBp6qH3b+zbSBLDKLyepMeHUdfUXKuUjAFCRzPuKuCzJy+ -xNHu61OuRzILSUL7O8kTSK/1iz0mIFAqSxeS6AFDGsQIJRhKEhQSbmH924dGGQ5p -7bm8mFEYPYzyEw7l6zqaEKYEzoVhQrulJzUEVITVK9npW/GAREQK8KcabCakJf6L -wiTMZkWzrY2h7d7U/4Ib/7N3/1HREG6rLjZy08owaf09PNhKE1eqc32rwcJUdbsq -PiRqPRuIuGtNG69/CT+4I7liKoErJrxy4GfAxLRcFrkTA9Smo8lHsShbW/RvCEdr -2eXHolxmfgogDr3kYkrG3jYgUyYqaNIdasVQwRkfQByQpxp3ItL66NLLd1jn9ImO -IHAfWF2CCXdJtXKzksswOs/UW8gu8Y33YzfHZMxRQu5MlDEgKR6TJMDymYVedFAf -BeqpJepIN4zhpV/DnfC4qfhKf5KWCPWHkZgOKwl6sxOVk25ozDeiatXMfHFztTJI -1hWRF9cQNWdmHwVx19Yi2VfMwpgsnLDbeb+/AgMBAAGjQjBAMB0GA1UdDgQWBBQV -XzlSBYPXo+qiYX/1gUkx+t9GrTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAQj5EFGuY8jnXsvrcDEyo3kl+GAar60p3 -OB8BvMQzywYzmalztRluQr77dsTCDo9w+SL7/AKsJqljNJmzQg0Yst0YzPFAFUgt -8PdCFDgjuSfzlrKukcRj7yd2rzs+MQP3amOuWIj5gq7lUWAPNMp0bhU1lIS2eAk7 -Ew8s4BkgMI2fW8z22uEw49j+720n9q3xIpmfGA7SISe32Z3bu10fXrsIii++Zo9p -ItX7B5pKaLCwANjUejzC3NZ5HdL+yV9dXWXrVZrTvdFxRiqhNJtV64YTsSH+kVp8 -cCYyNA90CBVQU8ZyomNnOxqOsrBL1NvZllBmX1f3SnVa2Kw+RxJLtEx9lmKT3aiX -v0kPPhoU+qpA3eOVvbT0CbSBEl56wclPMd7xYMykkNU/AVc3lZ7YFcjb19YNxzff -AKktnJrFx3FHf03aeAnvJ35FxitrcpV4NvLvq5ViCHVw6IMO5h274Z/HoGHVvcle -OPtLRiI5Fkaexa6Y/+SPMDFsCfQJzL4ZWmnGSA+Z6YMD5atviQGEbSP4bCwIgOax -dsSyRo1cTRaOVCGVxed/s+ChbRnvljPd35zl79o+1zOOxJ2ttswYJRkjSsvn+BCL -GZj8c/5MkLtTwvL62wZVhCIHtZoS4LNUqdkyYvRJMZTV72YuEPTfl8NKhmMislqR -5LPKUi9adm4= ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/cert-chain.pem b/istio-1.18.2/samples/certs/cert-chain.pem deleted file mode 100644 index a460e036..00000000 --- a/istio-1.18.2/samples/certs/cert-chain.pem +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/generate-workload.sh b/istio-1.18.2/samples/certs/generate-workload.sh deleted file mode 100755 index 2ff08c8e..00000000 --- a/istio-1.18.2/samples/certs/generate-workload.sh +++ /dev/null @@ -1,111 +0,0 @@ -#!/bin/bash -# -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -name=${1:-foo} -ns=${2:-$name} -sa=${3:-$name} -tmp=${4:-""} -rootselect=${5:-""} -san="spiffe://trust-domain-$name/ns/$ns/sa/$sa" - -DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) - -FINAL_DIR=$DIR -if [ -n "$tmp" ]; then - if [ -d "$tmp" ]; then - FINAL_DIR=$tmp - cp "$DIR"/root-cert.pem "$FINAL_DIR" - cp "$DIR"/ca-cert.pem "$FINAL_DIR" - cp "$DIR"/ca-key.pem "$FINAL_DIR" - cp "$DIR"/cert-chain.pem "$FINAL_DIR" - - cp "$DIR"/root-cert-alt.pem "$FINAL_DIR" - cp "$DIR"/ca-cert-alt.pem "$FINAL_DIR" - cp "$DIR"/ca-key-alt.pem "$FINAL_DIR" - cp "$DIR"/cert-chain-alt.pem "$FINAL_DIR" - - else - echo "tmp argument is not a directory: $tmp" - exit 1 - fi -fi - -function cleanup() { - if [ -f "$FINAL_DIR"/.srl ]; then - rm "$FINAL_DIR"/.srl - fi - if [ -f "$FINAL_DIR"/ca-cert.srl ]; then - rm "$FINAL_DIR"/ca-cert.srl - fi - if [ -f "$FINAL_DIR"/ca-cert-alt.srl ]; then - rm "$FINAL_DIR"/ca-cert-alt.srl - fi - if [ -f "$FINAL_DIR"/workload.cfg ]; then - rm "$FINAL_DIR"/workload.cfg - fi - if [ -f "$FINAL_DIR"/workload.csr ]; then - rm "$FINAL_DIR"/workload.csr - fi -} - -trap cleanup EXIT - -openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048 - -cat > "$FINAL_DIR"/workload.cfg <> "$FINAL_DIR/workload-$sa-cert.pem" -cp "$certchain" "$FINAL_DIR/workload-$sa-root-certs.pem" -cat "$rootcert" >> "$FINAL_DIR/workload-$sa-root-certs.pem" - -echo "Generated workload-$sa-[cert|key].pem with URI SAN $san" -openssl verify -CAfile <(cat "$certchain" "$rootcert") "$FINAL_DIR/workload-$sa-cert.pem" - diff --git a/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem b/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem deleted file mode 100644 index b5f4752c..00000000 --- a/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd -GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR -91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI -j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE -OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw -Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv -bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre -gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C -FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/ -4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT -ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE -JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9 -8w== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem b/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem deleted file mode 100644 index fee6dcf8..00000000 --- a/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp -tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er -3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh -MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5 -IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG -+PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v -bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV -WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC -FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/ -q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og -MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE -Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT -bw== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/root-cert-alt.pem b/istio-1.18.2/samples/certs/root-cert-alt.pem deleted file mode 100644 index 8dc20f9d..00000000 --- a/istio-1.18.2/samples/certs/root-cert-alt.pem +++ /dev/null @@ -1,30 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFFDCCAvygAwIBAgIUXl9kIYp2G+37cwt+ruWqmKHpFVkwDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw -MDM1NjI2WhcNMzMwMjE3MDM1NjI2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE -AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMS9oq7l -OR+vqj+99FcquCZiZB9d3AGmn4CUIzUsHLKwG/H4OZucHNaI+C/2IE+cHpqHq1RV -XqOdE5fMoBsHTjRN24K/WMHVr76IiTdla3e5OGvb8XtFTqH80bPcahWU6J5SKaP5 -nuj6D0OCDuPgV5fDNkMBp6qH3b+zbSBLDKLyepMeHUdfUXKuUjAFCRzPuKuCzJy+ -xNHu61OuRzILSUL7O8kTSK/1iz0mIFAqSxeS6AFDGsQIJRhKEhQSbmH924dGGQ5p -7bm8mFEYPYzyEw7l6zqaEKYEzoVhQrulJzUEVITVK9npW/GAREQK8KcabCakJf6L -wiTMZkWzrY2h7d7U/4Ib/7N3/1HREG6rLjZy08owaf09PNhKE1eqc32rwcJUdbsq -PiRqPRuIuGtNG69/CT+4I7liKoErJrxy4GfAxLRcFrkTA9Smo8lHsShbW/RvCEdr -2eXHolxmfgogDr3kYkrG3jYgUyYqaNIdasVQwRkfQByQpxp3ItL66NLLd1jn9ImO -IHAfWF2CCXdJtXKzksswOs/UW8gu8Y33YzfHZMxRQu5MlDEgKR6TJMDymYVedFAf -BeqpJepIN4zhpV/DnfC4qfhKf5KWCPWHkZgOKwl6sxOVk25ozDeiatXMfHFztTJI -1hWRF9cQNWdmHwVx19Yi2VfMwpgsnLDbeb+/AgMBAAGjQjBAMB0GA1UdDgQWBBQV -XzlSBYPXo+qiYX/1gUkx+t9GrTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAQj5EFGuY8jnXsvrcDEyo3kl+GAar60p3 -OB8BvMQzywYzmalztRluQr77dsTCDo9w+SL7/AKsJqljNJmzQg0Yst0YzPFAFUgt -8PdCFDgjuSfzlrKukcRj7yd2rzs+MQP3amOuWIj5gq7lUWAPNMp0bhU1lIS2eAk7 -Ew8s4BkgMI2fW8z22uEw49j+720n9q3xIpmfGA7SISe32Z3bu10fXrsIii++Zo9p -ItX7B5pKaLCwANjUejzC3NZ5HdL+yV9dXWXrVZrTvdFxRiqhNJtV64YTsSH+kVp8 -cCYyNA90CBVQU8ZyomNnOxqOsrBL1NvZllBmX1f3SnVa2Kw+RxJLtEx9lmKT3aiX -v0kPPhoU+qpA3eOVvbT0CbSBEl56wclPMd7xYMykkNU/AVc3lZ7YFcjb19YNxzff -AKktnJrFx3FHf03aeAnvJ35FxitrcpV4NvLvq5ViCHVw6IMO5h274Z/HoGHVvcle -OPtLRiI5Fkaexa6Y/+SPMDFsCfQJzL4ZWmnGSA+Z6YMD5atviQGEbSP4bCwIgOax -dsSyRo1cTRaOVCGVxed/s+ChbRnvljPd35zl79o+1zOOxJ2ttswYJRkjSsvn+BCL -GZj8c/5MkLtTwvL62wZVhCIHtZoS4LNUqdkyYvRJMZTV72YuEPTfl8NKhmMislqR -5LPKUi9adm4= ------END CERTIFICATE----- \ No newline at end of file diff --git a/istio-1.18.2/samples/certs/root-cert.pem b/istio-1.18.2/samples/certs/root-cert.pem deleted file mode 100644 index 64c3fd50..00000000 --- a/istio-1.18.2/samples/certs/root-cert.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv -MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB -FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN -8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu -IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw -uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv -YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw -zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh -euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ -ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W -tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK -WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy -AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx -xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a -3g== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-bar-cert.pem b/istio-1.18.2/samples/certs/workload-bar-cert.pem deleted file mode 100644 index 1b59e9c5..00000000 --- a/istio-1.18.2/samples/certs/workload-bar-cert.pem +++ /dev/null @@ -1,43 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd -GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR -91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI -j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE -OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw -Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv -bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre -gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C -FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/ -4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT -ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE -JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9 -8w== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-bar-key.pem b/istio-1.18.2/samples/certs/workload-bar-key.pem deleted file mode 100644 index 1b7889a9..00000000 --- a/istio-1.18.2/samples/certs/workload-bar-key.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA6p867UZ0Fc1u8L2Jayoc5YgRB4pM7xRNJg7N+VcpAd0YILjZ -NK765FEfzTxCfLPwJ7p4knVTA/6btLbNl81tjUvZUm9ZuhC0ULt6BvGnZ5H3WsnZ -aZGJA7pmgCZAb5RVpUyOpa2s7In+2TONdKyRldxtSRaSs88CTGxIFFagJciPbfR1 -EqCC/NmAiAGbg18OOt2PsCbARkDS3OI8XL/mH7pckSoPxwU7MqPRKinzQYQ7NIHz -MOdkKiYXPwJm/ZZSQmOeCPus4P5ygLUuhYmJSVMUx0CeDBJY+zJqqlm0MPAK34Kz -nWWGRBBcLpve30P1sdtcDFiwRwdqpH50pVUciwIDAQABAoIBABVjCmYSpAZQwaok -POCN6DBsJNFBJB4vBZFQjCoMbeqDku14rCQHR0uEsZdtxMnFRUD52H/RPg4BKYRh -nYAW88OLhHXlPJKfbzBkxozXfmEMhzW5bJ4Y7Bpw5WMNGZaSOPRmdCJaIIc3VQnL -jztxd5vnifa9ngXR+u2oeTGRa+vFncwtf+lDjid6KOsclFEOVRquT9e3BgccwWJL -O7k8GZzHCWj+jxeExrcoD5NMulHZGDTc49ZZeqpVIwQnhFEe+e6LcZ7jaHs1AgUK -v3cHVQUoeHa+NYATeoyXWUJzD0vW6fTgxUrf+GNrtdmbwaoGW4+FmsYKB0YD2FO3 -bQ5cQWECgYEA+sXSllaDmrwFhX7Tga7nHN74maGk0V4eUnVQ2rkwRXgwaUh+V3K7 -5jJ1ZTZuWYbAWup+rVt0cAb0Ja8zBnnkHRdwe0gQqtoj+5YdD8RAluBJePFigp77 -pK+JfdiYnA0JC3Z+7gkeWM/uY9ojDuasX83yVf7Kgm+7HMUrh5dGaDMCgYEA74M5 -Q32oM8zxGm9ck82rh7ox0NwTeIrwr5U42QFqT0h26nR3m51l8odj3rz0WnRtOfAl -sjJ3y5tygdVLMzwpuHzpA/iq7YRY04+g7Q5MoVAImLKzKJzIxZra+6eo2ctcQCBO -U90+jY4C4/YgvTYKnndFvlVXcXXNyhPJKlfLAkkCgYEA8yOWmHjtRLuERvi+rYAd -SJrPQnW9TdoJYD2q1Ua0jMaJear2BGeT0w+dTzLFLzw9iGjPxdlkPbIgSeFigabx -C1vMjVtD/cNfG/Fh4AWR8jcoRYEU2Dy5E+W2UzQMU1E4McsEKlrg948zPdEkKLBy -9LjDe6l8Q5d9PdnV6LM9ao0CgYAnY7NVMCMrcbbtHAdjn11oUuzCZo8lMeRnW+kf -dyYep9I2uLS6+OW9PxrjlLuy7JbSAnaQmdAtwgDQ7V0SrgBGgPRpXMnvieZ51JMo -qUNc/CaNxkXElhRGuzLsVCRmvRUMzsNS833IFeTPzLiRpYOVkBP+O1bIKBGR/DMH -La0LUQKBgQD0Jea309Qr3CZIDp8IYnthYHIezDPmRBbyMKK5kTj/GC19JIXJoonw -nUw9vpVp+WdBy+ZP/567eUp9RrG9xP+OrirWeUT8UFdmpc+JbI54b2tX0UgUePKm -oKXf/DlOM5K2gDaIL+wlFYuxdrLtFCxvFP+7ihueivunjbtENQqdGA== ------END RSA PRIVATE KEY----- diff --git a/istio-1.18.2/samples/certs/workload-bar-root-certs.pem b/istio-1.18.2/samples/certs/workload-bar-root-certs.pem deleted file mode 100644 index 9a43073e..00000000 --- a/istio-1.18.2/samples/certs/workload-bar-root-certs.pem +++ /dev/null @@ -1,46 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv -MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB -FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN -8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu -IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw -uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv -YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw -zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh -euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ -ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W -tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK -WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy -AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx -xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a -3g== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-foo-cert.pem b/istio-1.18.2/samples/certs/workload-foo-cert.pem deleted file mode 100644 index 50197b98..00000000 --- a/istio-1.18.2/samples/certs/workload-foo-cert.pem +++ /dev/null @@ -1,43 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp -tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er -3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh -MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5 -IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG -+PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v -bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV -WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC -FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/ -q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og -MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE -Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT -bw== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-foo-key.pem b/istio-1.18.2/samples/certs/workload-foo-key.pem deleted file mode 100644 index bac90f1e..00000000 --- a/istio-1.18.2/samples/certs/workload-foo-key.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpgIBAAKCAQEAxEV57zKbR02IsRorjqvdrEeZJo8S77zB5iyrknP76mm2ktit -HFXv1Q8rMqowuZ9xrUpSzo9iQKKl/+Gy82MvCRB/VFGl1JweTXtUr8BrQSveZogP -DlPNF6p3sx+CwhRK2bLpPRZXLMwdUCMNX9pGRPDNbCnb1smB+S8jb9DL0yEw4005 -nf6b5RwgriimCDsaY3DKd+s/GFZ9SyC1gSlpNcRsk6OpCH/wijnogrgBtLki80V8 -3ZEouLTCD1jOB36h2iJ+m6ZpM/qK4mmiFLIKCmGvxreNfkO5Q1d2696LAwb48RJz -RBIbMBYDXX89YLW/SdTjmhZMHfWJt24ZZ6ebZwIDAQABAoIBAQC+W0vZrFFhpFcw -vVsFcrb6Qi7NcPJCxeWhIi39SrRHM+Q5JCExXD/RenbBGsNLJNMR6QXLBNGcMqOh -OvtehxG1TuTPmKinPgs9xqHqG0tq1+tJsig4ExrVGyYg+izNovS9k4IXFzXRYt4D -PRvZnU+NyabSgv6OoL2IOim6Zt1olBIHK0u57bNEFLoLJBHi+/qxVo1H1ZxW4eg/ -/hCkg8IlT7G1wrT9uwAU5ld6wpG6OYub4uHLPsoyWB4E2vl1/liZq4MnUJG0M5m5 -QWHy9wL3jow/LtjVvcn/I09YIJKI9BocUi6/ze/Boy1zo4cL+cryLpfplIhZ0u/N -a/S/222BAoGBAPPXTLJyfSEt70+H2iYPKEBMVo8UBAW2rSICOCMvKZJuCuqccB75 -Jy6h+BQtIJZf+rnNzlG4EH6Vjb4mC/YYBf0U1inpCsdKcw96hv7+EYzBtKf/lK9N -au+AEAgngr1xgA+M84jMWnosFMNw88pO6j260y1aMUmLD8onrnglPcEHAoGBAM4O -79WMqTXipgvQzx66KeQQs6Gf1nwh4Ut9NYs2nk4KQrkAHd4zuURFlxdnqr/mC4wb -nsLCdFOOZaiWIIG93lp0Ox0dLar2jJK88WfCzzerUBljMRv8xJZBLOe7rv5iawVC -mBnZE606m1kTrj6wY5M7TsZiIIeYQcmlJNmW9ZqhAoGBAMY+iqqiDj2FfQTp7F/4 -/r6X0d/tY//JLyVxLHbehyv3r4Riv31PD54ILQsqTU40pkGdo1opDa/8owqvIBZq -HaRO5neYchzo2HcDJPH3WglYCypyzk1f4crqER6wEMk4l+cMr4rOqdieMhtbn7kh -Q6wAUmSS6XNjTekLLfucO4LNAoGBAIjIgYxQg0Kx4WeWhObwzT4HmDaB0+8yzks+ -Inz3FL7ZMNF9slX+H82iJFn1BvO70Y6ABzNhwbZ1oCX5Ajsdvqxs25DH/bivUUFX -CyjFuKhLoDA6GC9r61OSkCyD+fYDfudO/YirANTNQrIuzkvu6yqhA/nMyas49vLU -HVITU5YBAoGBANJVeCLwpjoK2ROM6mIQrHtBR5Ft0a5DhjQWT/6FrsUXGYH3nsdt -cEUCJsBU7z46GcByRIT25xGimoitQppsw6Wcf0gtjNyqbF56aejjEkd5LNtm77gz -9wNya77NzyrtiAjG9TCnDPJUX7satEoXgEGMxmtoiQ+pbD3nvJsFjkZQ ------END RSA PRIVATE KEY----- diff --git a/istio-1.18.2/samples/certs/workload-foo-root-certs.pem b/istio-1.18.2/samples/certs/workload-foo-root-certs.pem deleted file mode 100644 index 9a43073e..00000000 --- a/istio-1.18.2/samples/certs/workload-foo-root-certs.pem +++ /dev/null @@ -1,46 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv -MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB -FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN -8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu -IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw -uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv -YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw -zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh -euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ -ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W -tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK -WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy -AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx -xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a -3g== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/cicd/skaffold/README.md b/istio-1.18.2/samples/cicd/skaffold/README.md deleted file mode 100644 index a8fa19ab..00000000 --- a/istio-1.18.2/samples/cicd/skaffold/README.md +++ /dev/null @@ -1,45 +0,0 @@ -# Skaffold - -This is intended for demonstration only, and is not tuned for performance or security. - -skaffold is a tool that enables fast development iteration and controls deployment to local or remote clusters - -If running `skaffold run` for deployment, manifests are pulled from remote charts, if running `skaffold dev` for development and hot reload, manifests are pulled from current branch. - -## Quick Start - -skaffold is built around modules and profiles - -1) istio-base + istio - - ```bash - skaffold run -m istiod - ``` - -2) istio-base + istio + ingress - - ```bash - skaffold run -m ingress - ``` - -3) istio-base + istio + ingress + kiali - - ```bash - skaffold run -m ingress,kiali - ``` - -4) istio-base + istio + ingress + kiali + bookinfo - - ```bash - skaffold run -m ingress,kiali,bookinfo - ``` - -## References - -- Github: [github.com/GoogleContainerTools/skaffold](https://github.com/GoogleContainerTools/skaffold) -- Site: [skaffold.dev](https://skaffold.dev/) - -### TODO - -- Add build and test stage for images in istiod (pilot and proxy) -- Addons diff --git a/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml b/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml deleted file mode 100644 index b67aa289..00000000 --- a/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml +++ /dev/null @@ -1,145 +0,0 @@ -# Skaffold - https://skaffold.dev/ -# ------------------------------------------------ # -# This is for illustration purposes only -# ------------------------------------------------ # -# Installation options & modules -# ------------------------------------------------ # -# istio - `skaffold run -m istiod` -# ingress - `skaffold run -m ingress` -# Addons: -# - kiali - `skaffold run -m kiali` -# - prometheus - `skaffold run -m prometheus` -# Demos: -# - bookinfo - `skaffold run -m bookinfo` -# ------------------------------------------------ # -# Development mode - skaffold dev # -# ------------------------------------------------- # -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: istio-base -profiles: - - name: dev - activation: - - command: dev - deploy: - helm: - releases: - - name: istio-base - chartPath: ../../../manifests/charts/base - namespace: istio-system - createNamespace: true - - name: run - activation: - - command: run - deploy: - helm: - releases: - - name: istio-base - remoteChart: base - repo: https://istio-release.storage.googleapis.com/charts - namespace: istio-system - createNamespace: true ---- -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: istiod -requires: - - configs: [istio-base] -profiles: - - name: dev - activation: - - command: dev - deploy: - helm: - releases: - - name: istiod - chartPath: ../../../manifests/charts/istio-control/istio-discovery - namespace: istio-system - - name: run - activation: - - command: run - deploy: - helm: - releases: - - name: istiod - remoteChart: istiod - repo: https://istio-release.storage.googleapis.com/charts - namespace: istio-system ---- -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: ingress -requires: - - configs: [istiod] -profiles: - - name: dev - activation: - - command: dev - deploy: - helm: - releases: - - name: istio-ingressgateway - chartPath: ../../../manifests/charts/gateway - namespace: istio-system - - name: run - activation: - - command: run - deploy: - helm: - releases: - - name: istio-ingressgateway - remoteChart: gateway - repo: https://istio-release.storage.googleapis.com/charts - namespace: istio-system ---- -# https://istio.io/latest/docs/ops/integrations/prometheus/ -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: prometheus -requires: - - configs: [istiod] -deploy: - kubectl: - manifests: ["../../../samples/addons/prometheus.yaml"] ---- -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: kiali -requires: - - configs: [prometheus] -deploy: - helm: - releases: - - name: kiali-server - remoteChart: kiali-server - repo: https://kiali.org/helm-charts - namespace: istio-system - version: v1.44.0 - valuesFiles: [../../../manifests/addons/values-kiali.yaml] ---- -# Config for https://istio.io/latest/docs/examples/bookinfo/ -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: bookinfo -requires: - - configs: [ingress] -deploy: - kubectl: - hooks: - before: - - host: - command: ["sh", "-c", "kubectl label namespace default istio-injection=enabled --overwrite"] - os: [darwin, linux] - - host: - command: ["cmd.exe", "/C", "kubectl label namespace default istio-injection=enabled --overwrite"] - os: [windows] - manifests: - - "../../../samples/bookinfo/platform/kube/bookinfo.yaml" - - "../../../samples/bookinfo/networking/bookinfo-gateway.yaml" - - "../../../samples/bookinfo/networking/destination-rule-all.yaml" diff --git a/istio-1.18.2/samples/custom-bootstrap/README.md b/istio-1.18.2/samples/custom-bootstrap/README.md deleted file mode 100644 index 814e7dcc..00000000 --- a/istio-1.18.2/samples/custom-bootstrap/README.md +++ /dev/null @@ -1,52 +0,0 @@ -# Custom Envoy Bootstrap Configuration - -This sample creates a simple helloworld service that bootstraps the Envoy proxy with a custom configuration file. - -## Starting the service - -First, we need to create a `ConfigMap` resource with our bootstrap configuration. - -```bash -kubectl apply -f custom-bootstrap.yaml -``` - -Next, we can create a service that uses this bootstrap configuration. - -To do this, we need to add an annotation, `sidecar.istio.io/bootstrapOverride`, with the name of our ConfigMap as the value. - -We can create our helloworld app, using the custom config, with: - -```bash -kubectl apply -f example-app.yaml -``` - -If you don't have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) -set in your cluster you will need to manually inject it to the services instead: - -```bash -istioctl kube-inject -f example-app.yaml -o example-app-istio.yaml -kubectl apply -f example-app-istio.yaml -``` - -## Checking the Bootstrap Configuration - -To see what bootstrap configuration a pod is using: - -```bash -istioctl proxy-config bootstrap -``` - -## Customizing the Bootstrap - -The configuration provided will be passed to envoy using the [`--config-yaml`](https://www.envoyproxy.io/docs/envoy/v1.7.1/operations/cli#cmdoption-config-yaml) flag. - -This will merge the passed in configuration with the default configuration. Singular values will replace the default values, while repeated values will be appended. - -For reference, [the default bootstrap configuration](../../tools/packaging/common/envoy_bootstrap.json) and Envoy's [configuration reference](https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration#config) may be useful - -## Cleanup - -```bash -kubectl delete -f custom-bootstrap.yaml -kubectl delete -f example-app.yaml -``` diff --git a/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml b/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml deleted file mode 100644 index 5f406976..00000000 --- a/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-custom-bootstrap-config - namespace: default -data: - custom_bootstrap.json: | - "tracing": { - "http": { - "name": "envoy.tracers.zipkin", - "typed_config": { - "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig", - "collector_cluster": "zipkin", - "collector_endpoint": "/api/v1/spans/custom", - "collector_endpoint_version": "HTTP_JSON", - "trace_id_128bit": true, - "shared_span_context": false - } - } - } diff --git a/istio-1.18.2/samples/custom-bootstrap/example-app.yaml b/istio-1.18.2/samples/custom-bootstrap/example-app.yaml deleted file mode 100644 index 3a351a31..00000000 --- a/istio-1.18.2/samples/custom-bootstrap/example-app.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-v1 - labels: - app: helloworld - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - version: v1 - template: - metadata: - annotations: - sidecar.istio.io/bootstrapOverride: "istio-custom-bootstrap-config" - labels: - app: helloworld - version: v1 - spec: - containers: - - name: helloworld - image: docker.io/istio/examples-helloworld-v1 - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 5000 diff --git a/istio-1.18.2/samples/extauthz/README.md b/istio-1.18.2/samples/extauthz/README.md deleted file mode 100644 index 1aba62b6..00000000 --- a/istio-1.18.2/samples/extauthz/README.md +++ /dev/null @@ -1,99 +0,0 @@ -# Ext Authz Service - -[Ext Authz server](cmd/extauthz) implements the external server for the [Envoy ext_authz filter](https://www.envoyproxy.io/docs/envoy/v1.16.0/intro/arch_overview/security/ext_authz_filter) -as an example of integrating custom authorization system into Istio. - -The Ext Authz server supports authorization check request using either HTTP (port 8000) or gRPC v2/v3 (port 9000) API and -will allow the request if it includes the header `x-ext-authz: allow` or if the service account of the source workload is `a`. -Note that `a` is just a default value for testing. It can be changed with the flag `-allow_service_account` when running the ext authz server. - -## Usage - -1. Deploy the Ext Authz service in a dedicated pod: - - ```console - $ kubectl apply -f ext-authz.yaml - service/ext-authz created - deployment.apps/ext-authz created - ``` - - Note, you can also deploy the Ext Authz service locally with the application container in the same pod, see the example in `local-ext-authz.yaml`. - -1. Verify the Ext Authz server is up and running: - - Deploy a sleep pod to send the request: - - ```console - $ kubectl apply -f ../sleep/sleep.yaml - ``` - - Send a check request with header `x-ext-authz: allow` to the Ext Authz server: - - ```console - $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: allow" - * Trying 10.97.88.183:8000... - * Connected to ext-authz-server (10.97.88.183) port 8000 (#0) - > GET / HTTP/1.1 - > Host: ext-authz-server:8000 - > User-Agent: curl/7.73.0-DEV - > Accept: */* - > x-ext-authz: allow - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-ext-authz-result: allowed - < date: Tue, 03 Nov 2020 03:06:11 GMT - < content-length: 0 - < x-envoy-upstream-service-time: 19 - < server: envoy - < - * Connection #0 to host ext-authz-server left intact - ``` - - As you observe, the check request with header `x-ext-authz: allow` is allowed by the Ext Authz server. - - Send another check request with `x-ext-authz: blabla` to the Ext Authz server: - - ```console - $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: bla" - > GET / HTTP/1.1 - > Host: ext-authz-server:8000 - > User-Agent: curl/7.73.0-DEV - > Accept: */* - > x-ext-authz: allowx - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 403 Forbidden - < x-ext-authz-check-result: denied - < date: Tue, 03 Nov 2020 03:14:02 GMT - < content-length: 76 - < content-type: text/plain; charset=utf-8 - < x-envoy-upstream-service-time: 44 - < server: envoy - < - * Connection #0 to host ext-authz-server left intact - denied by ext_authz for not found header `x-ext-authz: allow` in the request - ``` - - As you observe, the check request with header `x-ext-authz: bla` is denied by the Ext Authz server. - -1. To clean up, execute the following commands: - - ```console - $ kubectl delete -f ../sleep/sleep.yaml - $ kubectl delete -f ext-authz.yaml - ``` - -## Advanced features - -The Ext Authz server supports the following advanced features that are useful for testing: - -- The ext authz server will add the `x-ext-authz-check-received` header to the user request. The content is the dump of - the check request it received from the ext-authz filter. This header is useful in verifying the ext-authz filter sending - the expected request to the ext authz server. - -- The ext authz server will add (or override if it already exists) the header `x-ext-authz-additional-header-override` to - the user request. The value of the header depends on the type of ext-authz server. - The ext authz HTTP server will set it to the value of the same `x-ext-authz-additional-header-override` header in the - check request. The ext authz gRPC server will set it to the constant value `grpc-additional-header-override-value`. - This header is useful in verifying the header override behavior in the ext-authz filter. diff --git a/istio-1.18.2/samples/extauthz/ext-authz.yaml b/istio-1.18.2/samples/extauthz/ext-authz.yaml deleted file mode 100644 index 0860df5c..00000000 --- a/istio-1.18.2/samples/extauthz/ext-authz.yaml +++ /dev/null @@ -1,55 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Example configurations for deploying ext-authz server separately in the mesh. - -apiVersion: v1 -kind: Service -metadata: - name: ext-authz - labels: - app: ext-authz -spec: - ports: - - name: http - port: 8000 - targetPort: 8000 - - name: grpc - port: 9000 - targetPort: 9000 - selector: - app: ext-authz ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ext-authz -spec: - replicas: 1 - selector: - matchLabels: - app: ext-authz - template: - metadata: - labels: - app: ext-authz - spec: - containers: - - image: gcr.io/istio-testing/ext-authz:latest - imagePullPolicy: IfNotPresent - name: ext-authz - ports: - - containerPort: 8000 - - containerPort: 9000 ---- diff --git a/istio-1.18.2/samples/extauthz/local-ext-authz.yaml b/istio-1.18.2/samples/extauthz/local-ext-authz.yaml deleted file mode 100644 index 60a9bf85..00000000 --- a/istio-1.18.2/samples/extauthz/local-ext-authz.yaml +++ /dev/null @@ -1,99 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Example configurations for deploying ext-authz server locally with the application container in the same pod. - -# Define the service entry for the local ext-authz service on port 8000. -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: httpbin-ext-authz-http -spec: - hosts: - - "ext-authz-http.local" - endpoints: - - address: "127.0.0.1" - ports: - - name: http - number: 8000 - protocol: HTTP - resolution: STATIC ---- -# Define the service entry for the local ext-authz service on port 9000. -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: httpbin-ext-authz-grpc -spec: - hosts: - - "ext-authz-grpc.local" - endpoints: - - address: "127.0.0.1" - ports: - - name: grpc - number: 9000 - protocol: GRPC - resolution: STATIC ---- -# Deploy the ext-authz server locally with the application container in the same pod. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: httpbin -spec: - replicas: 1 - selector: - matchLabels: - app: httpbin - version: v1 - template: - metadata: - labels: - app: httpbin - version: v1 - spec: - serviceAccountName: httpbin - containers: - - image: docker.io/kong/httpbin - imagePullPolicy: IfNotPresent - name: httpbin - ports: - - containerPort: 80 - - image: gcr.io/istio-testing/ext-authz:latest - imagePullPolicy: IfNotPresent - name: ext-authz - ports: - - containerPort: 8000 - - containerPort: 9000 ---- -apiVersion: v1 -kind: Service -metadata: - name: httpbin - labels: - app: httpbin - service: httpbin -spec: - ports: - - name: http - port: 8000 - targetPort: 80 - selector: - app: httpbin ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: httpbin ---- diff --git a/istio-1.18.2/samples/external/README.md b/istio-1.18.2/samples/external/README.md deleted file mode 100644 index e17198b8..00000000 --- a/istio-1.18.2/samples/external/README.md +++ /dev/null @@ -1,34 +0,0 @@ -# External Services - -By default Istio-enabled services are unable to access services and URLs outside of the cluster. Pods use iptables to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations. - -See [the Egress Task](https://istio.io/docs/tasks/traffic-management/egress/) for -information on configuring Istio to contact external services. - -This directory contains samples showing how to enable pods to contact a few well -known services. - -If Istio is not configured to allow pods to contact external services, the pods will -see errors such as 404s, HTTPS connection problems, and TCP connection problems. If -ServiceEntries are misconfigured pods may see problems with server names. - -## Try it out - -After an operator runs `kubectl create -f aptget.yaml` pods will be able to -succeed with `apt-get update` and `apt-get install`. - -After an operator runs `kubectl create -f github.yaml` pods will be able to -succeed with `git clone https://github.com/fortio/fortio.git`. - -Running `kubectl create -f pypi.yaml` allows pods to update Python libraries using `pip`. - -It is not a best practice to enable pods to update libraries dynamically. -We are providing these samples -because they have proven to be helpful with interactive troubleshooting. Security minded clusters should only allow traffic to service dependencies such as cloud -services. - -### Enable communication by default - -Note that [this note](https://istio.io/docs/tasks/traffic-management/egress/#install-istio-with-access-to-all-external-services-by-default) shows how to configure Istio to contact services by default. The technique -discussed there does not allow HTTP on port 80 or SSH on port 22. These examples will -allow external communication for ports 80 and 22. diff --git a/istio-1.18.2/samples/external/aptget.yaml b/istio-1.18.2/samples/external/aptget.yaml deleted file mode 100644 index fa24fa45..00000000 --- a/istio-1.18.2/samples/external/aptget.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# This ServiceEntry exposes the hosts needed for installing packages with apt-get. -# After applying this file, Istio-enabled pods (configured apt-get) be able to execute -# `apt-get upgrade` and `apt-get install`. If this is not installed you may get -# "404 Not Found" - -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: make-aptget-work -spec: - hosts: - - deb.debian.org - - cdn-fastly.deb.debian.org - - security.debian.org - - archive.ubuntu.com - - security.ubuntu.com - ports: - - number: 80 - name: http - protocol: HTTP diff --git a/istio-1.18.2/samples/external/github.yaml b/istio-1.18.2/samples/external/github.yaml deleted file mode 100644 index 832cbc37..00000000 --- a/istio-1.18.2/samples/external/github.yaml +++ /dev/null @@ -1,53 +0,0 @@ -# This ServiceEntry exposes the hosts needed for github.com. -# After applying this file, Istio-enabled pods will be able to execute -# `git clone https://github.com/istio/api.git` and (with local identification -# config and certificate) `git clone git@github.com:istio/api.git` - -# HTTP and TLS, the host must be specified -# See https://istio.io/docs/tasks/traffic-management/egress/ -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: github-https -spec: - hosts: - - github.com - ports: - - number: 443 - name: https - protocol: HTTPS ---- -# For TCP services the IP ranges SHOULD be specified to avoid problems -# if multiple SEs use the same port number. -# See https://istio.io/blog/2018/egress-tcp/#mesh-external-service-entry-for-an-external-mysql-instance -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: github-tcp -spec: - hosts: - - dummy.github.com # not used - addresses: # from https://help.github.com/articles/about-github-s-ip-addresses/ - - "13.229.188.59/32" - - "13.250.177.223/32" - - "140.82.112.0/20" - - "18.194.104.89/32" - - "18.195.85.27/32" - - "185.199.108.0/22" - - "185.199.108.153/32" - - "185.199.109.153/32" - - "185.199.110.153/32" - - "185.199.111.153/32" - - "192.30.252.0/22" - - "192.30.252.153/32" - - "192.30.252.154/32" - - "23.20.92.3/32" - - "35.159.8.160/32" - - "52.74.223.119/32" - - "54.166.52.62/32" - - "54.87.5.173/32" - ports: - - name: tcp - number: 22 - protocol: tcp - location: MESH_EXTERNAL diff --git a/istio-1.18.2/samples/external/pypi.yaml b/istio-1.18.2/samples/external/pypi.yaml deleted file mode 100644 index 7f457a5a..00000000 --- a/istio-1.18.2/samples/external/pypi.yaml +++ /dev/null @@ -1,44 +0,0 @@ -# This ServiceEntry exposes the hosts needed for Python `pip`. -# After applying this file, Istio-enabled pods will be able to execute -# `pip search istio`. - -# HTTP and TLS, the host must be specified -# See https://istio.io/docs/tasks/traffic-management/egress/ - -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: python-https -spec: - hosts: - - pypi.python.org - ports: - - number: 443 - name: https - protocol: HTTPS ---- -# pypi.python.org may 301 redirect to pypi.org, so we need this too. -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: pypi-https -spec: - hosts: - - pypi.org - ports: - - number: 443 - name: https - protocol: HTTPS ---- -# pip install may fetch files from files.pythonhosted.org -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: pythonhosted-https -spec: - hosts: - - files.pythonhosted.org - ports: - - number: 443 - name: https - protocol: HTTPS diff --git a/istio-1.18.2/samples/grpc-echo/README.md b/istio-1.18.2/samples/grpc-echo/README.md deleted file mode 100644 index 46631698..00000000 --- a/istio-1.18.2/samples/grpc-echo/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# grpc-echo - -This sample demonstrates Istio's Proxyless gRPC support with a special injection template `grpc-agent`. -The template injects the `istio-proxy` sidecar, but the sidecar will only run `pilot-agent` and not envoy. - -See the [gRPC xDS feature status](https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md) for more -information. diff --git a/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml b/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml deleted file mode 100644 index fb3899c3..00000000 --- a/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml +++ /dev/null @@ -1,197 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: echo - name: echo - namespace: echo-grpc -spec: - selector: - app: echo - type: ClusterIP - ports: - - name: http - port: 80 - targetPort: 18080 - - name: grpc - port: 7070 - targetPort: 17070 - - name: tcp - port: 9090 - targetPort: 19090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: echo-v1 - namespace: echo-grpc -spec: - replicas: 1 - selector: - matchLabels: - app: echo - version: v1 - template: - metadata: - annotations: - inject.istio.io/templates: grpc-agent - proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}' - labels: - app: echo - version: v1 - spec: - containers: - - args: - - --metrics=15014 - - --port - - "18080" - - --tcp - - "19090" - - --xds-grpc-server=17070 - - --grpc - - "17070" - - --grpc - - "17171" - - --port - - "3333" - - --port - - "8080" - - --version - - v1 - - --crt=/cert.crt - - --key=/cert.key - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: gcr.io/istio-testing/app:latest - imagePullPolicy: Always - livenessProbe: - failureThreshold: 10 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 - name: app - ports: - - containerPort: 17070 - protocol: TCP - - containerPort: 17171 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 3333 - name: tcp-health-port - protocol: TCP - readinessProbe: - failureThreshold: 10 - httpGet: - path: / - port: 8080 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - runAsGroup: 1338 - runAsUser: 1338 - startupProbe: - failureThreshold: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: echo-v2 - namespace: echo-grpc -spec: - replicas: 1 - selector: - matchLabels: - app: echo - version: v2 - template: - metadata: - annotations: - inject.istio.io/templates: grpc-agent - proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}' - labels: - app: echo - version: v2 - spec: - containers: - - args: - - --metrics=15014 - - --xds-grpc-server=17070 - - --port - - "18080" - - --tcp - - "19090" - - --grpc - - "17070" - - --grpc - - "17171" - - --port - - "3333" - - --port - - "8080" - - --version - - v2 - - --crt=/cert.crt - - --key=/cert.key - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: gcr.io/istio-testing/app:latest - imagePullPolicy: Always - livenessProbe: - failureThreshold: 10 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 - name: app - ports: - - containerPort: 17070 - protocol: TCP - - containerPort: 17171 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 3333 - name: tcp-health-port - protocol: TCP - readinessProbe: - failureThreshold: 10 - httpGet: - path: / - port: 8080 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - runAsGroup: 1338 - runAsUser: 1338 - startupProbe: - failureThreshold: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 diff --git a/istio-1.18.2/samples/health-check/liveness-command.yaml b/istio-1.18.2/samples/health-check/liveness-command.yaml deleted file mode 100644 index 247b55e5..00000000 --- a/istio-1.18.2/samples/health-check/liveness-command.yaml +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Liveness service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: liveness - labels: - app: liveness - service: liveness -spec: - ports: - - port: 80 - name: http - selector: - app: liveness ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: liveness -spec: - selector: - matchLabels: - app: liveness - template: - metadata: - labels: - app: liveness - spec: - containers: - - name: liveness - image: registry.k8s.io/busybox - args: - - /bin/sh - - -c - - touch /tmp/healthy; sleep 3600 - livenessProbe: - exec: - command: - - cat - - /tmp/healthy - initialDelaySeconds: 5 - periodSeconds: 5 diff --git a/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml b/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml deleted file mode 100644 index a39a3ff1..00000000 --- a/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: liveness-http - labels: - app: liveness-http - service: liveness-http -spec: - ports: - - name: http - port: 8001 - selector: - app: liveness-http ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: liveness-http -spec: - selector: - matchLabels: - app: liveness-http - version: v1 - template: - metadata: - labels: - app: liveness-http - version: v1 - spec: - containers: - - name: liveness-http - image: docker.io/istio/health:example - ports: - - containerPort: 8001 - livenessProbe: - httpGet: - path: /foo - port: 8001 - initialDelaySeconds: 5 - periodSeconds: 5 diff --git a/istio-1.18.2/samples/helloworld/README.md b/istio-1.18.2/samples/helloworld/README.md deleted file mode 100644 index e41bd167..00000000 --- a/istio-1.18.2/samples/helloworld/README.md +++ /dev/null @@ -1,110 +0,0 @@ -# Helloworld service - -This sample includes two versions of a simple helloworld service that returns its version -and instance (hostname) when called. -It can be used as a test service when experimenting with version routing. - -This service is also used to demonstrate canary deployments working in conjunction with autoscaling. -See [Canary deployments using Istio](https://istio.io/blog/2017/0.1-canary). - -## Start the helloworld service - -The following commands assume you have -[automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) -enabled in your cluster. -If not, you'll need to modify them to include -[manual sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection). - -To run both versions of the helloworld service, use the following command: - -```bash -kubectl apply -f helloworld.yaml -``` - -Alternatively, you can run just one version at a time by first defining the service: - -```bash -kubectl apply -f helloworld.yaml -l service=helloworld -``` - -and then deploying version v1, v2, or both: - -```bash -kubectl apply -f helloworld.yaml -l version=v1 -kubectl apply -f helloworld.yaml -l version=v2 -``` - -For even more flexibility, there is also a script, `gen-helloworld.sh`, that will -generate YAML for the helloworld service. This script takes the following -arguments: - -Argument | Default | Description --------- | ------- | ----------- -`-h`,`--help` | | Prints usage information. -`--version` | `v1` | Specifies the version that will be returned by the helloworld service. -`--includeService` | `true` | If `true` the service will be included in the YAML. -`--includeDeployment` | `true` | If `true` the deployment will be included in the YAML. - -You can use this script to deploy a custom version: - -```bash -./gen-helloworld.sh --version customversion | \ - kubectl apply -f - -``` - -## Configure the helloworld gateway - -*___Note:___ Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). You can use the Gateway API to configure the helloworld service, instead of the classic Istio configuration model, by following the instructions in [./gateway-api/README.md](./gateway-api/README.md), instead of the instructions below.* - -Apply the helloworld gateway configuration: - -```bash -kubectl apply -f helloworld-gateway.yaml -``` - -Follow [these instructions](https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) -to set the INGRESS_HOST and INGRESS_PORT variables and then confirm the sample is running using curl: - -```bash -export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT -curl http://$GATEWAY_URL/hello -``` - -## Autoscale the services - -Note that a Kubernetes [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) -only works if all containers in the pods request cpu. In this sample the deployment -containers in `helloworld.yaml` are configured with the request. -The injected istio-proxy containers also include cpu requests, -making the helloworld service ready for autoscaling. - -Enable autoscaling on both versions of the service: - -```bash -kubectl autoscale deployment helloworld-v1 --cpu-percent=50 --min=1 --max=10 -kubectl autoscale deployment helloworld-v2 --cpu-percent=50 --min=1 --max=10 -kubectl get hpa -``` - -## Generate load - -```bash -./loadgen.sh & -./loadgen.sh & # run it twice to generate lots of load -``` - -Wait for about 2 minutes and then check the number of replicas: - -```bash -kubectl get hpa -``` - -If the autoscaler is functioning correctly, the `REPLICAS` column should have a value > 1. - -## Cleanup - -```bash -kubectl delete -f helloworld.yaml -kubectl delete -f helloworld-gateway.yaml -kubectl delete hpa helloworld-v1 helloworld-v2 -``` diff --git a/istio-1.18.2/samples/helloworld/gateway-api/README.md b/istio-1.18.2/samples/helloworld/gateway-api/README.md deleted file mode 100644 index ee37810e..00000000 --- a/istio-1.18.2/samples/helloworld/gateway-api/README.md +++ /dev/null @@ -1,74 +0,0 @@ -# Configure helloworld using the Kubernetes Gateway API - -Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). -You can use the following instructions to configure the ingress gateway and routing for the helloworld sample. - -## Before you begin - -The Gateway API CRDs do not come installed by default on most Kubernetes clusters, so install them if not present: - -```bash -kubectl get crd gateways.gateway.networking.k8s.io || \ - { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0" | kubectl apply -f -; } -``` - -Also make sure you are running two versions (v1 and v2) of the helloworld service: - -```bash -kubectl apply -f ../helloworld.yaml -``` - -## Configure the helloworld gateway - -Apply the helloworld gateway configuration: - -```bash -kubectl apply -f ./helloworld-gateway.yaml -``` - -Note that unlike an Istio `Gateway`, creating a Kubernetes `Gateway` resource will, by default, also [deploy an associated controller](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment). - -Set the INGRESS_HOST environment variables to the address of the helloworld gateway: - -```bash -kubectl wait --for=condition=ready gtw helloworld-gateway -export INGRESS_HOST=$(kubectl get gtw helloworld-gateway -o jsonpath='{.status.addresses[*].value}') -``` - -Confirm the sample is running using curl: - -```bash -for run in {1..10}; do curl http://$INGRESS_HOST/hello; done -``` - -Since no version routing has been configured, you should see an equal split of traffic, about half handled by helloworld-v1 and the other half handled by helloworld-v2. - -## Configure weight-based routing - -Declare the helloworld versions (Gateway API requires backend service definitions, unlike the Istio API which uses DestinationRule subsets for this): - -```bash -kubectl apply -f ./helloworld-versions.yaml -``` - -Apply the following route rule to distribute the helloworld traffic 90% to v1, 10% to v2: - -```bash -kubectl apply -f ./helloworld-route.yaml -``` - -Run the previous curl commands again: - -```bash -for run in {1..10}; do curl http://$INGRESS_HOST/hello; done -``` - -Now you should see about 9 out of 10 requests handled by helloworld-v1 and only about 1 in 10 handled by helloworld-v2. - -## Cleanup - -```bash -kubectl delete -f ./helloworld-gateway.yaml -kubectl delete -f ./helloworld-versions.yaml -kubectl delete -f ../helloworld.yaml -``` diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml deleted file mode 100644 index c4c8a8a6..00000000 --- a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - gatewayClassName: istio - listeners: - - name: http - port: 80 - protocol: HTTP - allowedRoutes: - namespaces: - from: Same ---- -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: helloworld -spec: - parentRefs: - - name: helloworld-gateway - rules: - - matches: - - path: - type: Exact - value: /hello - backendRefs: - - name: helloworld - port: 5000 diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml deleted file mode 100644 index 1e316f95..00000000 --- a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: helloworld -spec: - parentRefs: - - name: helloworld-gateway - rules: - - matches: - - path: - type: Exact - value: /hello - backendRefs: - - name: helloworld-v1 - port: 5000 - weight: 90 - - name: helloworld-v2 - port: 5000 - weight: 10 diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml deleted file mode 100644 index fc218515..00000000 --- a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: helloworld-v1 -spec: - ports: - - port: 5000 - name: http - selector: - app: helloworld - version: v1 ---- -apiVersion: v1 -kind: Service -metadata: - name: helloworld-v2 -spec: - ports: - - port: 5000 - name: http - selector: - app: helloworld - version: v2 diff --git a/istio-1.18.2/samples/helloworld/gen-helloworld.sh b/istio-1.18.2/samples/helloworld/gen-helloworld.sh deleted file mode 100755 index 8634ddc7..00000000 --- a/istio-1.18.2/samples/helloworld/gen-helloworld.sh +++ /dev/null @@ -1,131 +0,0 @@ -#!/bin/bash -# -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -display_usage() { - echo - echo "USAGE: ./gen-helloworld.sh [--version] [--includeService value] [--includeDeployment value]" - echo " -h|--help: Prints usage information" - echo " --version: Specifies the version that will be returned by the helloworld service, default: 'v1'" - echo " --includeService: If 'true' the service will be included in the YAML, default: 'true'" - echo " --includeDeployment: If 'true' the deployment will be included in the YAML, default: 'true'" -} - -INCLUDE_SERVICE=${INCLUDE_SERVICE:-"true"} -INCLUDE_DEPLOYMENT=${INCLUDE_DEPLOYMENT:-"true"} -SERVICE_VERSION=${SERVICE_VERSION:-"v1"} -while (( "$#" )); do - case "$1" in - -h|--help) - display_usage - exit 0 - ;; - - --version) - SERVICE_VERSION=$2 - shift 2 - ;; - - --includeService) - INCLUDE_SERVICE=$2 - shift 2 - ;; - - --includeDeployment) - INCLUDE_DEPLOYMENT=$2 - shift 2 - ;; - - *) - echo "Error: Unsupported flag $1" >&2 - display_usage - exit 1 - ;; - esac -done - -SERVICE_YAML=$(cat </dev/null || true) -if [[ "${ENVOS}" != "Linux" ]]; then - echo "Your system is not supported by this script. Only Linux is supported" - exit 1 -fi - -# Check prerequisites -REQUISITES=("kubectl" "kind" "docker") -for item in "${REQUISITES[@]}"; do - if [[ -z $(which "${item}") ]]; then - echo "${item} cannot be found on your system, please install ${item}" - exit 1 - fi -done - -# Function to print the usage message -function printHelp() { - echo "Usage: " - echo " $0 --cluster-name cluster1 --k8s-release 1.22.1 --ip-space 255" - echo "" - echo "Where:" - echo " -n|--cluster-name - name of the k8s cluster to be created" - echo " -r|--k8s-release - the release of the k8s to setup, latest available if not given" - echo " -s|--ip-space - the 2rd to the last part for public ip addresses, 255 if not given, valid range: 0-255" - echo " -i|--ip-family - ip family to be supported, default is ipv4 only. Value should be ipv4, ipv6, or dual" - echo " -h|--help - print the usage of this script" -} - -# Setup default values -CLUSTERNAME="cluster1" -K8SRELEASE="" -IPSPACE=255 -IPFAMILY="ipv4" - -# Handling parameters -while [[ $# -gt 0 ]]; do - optkey="$1" - case $optkey in - -h|--help) - printHelp; exit 0;; - -n|--cluster-name) - CLUSTERNAME="$2"; shift 2;; - -r|--k8s-release) - K8SRELEASE="--image=kindest/node:v$2"; shift 2;; - -s|--ip-space) - IPSPACE="$2"; shift 2;; - -i|--ip-family) - IPFAMILY="${2,,}";shift 2;; - -m|--mode) - MODE="$2"; shift 2;; - *) # unknown option - echo "parameter $1 is not supported"; printHelp; exit 1;; - esac -done - -# This block is to setup kind to have a local image repo to push -# images using localhost:5000, to use this feature, start up -# a registry container such as gcr.io/istio-testing/registry, then -# connect it to the docker network where kind nodes are running on -# which normally will be called kind -FEATURES=$(cat << EOF -featureGates: - MixedProtocolLBService: true - GRPCContainerProbe: true -kubeadmConfigPatches: - - | - apiVersion: kubeadm.k8s.io/v1beta2 - kind: ClusterConfiguration - metadata: - name: config - etcd: - local: - # Run etcd in a tmpfs (in RAM) for performance improvements - dataDir: /tmp/kind-cluster-etcd - # We run single node, drop leader election to reduce overhead - controllerManagerExtraArgs: - leader-elect: "false" - schedulerExtraArgs: - leader-elect: "false" - apiServer: - extraArgs: - "service-account-issuer": "kubernetes.default.svc" - "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" -containerdConfigPatches: - - |- - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"] - endpoint = ["http://kind-registry:5000"] -EOF -) - -validIPFamilies=("ipv4" "ipv6" "dual") -# Validate if the ip family value is correct. -isValid="false" -for family in "${validIPFamilies[@]}"; do - if [[ "$family" == "${IPFAMILY}" ]]; then - isValid="true" - break - fi -done - -if [[ "${isValid}" == "false" ]]; then - echo "${IPFAMILY} is not valid ip family, valid values are ipv4, ipv6 or dual" - exit 1 -fi - -if [[ "${MODE}" == "ambient" ]]; then -NODES=$(cat << EOF -nodes: -- role: control-plane -- role: worker -- role: worker -EOF -) -else -NODES=$(cat << EOF -nodes: -- role: control-plane -EOF -) -fi - - -# Create k8s cluster using the giving release and name -if [[ -z "${K8SRELEASE}" ]]; then - cat << EOF | kind create cluster --config - -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -${FEATURES} -name: ${CLUSTERNAME} -${NODES} -networking: - ipFamily: ${IPFAMILY} -EOF -else - cat << EOF | kind create cluster "${K8SRELEASE}" --config - -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -${FEATURES} -name: ${CLUSTERNAME} -${NODES} -networking: - ipFamily: ${IPFAMILY} -EOF -fi - -# Setup cluster context -kubectl cluster-info --context "kind-${CLUSTERNAME}" - -# Setup metallb using v0.13.6 -kubectl apply -f https://github.com/raw/metallb/metallb/v0.13.6/config/manifests/metallb-native.yaml - -addrName="IPAddress" -ipv4Prefix="" -ipv6Prefix="" - -# Get both ipv4 and ipv6 gateway for the cluster -gatewaystr=$(docker network inspect -f '{{range .IPAM.Config }}{{ .Gateway }} {{end}}' kind | cut -f1,2) -read -r -a gateways <<< "${gatewaystr}" -for gateway in "${gateways[@]}"; do - if [[ "$gateway" == *"."* ]]; then - ipv4Prefix=$(echo "${gateway}" |cut -d'.' -f1,2) - else - ipv6Prefix=$(echo "${gateway}" |cut -d':' -f1,2,3,4) - fi -done - -if [[ "${IPFAMILY}" == "ipv4" ]]; then - addrName="IPAddress" - ipv4Range="- ${ipv4Prefix}.$IPSPACE.200-${ipv4Prefix}.$IPSPACE.240" - ipv6Range="" -elif [[ "${IPFAMILY}" == "ipv6" ]]; then - ipv4Range="" - ipv6Range="- ${ipv6Prefix}::$IPSPACE:200-${ipv6Prefix}::$IPSPACE:240" - addrName="GlobalIPv6Address" -else - ipv4Range="- ${ipv4Prefix}.$IPSPACE.200-${ipv4Prefix}.$IPSPACE.240" - ipv6Range="- ${ipv6Prefix}::$IPSPACE:200-${ipv6Prefix}::$IPSPACE:240" -fi - -# utility function to wait for pods to be ready -function waitForPods() { - ns=$1 - lb=$2 - waittime=$3 - # Wait for the pods to be ready in the given namespace with lable - while : ; do - res=$(kubectl wait --context "kind-${CLUSTERNAME}" -n "${ns}" pod \ - -l "${lb}" --for=condition=Ready --timeout="${waittime}s" 2>/dev/null ||true) - if [[ "${res}" == *"condition met"* ]]; then - break - fi - echo "Waiting for pods in namespace ${ns} with label ${lb} to be ready..." - sleep "${waittime}" - done -} - -waitForPods metallb-system app=metallb 10 - -# Now configure the loadbalancer public IP range -cat <&2 - exit 1 - ;; - esac -done - - -# single-cluster installations may need this gateway to allow VMs to get discovery -# for non-single cluster, we add additional topology information -SINGLE_CLUSTER="${SINGLE_CLUSTER:-0}" -if [[ "${SINGLE_CLUSTER}" -eq 0 ]]; then - if [[ -z "${NETWORK:-}" ]]; then - echo "Must specify either --single-cluster or --network." - exit 1 - fi -fi - -# base -IOP=$(cat < apply -f ../otel.yaml -``` - -In this example, we use `otel-collector` as the namespace to deploy the `otel-collector` backend: - -```ba -kubectl -n otel-collector apply -f ../otel.yaml -``` - -The otel-collector will create a grpc receiver on port `4317`, and later the sidecars will report trace information to this grpc port. You can find more details from [here](https://github.com/open-telemetry/opentelemetry-collector). - -Below is the configuration: - -```yaml -receivers: - otlp: - protocols: - grpc: - http: -processors: - batch: -exporters: - logging: - loglevel: debug -service: - pipelines: - logs: - receivers: [otlp] - processors: [batch] - exporters: [logging] -``` - -In this example, `Jaeger` is the exporter for gathering the traces. Assuming you have already deployed Jaeger as your tracing system with [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation, you are good to go to the next steps. If you already have your own `Jaeger` deployed, you may need to modify the otel collector config. The configmap name is `opentelemetry-collector-conf` in the namespace you deployed the otel collector, and the related config is defined as: - -```yaml -exporters: - jaeger: - endpoint: jaeger-collector.istio-system.svc.cluster.local:14250 - tls: - insecure: true - sending_queue: - enabled: true - retry_on_failure: - enabled: true -service: - pipelines: - traces: - exporters: - - jaeger -``` - -You need to modify the jaeger exporter endpoint with the one you deployed, in this case it's `jaeger-collector.istio-system.svc.cluster.local:14250`. - -If you have not deployed the `Jaeger` service, you can follow [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation to install the service. - -You may also choose any existing tracing system if you have, and you should change the exporter settings in the configmap mentioned above. - -You may also choose to use your own otel collector if you have, and the key part is to have the `otlp` grpc protocol receiver to receive the traces. One important thing is to make sure your otel collector service's grpc port starts with `grpc-` prefix, which is like: - -```ya -spec: - ports: - - name: grpc-otlp - port: 4317 - protocol: TCP - targetPort: 4317 -``` - -Otherwise the traces may not be reported. - -## Update mesh config - -Install or update Istio with the `demo` profile to make sure you have the OpenTelemetry tracing provider enabled: - -```bash -istioctl install --set profile=demo -y -``` - -Or ensure you have the following additional mesh config set in your Istio: - -```yaml -mesh: |- - extensionProviders: - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.otel-collector.svc.cluster.local -``` - -Make sure the service name matches the one you deployed if you select a different namespace. - -## Apply the Telemetry resource to report traces - -Next, add a Telemetry resource that tells Istio to send trace records to the OpenTelemetry collector. - -```yaml -kubectl -n otel-collector apply -f ./telemetry.yaml -``` - -The core config is: - -```yaml -tracing: -- providers: - - name: otel-tracing - randomSamplingPercentage: 0 -``` - -As you see, the `randomSamplingPercentage` is 0, which means the tracing is still not enabled because of `0` sampling percentage. The tracing can be opt-on by increasing the `randomSamplingPercentage` value to `1-100`. The `Telemetry` resource can also be manipulated in workload/namespace/global levels, you can check [here](https://istio.io/latest/docs/reference/config/telemetry/) for more config examples. - -## Check tracing results - -If you have followed [this](https://istio.io/latest/docs/setup/getting-started/) getting started steps, you have the sample bookinfo applications installed. Try to make some requests to the productpage to generate some traces. - -Then open up the `Jaeger` dashboard with: - -```bash -istioctl dashboard jaeger -``` - -You will see the requests' trace records. - -## Cleanup - -```bash -kubectl -n otel-collector delete -f ./telemetry.yaml -kubectl -n otel-collector delete -f ../otel.yaml -``` diff --git a/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml b/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml deleted file mode 100644 index fd831a2b..00000000 --- a/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: telemetry.istio.io/v1alpha1 -kind: Telemetry -metadata: - name: otel-demo -spec: - tracing: - - providers: - - name: otel-tracing - randomSamplingPercentage: 0 diff --git a/istio-1.18.2/samples/operator/cni-on.yaml b/istio-1.18.2/samples/operator/cni-on.yaml deleted file mode 100644 index ae850b4d..00000000 --- a/istio-1.18.2/samples/operator/cni-on.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - cni: - enabled: true diff --git a/istio-1.18.2/samples/operator/default-install.yaml b/istio-1.18.2/samples/operator/default-install.yaml deleted file mode 100644 index 65a4d9b6..00000000 --- a/istio-1.18.2/samples/operator/default-install.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: istio-system - name: istio-operator -spec: - profile: default - diff --git a/istio-1.18.2/samples/operator/pilot-advanced-override.yaml b/istio-1.18.2/samples/operator/pilot-advanced-override.yaml deleted file mode 100644 index 4b57fd84..00000000 --- a/istio-1.18.2/samples/operator/pilot-advanced-override.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - pilot: - k8s: - overlays: - - kind: Deployment - name: istiod - patches: - - path: spec.template.spec.containers.[name:discovery].args.[30m] - value: "60m" # OVERRIDDEN - - path: spec.template.spec.containers.[name:discovery].ports.[containerPort:8080].containerPort - value: 8090 # OVERRIDDEN - - kind: Service - name: istiod - patches: - - path: spec.ports.[name:grpc-xds].port - value: 15099 # OVERRIDDEN diff --git a/istio-1.18.2/samples/operator/pilot-k8s.yaml b/istio-1.18.2/samples/operator/pilot-k8s.yaml deleted file mode 100644 index 081f55ed..00000000 --- a/istio-1.18.2/samples/operator/pilot-k8s.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - pilot: - k8s: - resources: - requests: - cpu: 1000m # override from default 500m - memory: 4096Mi # ... default 2048Mi - hpaSpec: - maxReplicas: 10 # ... default 5 - minReplicas: 2 # ... default 1 diff --git a/istio-1.18.2/samples/operator/values-global.yaml b/istio-1.18.2/samples/operator/values-global.yaml deleted file mode 100644 index 8726f27e..00000000 --- a/istio-1.18.2/samples/operator/values-global.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - values: - global: - logging: - level: "default:warning" # override from info diff --git a/istio-1.18.2/samples/operator/values-pilot.yaml b/istio-1.18.2/samples/operator/values-pilot.yaml deleted file mode 100644 index bca6c2ee..00000000 --- a/istio-1.18.2/samples/operator/values-pilot.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - values: - pilot: - traceSampling: 0.1 # override from 1.0 diff --git a/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml b/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml deleted file mode 100644 index cfda9c76..00000000 --- a/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml +++ /dev/null @@ -1,151 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Redis service and deployment -# Ratelimit service and deployment - -# Note: a configmap is needed to make the rate limit deployment work properly, for example: -# -# apiVersion: v1 -# kind: ConfigMap -# metadata: -# name: ratelimit-config -# data: -# config.yaml: | -# domain: echo-ratelimit -# descriptors: -# - key: PATH -# value: "/" -# rate_limit: -# unit: minute -# requests_per_unit: 1 -# - key: PATH -# rate_limit: -# unit: minute -# requests_per_unit: 100 -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: redis - labels: - app: redis -spec: - ports: - - name: redis - port: 6379 - selector: - app: redis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis -spec: - replicas: 1 - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - spec: - containers: - - image: redis:alpine - imagePullPolicy: Always - name: redis - ports: - - name: redis - containerPort: 6379 - restartPolicy: Always - serviceAccountName: "" ---- -apiVersion: v1 -kind: Service -metadata: - name: ratelimit - labels: - app: ratelimit -spec: - ports: - - name: http-port - port: 8080 - targetPort: 8080 - protocol: TCP - - name: grpc-port - port: 8081 - targetPort: 8081 - protocol: TCP - - name: http-debug - port: 6070 - targetPort: 6070 - protocol: TCP - selector: - app: ratelimit ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratelimit -spec: - replicas: 1 - selector: - matchLabels: - app: ratelimit - strategy: - type: Recreate - template: - metadata: - labels: - app: ratelimit - spec: - containers: - - image: envoyproxy/ratelimit:9d8d70a8 # 2022/08/16 - imagePullPolicy: Always - name: ratelimit - command: ["/bin/ratelimit"] - env: - - name: LOG_LEVEL - value: debug - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - value: redis:6379 - - name: USE_STATSD - value: "false" - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: HOST - value: "::" - - name: GRPC_HOST - value: "::" - ports: - - containerPort: 8080 - - containerPort: 8081 - - containerPort: 6070 - volumeMounts: - - name: config-volume - mountPath: /data/ratelimit/config - volumes: - - name: config-volume - configMap: - name: ratelimit-config diff --git a/istio-1.18.2/samples/security/psp/sidecar-psp.yaml b/istio-1.18.2/samples/security/psp/sidecar-psp.yaml deleted file mode 100644 index f9612d6b..00000000 --- a/istio-1.18.2/samples/security/psp/sidecar-psp.yaml +++ /dev/null @@ -1,46 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: istio-sidecar -spec: - # Allow the istio sidecar injector to work - allowedCapabilities: - - NET_ADMIN - - NET_RAW - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - runAsUser: - rule: RunAsAny - fsGroup: - rule: RunAsAny - volumes: - - '*' ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: istio-sidecar-psp -rules: - - apiGroups: - - extensions - resources: - - podsecuritypolicies - resourceNames: - - istio-sidecar - verbs: - - use ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-sidecar-psp -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-sidecar-psp -subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:serviceaccounts diff --git a/istio-1.18.2/samples/security/spire/README.md b/istio-1.18.2/samples/security/spire/README.md deleted file mode 100644 index b3e1978f..00000000 --- a/istio-1.18.2/samples/security/spire/README.md +++ /dev/null @@ -1,90 +0,0 @@ -# Integrating SPIRE as a CA through Envoy's SDS API - -This sample deploys a setup of [SPIRE](https://github.com/spiffe/spire) (the SPIFFE Runtime Environment) as an example of integrating with [Envoy's SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) API. For more information -on the SPIFFE specs, refer to the [SPIFFE Overview](https://spiffe.io/docs/latest/spiffe-about/overview/). - -Once SPIRE is deployed and integrated with Istio, this sample deploys a modified version of the [sleep](/samples/sleep/README.md) service and validates that its [identity](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-verifiable-identity-document-svid) was issued by SPIRE. Workload registration is handled by the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager). - -See [Istio CA Integration with SPIRE](https://istio.io/latest/docs/ops/integrations/spire) for further details about this integration. - -## Deploy the integration - -1. Deploy SPIRE. For proper socket injection, this **must** be done prior to installing Istio in your cluster: - - ```bash - $ kubectl apply -f spire-quickstart.yaml - ``` - -1. Ensure that the deployment is completed before moving to the next step. This can be verified by waiting on the `spire-agent` pod to become ready: - - ```bash - $ kubectl wait pod --for=condition=ready -n spire -l app=spire-agent - ``` - -1. Use the configuration profile provided to install Istio (requires istioctl v1.14+): - - ```bash - $ istioctl install -f istio-spire-config.yaml - ``` - -1. Create a ClusterSPIFFEID to create a registration entry for all workloads with the `spiffe.io/spire-managed-identity: true` label: - - ```bash - $ kubectl apply -f clusterspiffeid.yaml - ``` - -1. Add the `spiffe.io/spire-managed-identity: true` label to the Ingress-gateway Deployment: - - ```bash - $ kubectl patch deployment istio-ingressgateway -n istio-system -p '{"spec":{"template":{"metadata":{"labels":{"spiffe.io/spire-managed-identity": "true"}}}}}' - ``` - -1. Deploy the `sleep-spire.yaml` version of the [sleep](/samples/sleep/README.md) service, which injects the custom istio-agent template defined in `istio-spire-config.yaml` and has the `spiffe.io/spire-managed-identity: true` label. - - If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled: - - ```bash - $ kubectl apply -f sleep-spire.yaml - ``` - - Otherwise, manually inject the sidecar before applying: - - ```bash - $ kubectl apply -f <(istioctl kube-inject -f sleep-spire.yaml) - ``` - -1. Retrieve sleep's SVID identity document using the `istioctl proxy-config secret` command: - - ```bash - $ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}") - $ istioctl pc secret $SLEEP_POD -o json | jq -r \ - '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem - ``` - -1. Inspect the certificate content and verify that SPIRE was the issuer: - - ```bash - $ openssl x509 -in chain.pem -text | grep SPIRE - Subject: C = US, O = SPIRE, CN = sleep-5d6df95bbf-kt2tt - ``` - -## Tear down - -1. Delete all deployments and configurations for the SPIRE Agent, Server, and namespace: - - ```bash - $ kubectl delete namespace spire - ``` - -1. Delete the ClusterRole, ClusterRoleBinding, Role, RoleBindings, ValidatingWebhookConfiguration, CSIDriver, and CustomResourceDefinition: - - ```bash - $ kubectl delete clusterrole spire-server-cluster-role spire-agent-cluster-role manager-role - $ kubectl delete clusterrolebinding spire-server-cluster-role-binding spire-agent-cluster-role-binding manager-role-binding - $ kubectl delete role spire-server-role leader-election-role - $ kubectl delete rolebinding spire-server-role-binding leader-election-role-binding - $ kubectl delete ValidatingWebhookConfiguration spire-controller-manager-webhook - $ kubectl delete csidriver csi.spiffe.io - $ kubectl delete CustomResourceDefinition clusterspiffeids.spire.spiffe.io - $ kubectl delete CustomResourceDefinition clusterfederatedtrustdomains.spire.spiffe.io - ``` diff --git a/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml b/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml deleted file mode 100644 index bf67989e..00000000 --- a/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: example -spec: - spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" - podSelector: - matchLabels: - spiffe.io/spire-managed-identity: "true" diff --git a/istio-1.18.2/samples/security/spire/istio-spire-config.yaml b/istio-1.18.2/samples/security/spire/istio-spire-config.yaml deleted file mode 100644 index 812c65ec..00000000 --- a/istio-1.18.2/samples/security/spire/istio-spire-config.yaml +++ /dev/null @@ -1,70 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: istio-system -spec: - profile: default - meshConfig: - trustDomain: example.org - values: - global: - # This is used to customize the sidecar template - sidecarInjectorWebhook: - templates: - spire: | - spec: - containers: - - name: istio-proxy - volumeMounts: - - name: workload-socket - mountPath: /run/secrets/workload-spiffe-uds - readOnly: true - volumes: - - name: workload-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - components: - ingressGateways: - - name: istio-ingressgateway - enabled: true - label: - istio: ingressgateway - k8s: - overlays: - - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway - patches: - - path: spec.template.spec.volumes.[name:workload-socket] - value: - name: workload-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket] - value: - name: workload-socket - mountPath: "/run/secrets/workload-spiffe-uds" - readOnly: true - - path: spec.template.spec.initContainers - value: - - name: wait-for-spire-socket - image: busybox:1.28 - volumeMounts: - - name: workload-socket - mountPath: /run/secrets/workload-spiffe-uds - readOnly: true - env: - - name: CHECK_FILE - value: /run/secrets/workload-spiffe-uds/socket - command: - - sh - - "-c" - - |- - echo `date -Iseconds` Waiting for: ${CHECK_FILE} - while [[ ! -e ${CHECK_FILE} ]] ; do - echo `date -Iseconds` File does not exist: ${CHECK_FILE} - sleep 15 - done - ls -l ${CHECK_FILE} diff --git a/istio-1.18.2/samples/security/spire/sleep-spire.yaml b/istio-1.18.2/samples/security/spire/sleep-spire.yaml deleted file mode 100644 index d1e1673f..00000000 --- a/istio-1.18.2/samples/security/spire/sleep-spire.yaml +++ /dev/null @@ -1,70 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Sleep service -################################################################################################## -apiVersion: v1 -kind: ServiceAccount -metadata: - name: sleep ---- -apiVersion: v1 -kind: Service -metadata: - name: sleep - labels: - app: sleep - service: sleep -spec: - ports: - - port: 80 - name: http - selector: - app: sleep ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sleep -spec: - replicas: 1 - selector: - matchLabels: - app: sleep - template: - metadata: - labels: - app: sleep - spiffe.io/spire-managed-identity: "true" - # Injects custom sidecar template - annotations: - inject.istio.io/templates: "sidecar,spire" - spec: - terminationGracePeriodSeconds: 0 - serviceAccountName: sleep - containers: - - name: sleep - image: curlimages/curl - command: ["/bin/sleep", "infinity"] - imagePullPolicy: IfNotPresent - volumeMounts: - - name: tmp - mountPath: /tmp - securityContext: - runAsUser: 1000 - volumes: - - name: tmp - emptyDir: {} ---- \ No newline at end of file diff --git a/istio-1.18.2/samples/security/spire/spire-quickstart.yaml b/istio-1.18.2/samples/security/spire/spire-quickstart.yaml deleted file mode 100644 index cff84d0d..00000000 --- a/istio-1.18.2/samples/security/spire/spire-quickstart.yaml +++ /dev/null @@ -1,985 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: spire - ---- -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: "csi.spiffe.io" -spec: - # Only ephemeral, inline volumes are supported. There is no need for a - # controller to provision and attach volumes. - attachRequired: false - - # Request the pod information which the CSI driver uses to verify that an - # ephemeral mount was requested. - podInfoOnMount: true - - # Don't change ownership on the contents of the mount since the Workload API - # Unix Domain Socket is typically open to all (i.e. 0777). - fsGroupPolicy: None - - # Declare support for ephemeral volumes only. - volumeLifecycleModes: - - Ephemeral - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server - namespace: spire - ---- -# ConfigMap for spire-agent bootstrapping. -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-bundle - namespace: spire - ---- -# ClusterRole to allow spire-server to query k8s API server. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-cluster-role -rules: - # allow TokenReview requests (to verify service account tokens for PSAT - # attestation) -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["get", "create"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - ---- -# Binds above cluster role to spire-server service account. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-cluster-role-binding -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire -roleRef: - kind: ClusterRole - name: spire-server-cluster-role - apiGroup: rbac.authorization.k8s.io - ---- -# Role for the SPIRE server. -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - namespace: spire - name: spire-server-role -rules: - # allow "get" access to pods (to resolve selectors for PSAT attestation) -- apiGroups: [""] - resources: ["pods"] - verbs: ["get"] - # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE - # agent bootstrapping, see the spire-bundle ConfigMap) -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["spire-bundle"] - verbs: ["get", "patch"] - ---- -# RoleBinding granting the spire-server-role to the SPIRE server -# service account. -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-role-binding - namespace: spire -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire -roleRef: - kind: Role - name: spire-server-role - apiGroup: rbac.authorization.k8s.io - ---- -# ClusterRules for the SPIRE Controller Manager. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: manager-role -rules: - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "patch", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/status"] - verbs: ["get", "patch", "update"] - ---- -# Binds manager-role cluster role to spire-server service account. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: manager-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: manager-role -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire - ---- -# Permissions for the SPIRE server to do leader election. -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: leader-election-role - namespace: spire -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - ---- -# Binds leader-election-role to spire-server service account. -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: leader-election-role-binding - namespace: spire -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: leader-election-role -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire - ---- -# ConfigMap containing the SPIRE server configuration. -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-server - namespace: spire -data: - server.conf: | - server { - bind_address = "0.0.0.0" - bind_port = "8081" - trust_domain = "example.org" - data_dir = "/run/spire/server/data" - log_level = "DEBUG" - federation { - bundle_endpoint { - address = "0.0.0.0" - port = 8443 - } - } - } - - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "/run/spire/server/data/datastore.sqlite3" - } - } - - NodeAttestor "k8s_psat" { - plugin_data { - clusters = { - # NOTE: Change this to your cluster name - "demo-cluster" = { - service_account_allow_list = ["spire:spire-agent"] - } - } - } - } - - KeyManager "disk" { - plugin_data { - keys_path = "/run/spire/server/data/keys.json" - } - } - - Notifier "k8sbundle" { - plugin_data { - namespace = "spire" - } - } - } - - health_checks { - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } - ---- -# Configuration for the SPIRE Controller Manager. -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-controller-manager-config - namespace: spire -data: - spire-controller-manager-config.yaml: | - apiVersion: spire.spiffe.io/v1alpha1 - kind: ControllerManagerConfig - metrics: - bindAddress: 127.0.0.1:8082 - healthProbe: - bindAddress: 127.0.0.1:8083 - leaderElection: - leaderElect: true - resourceName: 98c9c988.spiffe.io - resourceNamespace: spire - clusterName: demo-cluster - trustDomain: example.org - ignoreNamespaces: - - kube-system - - kube-public - - spire - - local-path-storage - ---- -# SPIRE Server Deployment. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: spire-server - namespace: spire - labels: - app: spire-server -spec: - replicas: 1 - selector: - matchLabels: - app: spire-server - template: - metadata: - namespace: spire - labels: - app: spire-server - spec: - serviceAccountName: spire-server - shareProcessNamespace: true - containers: - - name: spire-server - image: ghcr.io/spiffe/spire-server:1.5.4 - imagePullPolicy: IfNotPresent - args: - - -config - - /run/spire/server/config/server.conf - livenessProbe: - httpGet: - path: /live - port: 8080 - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 - ports: - - containerPort: 8081 - volumeMounts: - - name: spire-config - mountPath: /run/spire/server/config - readOnly: true - - name: spire-server-socket - mountPath: /tmp/spire-server/private - readOnly: false - - name: spire-controller-manager - image: ghcr.io/spiffe/spire-controller-manager:0.2.3 - imagePullPolicy: IfNotPresent - args: - - "--config=spire-controller-manager-config.yaml" - ports: - - containerPort: 9443 - volumeMounts: - - name: spire-server-socket - mountPath: /spire-server - readOnly: true - - name: spire-controller-manager-config - mountPath: /spire-controller-manager-config.yaml - subPath: spire-controller-manager-config.yaml - volumes: - - name: spire-config - configMap: - name: spire-server - - name: spire-server-socket - emptyDir: {} - - name: spire-controller-manager-config - configMap: - name: spire-controller-manager-config - ---- -# Service definition for SPIRE server defining the gRPC port. -apiVersion: v1 -kind: Service -metadata: - name: spire-server - namespace: spire -spec: - type: NodePort - ports: - - name: grpc - port: 8081 - targetPort: 8081 - protocol: TCP - selector: - app: spire-server - ---- -# Service definition for SPIRE server bundle endpoint. -apiVersion: v1 -kind: Service -metadata: - name: spire-server-bundle-endpoint - namespace: spire -spec: - type: NodePort - ports: - - name: tcp-api - port: 8443 - protocol: TCP - selector: - app: spire-server - ---- -# Service definition for SPIRE controller manager webhook. -apiVersion: v1 -kind: Service -metadata: - name: spire-controller-manager-webhook-service - namespace: spire -spec: - ports: - - name: tcp - port: 443 - protocol: TCP - targetPort: 9443 - selector: - app: spire-server - ---- -# ClusterFederatedTrustDomains CRD. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: clusterfederatedtrustdomains.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterFederatedTrustDomain - listKind: ClusterFederatedTrustDomainList - plural: clusterfederatedtrustdomains - singular: clusterfederatedtrustdomain - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.trustDomain - name: Trust Domain - type: string - - jsonPath: .spec.bundleEndpointURL - name: Endpoint URL - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterFederatedTrustDomainSpec defines the desired state - of ClusterFederatedTrustDomain - properties: - bundleEndpointProfile: - description: BundleEndpointProfile is the profile for the bundle endpoint. - properties: - endpointSPIFFEID: - description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. - It is required for the "https_spiffe" profile. - type: string - type: - description: Type is the type of the bundle endpoint profile. - enum: - - https_spiffe - - https_web - type: string - required: - - type - type: object - bundleEndpointURL: - description: BundleEndpointURL is the URL of the bundle endpoint. - It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). - type: string - trustDomain: - description: TrustDomain is the name of the trust domain to federate - with (e.g. example.org) - pattern: '[a-z0-9._-]{1,255}' - type: string - trustDomainBundle: - description: TrustDomainBundle is the contents of the bundle for the - referenced trust domain. This field is optional when the resource - is created. - type: string - required: - - bundleEndpointProfile - - bundleEndpointURL - - trustDomain - type: object - status: - description: ClusterFederatedTrustDomainStatus defines the observed state - of ClusterFederatedTrustDomain - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# ClusterSPIFFEID CRD. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: clusterspiffeids.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterSPIFFEID - listKind: ClusterSPIFFEIDList - plural: clusterspiffeids - singular: clusterspiffeid - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSPIFFEID is the Schema for the clusterspiffeids API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID - properties: - admin: - description: Admin indicates whether or not the SVID can be used to - access the SPIRE administrative APIs. Extra care should be taken - to only apply this SPIFFE ID to admin workloads. - type: boolean - dnsNameTemplates: - description: DNSNameTemplate represents templates for extra DNS names - that are applicable to SVIDs minted for this ClusterSPIFFEID. The - node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - downstream: - description: Downstream indicates that the entry describes a downstream SPIRE server. - type: boolean - federatesWith: - description: FederatesWith is a list of trust domain names that workloads - that obtain this SPIFFE ID will federate with. - items: - type: string - type: array - namespaceSelector: - description: NamespaceSelector selects the namespaces that are targeted - by this CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - podSelector: - description: PodSelector selects the pods that are targeted by this - CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - spiffeIDTemplate: - description: SPIFFEID is the SPIFFE ID template. The node and pod - spec are made available to the template under .NodeSpec, .PodSpec - respectively. - type: string - ttl: - description: TTL indicates an upper-bound time-to-live for SVIDs minted - for this ClusterSPIFFEID. If unset, a default will be chosen. - type: string - workloadSelectorTemplates: - description: WorkloadSelectorTemplates are templates to produce arbitrary - workload selectors that apply to a given workload before it will - receive this SPIFFE ID. The rendered value is interpreted by SPIRE - and are of the form type:value, where the value may, and often does, - contain semicolons, .e.g., k8s:container-image:docker/hello-world - The node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - required: - - spiffeIDTemplate - type: object - status: - description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID - properties: - stats: - description: Stats produced by the last entry reconciliation run - properties: - entriesMasked: - description: How many entries were masked by entries for other - ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs - produce an entry for the same pod with the same set of workload - selectors. - type: integer - entriesToSet: - description: How many entries are to be set for this ClusterSPIFFEID. - In nominal conditions, this should reflect the number of pods - selected, but not always if there were problems encountered - rendering an entry for the pod (RenderFailures) or entries are - masked (EntriesMasked). - type: integer - entryFailures: - description: How many entries were unable to be set due to failures - to create or update the entries via the SPIRE Server API. - type: integer - namespacesIgnored: - description: How many (selected) namespaces were ignored (based - on configuration). - type: integer - namespacesSelected: - description: How many namespaces were selected. - type: integer - podEntryRenderFailures: - description: How many failures were encountered rendering an entry - selected pods. This could be due to either a bad template in - the ClusterSPIFFEID or Pod metadata that when applied to the - template did not produce valid entry values. - type: integer - podsSelected: - description: How many pods were selected out of the namespaces. - type: integer - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# ValidatingWebhookConfiguration for validating ClusterSPIFFEID and -# ClusterFederatedTrustDomain custom resources. -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: spire-controller-manager-webhook -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook-service - namespace: spire - path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain - failurePolicy: Fail - name: vclusterfederatedtrustdomain.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterfederatedtrustdomains"] - sideEffects: None - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook-service - namespace: spire - path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid - failurePolicy: Fail - name: vclusterspiffeid.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterspiffeids"] - sideEffects: None - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-agent - namespace: spire - ---- -# Required cluster role to allow spire-agent to query k8s API server. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role -rules: -- apiGroups: [""] - resources: ["pods","nodes","nodes/proxy"] - verbs: ["get"] - ---- -# Binds above cluster role to spire-agent service account. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role-binding -subjects: -- kind: ServiceAccount - name: spire-agent - namespace: spire -roleRef: - kind: ClusterRole - name: spire-agent-cluster-role - apiGroup: rbac.authorization.k8s.io - ---- -# ConfigMap for the SPIRE agent featuring: -# 1) PSAT node attestation -# 2) K8S Workload Attestation over the secure kubelet port -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: spire -data: - agent.conf: | - agent { - data_dir = "/run/spire" - log_level = "DEBUG" - server_address = "spire-server" - server_port = "8081" - socket_path = "/run/secrets/workload-spiffe-uds/socket" - trust_bundle_path = "/run/spire/bundle/bundle.crt" - trust_domain = "example.org" - } - - plugins { - NodeAttestor "k8s_psat" { - plugin_data { - # NOTE: Change this to your cluster name - cluster = "demo-cluster" - } - } - - KeyManager "memory" { - plugin_data { - } - } - - WorkloadAttestor "k8s" { - plugin_data { - # Defaults to the secure kubelet port by default. - # Minikube does not have a cert in the cluster CA bundle that - # can authenticate the kubelet cert, so skip validation. - skip_kubelet_verification = true - - # We need to set disable_container_selectors = true if we make holdApplicationUntilProxyStarts = true in istio - # see https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig - # If true, container selectors are not produced. - # This can be used to produce pod selectors when the workload pod is known - # but the workload container is not ready at the time of attestation. - # disable_container_selectors = true - } - } - - WorkloadAttestor "unix" { - plugin_data { - } - } - - } - ---- -# SPIRE Agent DaemonSet. -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-agent - namespace: spire - labels: - app: spire-agent -spec: - selector: - matchLabels: - app: spire-agent - template: - metadata: - namespace: spire - labels: - app: spire-agent - spec: - hostPID: true - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: spire-agent - containers: - - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.2.3 - imagePullPolicy: IfNotPresent - args: ["-config", "/run/spire/config/agent.conf"] - volumeMounts: - - name: spire-config - mountPath: /run/spire/config - readOnly: true - - name: spire-bundle - mountPath: /run/spire/bundle - readOnly: true - - name: spire-agent-socket-dir - mountPath: /run/secrets/workload-spiffe-uds - - name: spire-token - mountPath: /var/run/secrets/tokens - # This is the container which runs the SPIFFE CSI driver. - - name: spiffe-csi-driver - image: ghcr.io/spiffe/spiffe-csi-driver:0.2.0 - imagePullPolicy: IfNotPresent - args: [ - "-workload-api-socket-dir", "/spire-agent-socket", - "-csi-socket-path", "/spiffe-csi/csi.sock", - ] - env: - # The CSI driver needs a unique node ID. The node name can be - # used for this purpose. - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - # The volume containing the SPIRE agent socket. The SPIFFE CSI - # driver will mount this directory into containers. - - mountPath: /spire-agent-socket - name: spire-agent-socket-dir - readOnly: true - # The volume that will contain the CSI driver socket shared - # with the kubelet and the driver registrar. - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The volume containing mount points for containers. - - mountPath: /var/lib/kubelet/pods - mountPropagation: Bidirectional - name: mountpoint-dir - securityContext: - privileged: true - # This container runs the CSI Node Driver Registrar which takes care - # of all the little details required to register a CSI driver with - # the kubelet. - - name: node-driver-registrar - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.4.0 - imagePullPolicy: IfNotPresent - args: [ - "-csi-address", "/spiffe-csi/csi.sock", - "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", - ] - volumeMounts: - # The registrar needs access to the SPIFFE CSI driver socket - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The registrar needs access to the Kubelet plugin registration - # directory - - name: kubelet-plugin-registration-dir - mountPath: /registration - volumes: - - name: spire-config - configMap: - name: spire-agent - - name: spire-bundle - configMap: - name: spire-bundle - - name: spire-token - projected: - sources: - - serviceAccountToken: - path: spire-agent - expirationSeconds: 7200 - audience: spire-server - # This volume is used to share the workload api socket between the - # CSI driver and SPIRE agent - - name: spire-agent-socket-dir - emptyDir: {} - # This volume is where the socket for kubelet->driver communication lives - - name: spiffe-csi-socket-dir - hostPath: - path: /var/lib/kubelet/plugins/csi.spiffe.io - type: DirectoryOrCreate - # This volume is where the SPIFFE CSI driver mounts volumes - - name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/pods - type: Directory - # This volume is where the node-driver-registrar registers the plugin - # with kubelet - - name: kubelet-plugin-registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry - type: Directory diff --git a/istio-1.18.2/samples/sleep/README.md b/istio-1.18.2/samples/sleep/README.md deleted file mode 100644 index 045df5c5..00000000 --- a/istio-1.18.2/samples/sleep/README.md +++ /dev/null @@ -1,37 +0,0 @@ -# Simple sleep service - -This sample consists of a simple service that does nothing but sleep. -It's a ubuntu container with curl installed that can be used as a request source for invoking other services -to experiment with Istio networking. - -To use it: - -1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/). - -1. Start the sleep service: - - If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled: - - ```bash - kubectl apply -f sleep.yaml - ``` - - Otherwise manually inject the sidecars before applying: - - ```bash - kubectl apply -f <(istioctl kube-inject -f sleep.yaml) - ``` - -1. Start some other services, for example, the [Bookinfo sample](https://istio.io/docs/examples/bookinfo/). - - Now you can `kubectl exec` into the sleep service to experiment with Istio networking. - For example, the following commands can be used to call the Bookinfo `ratings` service: - - ```bash - export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) - kubectl exec -it $SLEEP_POD -c sleep -- curl http://ratings.default.svc.cluster.local:9080/ratings/1 - {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}} - ``` - -You can also use the sleep service to test accessing services outside of the mesh. -See [configuring egress](https://istio.io/docs/tasks/traffic-management/egress/) for details. diff --git a/istio-1.18.2/samples/sleep/notsleep.yaml b/istio-1.18.2/samples/sleep/notsleep.yaml deleted file mode 100644 index 898d4ab4..00000000 --- a/istio-1.18.2/samples/sleep/notsleep.yaml +++ /dev/null @@ -1,78 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Notsleep service - based on the sleep service but has its own identity and affinity rule -################################################################################################## -apiVersion: v1 -kind: ServiceAccount -metadata: - name: notsleep ---- -apiVersion: v1 -kind: Service -metadata: - name: notsleep - labels: - app: notsleep - service: notsleep -spec: - ports: - - port: 80 - name: http - selector: - app: notsleep ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: notsleep -spec: - replicas: 1 - selector: - matchLabels: - app: notsleep - template: - metadata: - labels: - app: notsleep - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - productpage - topologyKey: kubernetes.io/hostname - terminationGracePeriodSeconds: 0 - serviceAccountName: notsleep - containers: - - name: notsleep - image: curlimages/curl - command: ["/bin/sleep", "3650d"] - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /etc/sleep/tls - name: secret-volume - volumes: - - name: secret-volume - secret: - secretName: notsleep-secret - optional: true ---- diff --git a/istio-1.18.2/samples/sleep/sleep-vault.yaml b/istio-1.18.2/samples/sleep/sleep-vault.yaml deleted file mode 100644 index b31196cf..00000000 --- a/istio-1.18.2/samples/sleep/sleep-vault.yaml +++ /dev/null @@ -1,57 +0,0 @@ -# Copyright 2019 Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Sleep service -################################################################################################## -apiVersion: v1 -kind: ServiceAccount -metadata: - name: sleep ---- -apiVersion: v1 -kind: Service -metadata: - name: sleep - labels: - app: sleep - service: sleep -spec: - ports: - - port: 80 - name: http - selector: - app: sleep ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sleep -spec: - replicas: 1 - selector: - matchLabels: - app: sleep - template: - metadata: - labels: - app: sleep - spec: - serviceAccountName: vault-citadel-sa - containers: - - name: sleep - image: curlimages/curl - command: ["/bin/sleep", "infinity"] - imagePullPolicy: IfNotPresent ---- diff --git a/istio-1.18.2/samples/sleep/sleep.yaml b/istio-1.18.2/samples/sleep/sleep.yaml deleted file mode 100644 index 570086b9..00000000 --- a/istio-1.18.2/samples/sleep/sleep.yaml +++ /dev/null @@ -1,66 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Sleep service -################################################################################################## -apiVersion: v1 -kind: ServiceAccount -metadata: - name: sleep ---- -apiVersion: v1 -kind: Service -metadata: - name: sleep - labels: - app: sleep - service: sleep -spec: - ports: - - port: 80 - name: http - selector: - app: sleep ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sleep -spec: - replicas: 1 - selector: - matchLabels: - app: sleep - template: - metadata: - labels: - app: sleep - spec: - terminationGracePeriodSeconds: 0 - serviceAccountName: sleep - containers: - - name: sleep - image: curlimages/curl - command: ["/bin/sleep", "infinity"] - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /etc/sleep/tls - name: secret-volume - volumes: - - name: secret-volume - secret: - secretName: sleep-secret - optional: true ---- diff --git a/istio-1.18.2/samples/tcp-echo/README.md b/istio-1.18.2/samples/tcp-echo/README.md deleted file mode 100644 index 50f2d82a..00000000 --- a/istio-1.18.2/samples/tcp-echo/README.md +++ /dev/null @@ -1,38 +0,0 @@ -# TCP Echo Service - -This sample runs [TCP Echo Server](src/) as an Istio service. TCP Echo Server -allows you to connect to it over TCP and echoes back data sent to it along with -a preconfigured prefix. - -## Usage - -To run the TCP Echo Service sample: - -1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/kubernetes/quick-start.html). - -1. Start the `tcp-echo-server` service inside the Istio service mesh: - - ```console - $ kubectl apply -f <(istioctl kube-inject -f tcp-echo.yaml) - service/tcp-echo created - deployment.apps/tcp-echo created - ``` - -1. Test by running the `nc` command from a `busybox` container from within the cluster. - - ```console - $ kubectl run -i --rm --restart=Never dummy --image=busybox -- sh -c "echo world | nc tcp-echo 9000" - hello world - pod "dummy" deleted - ``` - - As you observe, sending _world_ on a TCP connection to the server results in - the server prepending _hello_ and echoing back with _hello world_. - -1. To clean up, execute the following command: - - ```console - $ kubectl delete -f tcp-echo.yaml - service "tcp-echo" deleted - deployment.apps "tcp-echo" deleted - ``` diff --git a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml b/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml deleted file mode 100644 index 11e27be3..00000000 --- a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: TCPRoute -metadata: - name: tcp-echo -spec: - parentRefs: - - name: tcp-echo-gateway - sectionName: tcp-31400 - rules: - - backendRefs: - - name: tcp-echo-v1 - port: 9000 - weight: 80 - - name: tcp-echo-v2 - port: 9000 - weight: 20 diff --git a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml b/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml deleted file mode 100644 index 23965bbc..00000000 --- a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: tcp-echo-gateway -spec: - gatewayClassName: istio - listeners: - - name: tcp-31400 - protocol: TCP - port: 31400 - allowedRoutes: - kinds: - - kind: TCPRoute ---- -apiVersion: v1 -kind: Service -metadata: - name: tcp-echo-v1 -spec: - ports: - - port: 9000 - name: tcp - selector: - app: tcp-echo - version: v1 ---- -apiVersion: v1 -kind: Service -metadata: - name: tcp-echo-v2 -spec: - ports: - - port: 9000 - name: tcp - selector: - app: tcp-echo - version: v2 ---- -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: TCPRoute -metadata: - name: tcp-echo -spec: - parentRefs: - - name: tcp-echo-gateway - sectionName: tcp-31400 - rules: - - backendRefs: - - name: tcp-echo-v1 - port: 9000 diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml deleted file mode 100644 index f69ab115..00000000 --- a/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# Copyright 2018 Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: tcp-echo -spec: - hosts: - - "*" - gateways: - - tcp-echo-gateway - tcp: - - match: - - port: 31400 - route: - - destination: - host: tcp-echo - port: - number: 9000 - subset: v1 - weight: 80 - - destination: - host: tcp-echo - port: - number: 9000 - subset: v2 - weight: 20 diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml deleted file mode 100644 index 3c302c51..00000000 --- a/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml +++ /dev/null @@ -1,61 +0,0 @@ -# Copyright 2018 Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: tcp-echo-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 31400 - name: tcp - protocol: TCP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: tcp-echo-destination -spec: - host: tcp-echo - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: tcp-echo -spec: - hosts: - - "*" - gateways: - - tcp-echo-gateway - tcp: - - match: - - port: 31400 - route: - - destination: - host: tcp-echo - port: - number: 9000 - subset: v1 diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml deleted file mode 100644 index dd72061d..00000000 --- a/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml +++ /dev/null @@ -1,62 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################ -# tcp-echo service -################################################################################ -apiVersion: v1 -kind: Service -metadata: - name: tcp-echo - labels: - app: tcp-echo - service: tcp-echo -spec: - ipFamilyPolicy: RequireDualStack - ipFamilies: - - IPv6 - - IPv4 - ports: - - name: tcp - port: 9000 - - name: tcp-other - port: 9001 - # Port 9002 is omitted intentionally for testing the pass through filter chain. - selector: - app: tcp-echo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tcp-echo -spec: - replicas: 1 - selector: - matchLabels: - app: tcp-echo - version: v1 - template: - metadata: - labels: - app: tcp-echo - version: v1 - spec: - containers: - - name: tcp-echo - image: docker.io/istio/tcp-echo-server:1.2 - imagePullPolicy: IfNotPresent - args: [ "9000,9001,9002", "hello" ] - ports: - - containerPort: 9000 - - containerPort: 9001 diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml deleted file mode 100644 index 8ac98630..00000000 --- a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml +++ /dev/null @@ -1,61 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################ -# tcp-echo service -################################################################################ -apiVersion: v1 -kind: Service -metadata: - name: tcp-echo - labels: - app: tcp-echo - service: tcp-echo -spec: - ipFamilyPolicy: SingleStack - ipFamilies: - - IPv4 - ports: - - name: tcp - port: 9000 - - name: tcp-other - port: 9001 - # Port 9002 is omitted intentionally for testing the pass through filter chain. - selector: - app: tcp-echo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tcp-echo -spec: - replicas: 1 - selector: - matchLabels: - app: tcp-echo - version: v1 - template: - metadata: - labels: - app: tcp-echo - version: v1 - spec: - containers: - - name: tcp-echo - image: docker.io/istio/tcp-echo-server:1.2 - imagePullPolicy: Always - args: [ "9000,9001,9002", "hello" ] - ports: - - containerPort: 9000 - - containerPort: 9001 diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml deleted file mode 100644 index 02ddd6de..00000000 --- a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml +++ /dev/null @@ -1,61 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################ -# tcp-echo service -################################################################################ -apiVersion: v1 -kind: Service -metadata: - name: tcp-echo - labels: - app: tcp-echo - service: tcp-echo -spec: - ipFamilyPolicy: SingleStack - ipFamilies: - - IPv6 - ports: - - name: tcp - port: 9000 - - name: tcp-other - port: 9001 - # Port 9002 is omitted intentionally for testing the pass through filter chain. - selector: - app: tcp-echo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tcp-echo -spec: - replicas: 1 - selector: - matchLabels: - app: tcp-echo - version: v1 - template: - metadata: - labels: - app: tcp-echo - version: v1 - spec: - containers: - - name: tcp-echo - image: docker.io/istio/tcp-echo-server:1.2 - imagePullPolicy: IfNotPresent - args: [ "9000,9001,9002", "hello" ] - ports: - - containerPort: 9000 - - containerPort: 9001 diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml deleted file mode 100644 index 7f645746..00000000 --- a/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml +++ /dev/null @@ -1,86 +0,0 @@ -# Copyright 2018 Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Service -metadata: - name: tcp-echo - labels: - app: tcp-echo - service: tcp-echo -spec: - ports: - - name: tcp - port: 9000 - - name: tcp-other - port: 9001 - # Port 9002 is omitted intentionally for testing the pass through filter chain. - selector: - app: tcp-echo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tcp-echo-v1 - labels: - app: tcp-echo - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: tcp-echo - version: v1 - template: - metadata: - labels: - app: tcp-echo - version: v1 - spec: - containers: - - name: tcp-echo - image: docker.io/istio/tcp-echo-server:1.2 - imagePullPolicy: IfNotPresent - args: [ "9000,9001,9002", "one" ] - ports: - - containerPort: 9000 - - containerPort: 9001 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tcp-echo-v2 - labels: - app: tcp-echo - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: tcp-echo - version: v2 - template: - metadata: - labels: - app: tcp-echo - version: v2 - spec: - containers: - - name: tcp-echo - image: docker.io/istio/tcp-echo-server:1.2 - imagePullPolicy: IfNotPresent - args: [ "9000,9001,9002", "two" ] - ports: - - containerPort: 9000 - - containerPort: 9001 diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml deleted file mode 100644 index fae95161..00000000 --- a/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright 2018 Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################ -# tcp-echo service -################################################################################ -apiVersion: v1 -kind: Service -metadata: - name: tcp-echo - labels: - app: tcp-echo - service: tcp-echo -spec: - ports: - - name: tcp - port: 9000 - - name: tcp-other - port: 9001 - # Port 9002 is omitted intentionally for testing the pass through filter chain. - selector: - app: tcp-echo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tcp-echo -spec: - replicas: 1 - selector: - matchLabels: - app: tcp-echo - version: v1 - template: - metadata: - labels: - app: tcp-echo - version: v1 - spec: - containers: - - name: tcp-echo - image: docker.io/istio/tcp-echo-server:1.2 - imagePullPolicy: IfNotPresent - args: [ "9000,9001,9002", "hello" ] - ports: - - containerPort: 9000 - - containerPort: 9001 diff --git a/istio-1.18.2/samples/wasm_modules/README.md b/istio-1.18.2/samples/wasm_modules/README.md deleted file mode 100644 index 4a8a8702..00000000 --- a/istio-1.18.2/samples/wasm_modules/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# WASM demo - -`header_injector` is used for istio e2e tests, more tests can be found [here](https://github.com/istio-ecosystem/wasm-extensions). diff --git a/istio-1.18.2/samples/wasm_modules/header_injector/Makefile b/istio-1.18.2/samples/wasm_modules/header_injector/Makefile deleted file mode 100644 index 377495d2..00000000 --- a/istio-1.18.2/samples/wasm_modules/header_injector/Makefile +++ /dev/null @@ -1,22 +0,0 @@ -.PHONY: docker-push docker-build build clean - -VERSION_LIST := 1 2 -HUB ?= gcr.io/istio-testing -IMAGE_PREFIX ?= /wasm -IMG := $(HUB)$(IMAGE_PREFIX)/header-injector - -all: docker-push - -build: plugin.cc plugin.h BUILD WORKSPACE - rm -f *.wasm - $(foreach VERSION, $(VERSION_LIST), bazel build :plugin-0.0.$(VERSION).wasm && cp bazel-bin/plugin-0.0.$(VERSION).wasm .;) - -docker-build: build - $(foreach VERSION, $(VERSION_LIST), docker buildx build . -t $(IMG):0.0.$(VERSION) --build-arg WASM_BINARY=plugin-0.0.$(VERSION).wasm;) - -docker-push: docker-build - $(foreach VERSION, $(VERSION_LIST), docker push $(IMG):0.0.$(VERSION);) - -clean: - rm -rf bazel-* - rm -f *.wasm diff --git a/istio-1.18.2/samples/websockets/README.md b/istio-1.18.2/samples/websockets/README.md deleted file mode 100644 index 26a1f382..00000000 --- a/istio-1.18.2/samples/websockets/README.md +++ /dev/null @@ -1,48 +0,0 @@ -# Tornado - Demo Websockets App - -This is a sample application that demonstrates the use of an upgraded websockets connection on an ingress traffic when using Istio `VirtualService`. -The `app.yaml` creates a Kubernetes `Service` and a `Deployment` that is based on an existing Docker image for [Hiroakis's Tornado Websocket Example](https://github.com/hiroakis/tornado-websocket-example). - -__Notice:__ The addition of websockets upgrade support in v1alpha3 routing rules has only been added after the release of `Istio v0.8.0`. - -## Prerequisites - -Install Istio by following the [Istio Quick Start](https://istio.io/docs/setup/kubernetes/quick-start.html). - -## Installation - -1. First install the application service: - - - With manual sidecar injection: - - ```command - kubectl create -f <(istioctl kube-inject -f samples/websockets/app.yaml) - ``` - - - With automatic sidecar injection - - ```command - kubectl create -f samples/websockets/app.yaml - ``` - -1. Create the Ingress `Gateway` and `VirtualService` that enables the upgrade to Websocket for incoming traffic: - - ```command - kubectl create -f samples/websockets/route.yaml - ``` - -## Test - -- [Find your ingress gateway IP](https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports) - -- Access with your browser - -- The `WebSocket status` should show a green `open` status which means that a websocket connection to the server has been established. -To see the websocket in action see the instructions in the _REST API examples_ section of the demo app webpage for updating the server-side data and getting the updated data through the open websocket to the table in the webpage (without refreshing). - -## Cleanup - -```command -kubectl delete -f samples/websockets/route.yaml -kubectl delete -f samples/websockets/app.yaml -``` diff --git a/istio-1.18.2/samples/websockets/app.yaml b/istio-1.18.2/samples/websockets/app.yaml deleted file mode 100644 index 4f44ea7d..00000000 --- a/istio-1.18.2/samples/websockets/app.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: tornado - labels: - app: tornado - service: tornado -spec: - ports: - - port: 8888 - name: http - selector: - app: tornado ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tornado -spec: - replicas: 1 - selector: - matchLabels: - app: tornado - version: v1 - template: - metadata: - labels: - app: tornado - version: v1 - spec: - containers: - - name: tornado - image: hiroakis/tornado-websocket-example - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8888 ---- diff --git a/istio-1.18.2/samples/websockets/route.yaml b/istio-1.18.2/samples/websockets/route.yaml deleted file mode 100644 index ef580b2c..00000000 --- a/istio-1.18.2/samples/websockets/route.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: tornado-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: tornado -spec: - hosts: - - "*" - gateways: - - tornado-gateway - http: - - match: - - uri: - prefix: / - route: - - destination: - host: tornado - weight: 100 diff --git a/istio-1.18.2/tools/_istioctl b/istio-1.18.2/tools/_istioctl deleted file mode 100644 index d1e29f21..00000000 --- a/istio-1.18.2/tools/_istioctl +++ /dev/null @@ -1,212 +0,0 @@ -#compdef istioctl -compdef _istioctl istioctl - -# zsh completion for istioctl -*- shell-script -*- - -__istioctl_debug() -{ - local file="$BASH_COMP_DEBUG_FILE" - if [[ -n ${file} ]]; then - echo "$*" >> "${file}" - fi -} - -_istioctl() -{ - local shellCompDirectiveError=1 - local shellCompDirectiveNoSpace=2 - local shellCompDirectiveNoFileComp=4 - local shellCompDirectiveFilterFileExt=8 - local shellCompDirectiveFilterDirs=16 - local shellCompDirectiveKeepOrder=32 - - local lastParam lastChar flagPrefix requestComp out directive comp lastComp noSpace keepOrder - local -a completions - - __istioctl_debug "\n========= starting completion logic ==========" - __istioctl_debug "CURRENT: ${CURRENT}, words[*]: ${words[*]}" - - # The user could have moved the cursor backwards on the command-line. - # We need to trigger completion from the $CURRENT location, so we need - # to truncate the command-line ($words) up to the $CURRENT location. - # (We cannot use $CURSOR as its value does not work when a command is an alias.) - words=("${=words[1,CURRENT]}") - __istioctl_debug "Truncated words[*]: ${words[*]}," - - lastParam=${words[-1]} - lastChar=${lastParam[-1]} - __istioctl_debug "lastParam: ${lastParam}, lastChar: ${lastChar}" - - # For zsh, when completing a flag with an = (e.g., istioctl -n=) - # completions must be prefixed with the flag - setopt local_options BASH_REMATCH - if [[ "${lastParam}" =~ '-.*=' ]]; then - # We are dealing with a flag with an = - flagPrefix="-P ${BASH_REMATCH}" - fi - - # Prepare the command to obtain completions - requestComp="${words[1]} __complete ${words[2,-1]}" - if [ "${lastChar}" = "" ]; then - # If the last parameter is complete (there is a space following it) - # We add an extra empty parameter so we can indicate this to the go completion code. - __istioctl_debug "Adding extra empty parameter" - requestComp="${requestComp} \"\"" - fi - - __istioctl_debug "About to call: eval ${requestComp}" - - # Use eval to handle any environment variables and such - out=$(eval ${requestComp} 2>/dev/null) - __istioctl_debug "completion output: ${out}" - - # Extract the directive integer following a : from the last line - local lastLine - while IFS='\n' read -r line; do - lastLine=${line} - done < <(printf "%s\n" "${out[@]}") - __istioctl_debug "last line: ${lastLine}" - - if [ "${lastLine[1]}" = : ]; then - directive=${lastLine[2,-1]} - # Remove the directive including the : and the newline - local suffix - (( suffix=${#lastLine}+2)) - out=${out[1,-$suffix]} - else - # There is no directive specified. Leave $out as is. - __istioctl_debug "No directive found. Setting do default" - directive=0 - fi - - __istioctl_debug "directive: ${directive}" - __istioctl_debug "completions: ${out}" - __istioctl_debug "flagPrefix: ${flagPrefix}" - - if [ $((directive & shellCompDirectiveError)) -ne 0 ]; then - __istioctl_debug "Completion received error. Ignoring completions." - return - fi - - local activeHelpMarker="_activeHelp_ " - local endIndex=${#activeHelpMarker} - local startIndex=$((${#activeHelpMarker}+1)) - local hasActiveHelp=0 - while IFS='\n' read -r comp; do - # Check if this is an activeHelp statement (i.e., prefixed with $activeHelpMarker) - if [ "${comp[1,$endIndex]}" = "$activeHelpMarker" ];then - __istioctl_debug "ActiveHelp found: $comp" - comp="${comp[$startIndex,-1]}" - if [ -n "$comp" ]; then - compadd -x "${comp}" - __istioctl_debug "ActiveHelp will need delimiter" - hasActiveHelp=1 - fi - - continue - fi - - if [ -n "$comp" ]; then - # If requested, completions are returned with a description. - # The description is preceded by a TAB character. - # For zsh's _describe, we need to use a : instead of a TAB. - # We first need to escape any : as part of the completion itself. - comp=${comp//:/\\:} - - local tab="$(printf '\t')" - comp=${comp//$tab/:} - - __istioctl_debug "Adding completion: ${comp}" - completions+=${comp} - lastComp=$comp - fi - done < <(printf "%s\n" "${out[@]}") - - # Add a delimiter after the activeHelp statements, but only if: - # - there are completions following the activeHelp statements, or - # - file completion will be performed (so there will be choices after the activeHelp) - if [ $hasActiveHelp -eq 1 ]; then - if [ ${#completions} -ne 0 ] || [ $((directive & shellCompDirectiveNoFileComp)) -eq 0 ]; then - __istioctl_debug "Adding activeHelp delimiter" - compadd -x "--" - hasActiveHelp=0 - fi - fi - - if [ $((directive & shellCompDirectiveNoSpace)) -ne 0 ]; then - __istioctl_debug "Activating nospace." - noSpace="-S ''" - fi - - if [ $((directive & shellCompDirectiveKeepOrder)) -ne 0 ]; then - __istioctl_debug "Activating keep order." - keepOrder="-V" - fi - - if [ $((directive & shellCompDirectiveFilterFileExt)) -ne 0 ]; then - # File extension filtering - local filteringCmd - filteringCmd='_files' - for filter in ${completions[@]}; do - if [ ${filter[1]} != '*' ]; then - # zsh requires a glob pattern to do file filtering - filter="\*.$filter" - fi - filteringCmd+=" -g $filter" - done - filteringCmd+=" ${flagPrefix}" - - __istioctl_debug "File filtering command: $filteringCmd" - _arguments '*:filename:'"$filteringCmd" - elif [ $((directive & shellCompDirectiveFilterDirs)) -ne 0 ]; then - # File completion for directories only - local subdir - subdir="${completions[1]}" - if [ -n "$subdir" ]; then - __istioctl_debug "Listing directories in $subdir" - pushd "${subdir}" >/dev/null 2>&1 - else - __istioctl_debug "Listing directories in ." - fi - - local result - _arguments '*:dirname:_files -/'" ${flagPrefix}" - result=$? - if [ -n "$subdir" ]; then - popd >/dev/null 2>&1 - fi - return $result - else - __istioctl_debug "Calling _describe" - if eval _describe $keepOrder "completions" completions $flagPrefix $noSpace; then - __istioctl_debug "_describe found some completions" - - # Return the success of having called _describe - return 0 - else - __istioctl_debug "_describe did not find completions." - __istioctl_debug "Checking if we should do file completion." - if [ $((directive & shellCompDirectiveNoFileComp)) -ne 0 ]; then - __istioctl_debug "deactivating file completion" - - # We must return an error code here to let zsh know that there were no - # completions found by _describe; this is what will trigger other - # matching algorithms to attempt to find completions. - # For example zsh can match letters in the middle of words. - return 1 - else - # Perform file completion - __istioctl_debug "Activating file completion" - - # We must return the result of this command, so it must be the - # last command, or else we must store its result to return it. - _arguments '*:filename:_files'" ${flagPrefix}" - fi - fi - fi -} - -# don't run the completion function when being source-ed or eval-ed -if [ "$funcstack[1]" = "_istioctl" ]; then - _istioctl -fi diff --git a/istio-1.18.2/tools/certs/Makefile.k8s.mk b/istio-1.18.2/tools/certs/Makefile.k8s.mk deleted file mode 100644 index 3d2e7fe0..00000000 --- a/istio-1.18.2/tools/certs/Makefile.k8s.mk +++ /dev/null @@ -1,102 +0,0 @@ -.SUFFIXES: .csr .pem .conf -.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem -.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem -.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf - -.DEFAULT_GOAL := help - -SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) - -include $(SELF_DIR)common.mk - -#------------------------------------------------------------------------ -##help: print this help message -.PHONY: help - -help: - @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//' - -#------------------------------------------------------------------------ -##fetch-root-ca: fetch root CA and key from a k8s cluster. -.PHONY: fetch-root-ca -rawcluster := $(shell kubectl config current-context) -cluster := $(subst /,-,$(rawcluster)) -pwd := $(shell pwd) -export KUBECONFIG - -fetch-root-ca: - @echo "fetching root ca from k8s cluster: "$(cluster)"" - @mkdir -p $(pwd)/$(cluster) - @res=$(shell kubectl get secret istio-ca-secret -n $(ISTIO-NAMESPACE) >/dev/null 2>&1; echo $$?) -ifeq ($(res), 1) - @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem - @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem -else - @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem - @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem -endif - -k8s-root-cert.pem: - @cat $(cluster)/k8s-root-cert.pem > $@ - -k8s-root-key.pem: - @cat $(cluster)/k8s-root-key.pem > $@ -#------------------------------------------------------------------------ -##-cacerts: generate intermediate certificates for a cluster or VM with signed with istio root cert from the specified k8s cluster and store them under directory -.PHONY: %-cacerts - -%-cacerts: %/cert-chain.pem - @echo "done" - -%/cert-chain.pem: %/ca-cert.pem k8s-root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate certs stored in $(dir $<)" - @cp k8s-root-cert.pem $(dir $<)/root-cert.pem - -%/ca-cert.pem: %/cluster-ca.csr k8s-root-key.pem k8s-root-cert.pem - @echo "generating $@" - @openssl x509 -req -days $(INTERMEDIATE_DAYS) \ - -CA k8s-root-cert.pem -CAkey k8s-root-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/intermediate.conf \ - -in $< -out $@ - -%/cluster-ca.csr: L=$(dir $@) -%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf - @echo "generating $@" - @openssl req -new -config $(L)/intermediate.conf -key $< -out $@ - -%/ca-key.pem: fetch-root-ca - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 - -#------------------------------------------------------------------------ -##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using root cert from k8s cluster. -.PHONY: %-certs - -%-certs: fetch-root-ca %/workload-cert-chain.pem k8s-root-cert.pem - @echo "done" - -%/workload-cert-chain.pem: k8s-root-cert.pem %/ca-cert.pem %/workload-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate and workload certs stored in $(dir $<)" - @cp k8s-root-cert.pem $(dir $@)/root-cert.pem - -%/workload-cert.pem: %/workload.csr - @echo "generating $@" - @openssl x509 -req -days $(WORKLOAD_DAYS) \ - -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/workload.conf \ - -in $< -out $@ - -%/workload.csr: L=$(dir $@) -%/workload.csr: %/key.pem %/workload.conf - @echo "generating $@" - @openssl req -new -config $(L)/workload.conf -key $< -out $@ - -%/key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 \ No newline at end of file diff --git a/istio-1.18.2/tools/certs/Makefile.selfsigned.mk b/istio-1.18.2/tools/certs/Makefile.selfsigned.mk deleted file mode 100644 index 2a87d071..00000000 --- a/istio-1.18.2/tools/certs/Makefile.selfsigned.mk +++ /dev/null @@ -1,98 +0,0 @@ -.SUFFIXES: .csr .pem .conf -.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem -.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem -.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf - -.DEFAULT_GOAL := help - -SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) - -include $(SELF_DIR)common.mk - -#------------------------------------------------------------------------ -##help: print this help message -.PHONY: help - -help: - @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//' - -#------------------------------------------------------------------------ -##root-ca: generate root CA files (key and certificate) in current directory. -.PHONY: root-ca - -root-ca: root-key.pem root-cert.pem - -root-cert.pem: root-cert.csr root-key.pem - @echo "generating $@" - @openssl x509 -req -sha256 -days $(ROOTCA_DAYS) -signkey root-key.pem \ - -extensions req_ext -extfile root-ca.conf \ - -in $< -out $@ - -root-cert.csr: root-key.pem root-ca.conf - @echo "generating $@" - @openssl req -sha256 -new -key $< -config root-ca.conf -out $@ - -root-key.pem: - @echo "generating $@" - @openssl genrsa -out $@ 4096 -#------------------------------------------------------------------------ -##-cacerts: generate self signed intermediate certificates for and store them under directory. -.PHONY: %-cacerts - -%-cacerts: %/cert-chain.pem - @echo "done" - -%/cert-chain.pem: %/ca-cert.pem root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate inputs stored in $(dir $<)" - @cp root-cert.pem $(dir $<) - - -%/ca-cert.pem: %/cluster-ca.csr root-key.pem root-cert.pem - @echo "generating $@" - @openssl x509 -req -sha256 -days $(INTERMEDIATE_DAYS) \ - -CA root-cert.pem -CAkey root-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/intermediate.conf \ - -in $< -out $@ - -%/cluster-ca.csr: L=$(dir $@) -%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf - @echo "generating $@" - @openssl req -sha256 -new -config $(L)/intermediate.conf -key $< -out $@ - -%/ca-key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 - -#------------------------------------------------------------------------ -##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using self signed root certs. -.PHONY: %-certs - -%-certs: %/ca-cert.pem %/workload-cert-chain.pem root-cert.pem - @echo "done" - -%/workload-cert-chain.pem: %/workload-cert.pem %/ca-cert.pem root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate and workload certs stored in $(dir $<)" - @cp root-cert.pem $(dir $@)/root-cert.pem - - -%/workload-cert.pem: %/workload.csr - @echo "generating $@" - @openssl x509 -sha256 -req -days $(WORKLOAD_DAYS) \ - -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/workload.conf \ - -in $< -out $@ - -%/workload.csr: L=$(dir $@) -%/workload.csr: %/key.pem %/workload.conf - @echo "generating $@" - @openssl req -sha256 -new -config $(L)/workload.conf -key $< -out $@ - -%/key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 diff --git a/istio-1.18.2/tools/certs/README.md b/istio-1.18.2/tools/certs/README.md deleted file mode 100644 index f197e2a8..00000000 --- a/istio-1.18.2/tools/certs/README.md +++ /dev/null @@ -1,26 +0,0 @@ -# Generating Certificates for Bootstrapping Multicluster / Mesh Expansion Chain of Trust - -The directory contains two Makefiles for generating new root, intermediate certificates and workload certificates: -- `Makefile.k8s.mk`: Creates certificates based on a root-ca from a k8s cluster. The current context in the default -`kubeconfig` is used for accessing the cluster. -- `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root. - -The table below describes the targets supported by both Makefiles. - -Make Target | Makefile | Description ------- | -------- | ----------- -`root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate. -`fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`. -`$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM with `$NAME` (e.g., `us-east`, `cluster01`, etc.). They are stored under `$NAME` directory. To differentiate between clusters, we include a `Location` (`L`) designation in the certificates `Subject` field, with the cluster's name. -`$NAMESPACE-certs` | Both | Generates intermediate certificates and sign certificates for a virtual machine connected to the namespace `$NAMESPACE` using serviceAccount `$SERVICE_ACCOUNT` using the root cert and store them under `$NAMESPACE` directory. -`clean` | Both | Removes any generated root certificates, keys, and intermediate files. - -For example: - -```bash -make -f Makefile.selfsigned.mk root-ca -``` - -Note that the Makefile generates long-lived intermediate certificates. While this might be -acceptable for demonstration purposes, a more realistic and secure deployment would use -short-lived and automatically renewed certificates for the intermediate CAs. diff --git a/istio-1.18.2/tools/certs/common.mk b/istio-1.18.2/tools/certs/common.mk deleted file mode 100644 index ba3f90c9..00000000 --- a/istio-1.18.2/tools/certs/common.mk +++ /dev/null @@ -1,101 +0,0 @@ -#------------------------------------------------------------------------ -# variables: root CA -ROOTCA_DAYS ?= 3650 -ROOTCA_KEYSZ ?= 4096 -ROOTCA_ORG ?= Istio -ROOTCA_CN ?= Root CA -KUBECONFIG ?= $(HOME)/.kube/config -ISTIO_NAMESPACE ?= istio-system -# Additional variables are defined in root-ca.conf target below. - -#------------------------------------------------------------------------ -# variables: intermediate CA -INTERMEDIATE_DAYS ?= 3650 -INTERMEDIATE_KEYSZ ?= 4096 -INTERMEDIATE_ORG ?= Istio -INTERMEDIATE_CN ?= Intermediate CA -INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc -# Additional variables are defined in %/intermediate.conf target below. - -#------------------------------------------------------------------------ -# variables: workload certs: eg VM -WORKLOAD_DAYS ?= 1 -SERVICE_ACCOUNT ?= default -WORKLOAD_CN ?= Workload - -#------------------------------------------------------------------------ -# variables: files to clean -FILES_TO_CLEAN+=k8s-root-cert.pem \ - k8s-root-cert.srl \ - k8s-root-key.pem root-ca.conf root-cert.csr root-cert.pem root-cert.srl root-key.pem -#------------------------------------------------------------------------ -# clean -.PHONY: clean - -clean: ## Cleans all the intermediate files and folders previously generated. - @rm -f $(FILES_TO_CLEAN) - -root-ca.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(ROOTCA_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - @echo "basicConstraints = critical, CA:true" >> $@ - @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(ROOTCA_ORG)" >> $@ - @echo "CN = $(ROOTCA_CN)" >> $@ - -%/intermediate.conf: L=$(dir $@) -%/intermediate.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - @echo "basicConstraints = critical, CA:true, pathlen:0" >> $@ - @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@ - @echo "subjectAltName=@san" >> $@ - @echo "[ san ]" >> $@ - @echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(INTERMEDIATE_ORG)" >> $@ - @echo "CN = $(INTERMEDIATE_CN)" >> $@ - @echo "L = $(L:/=)" >> $@ - -%/workload.conf: L=$(dir $@) -%/workload.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - @echo "basicConstraints = critical, CA:false" >> $@ - @echo "keyUsage = digitalSignature, keyEncipherment" >> $@ - @echo "extendedKeyUsage = serverAuth, clientAuth" >> $@ - @echo "subjectAltName=@san" >> $@ - @echo "[ san ]" >> $@ - @echo "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(INTERMEDIATE_ORG)" >> $@ - @echo "CN = $(WORKLOAD_CN)" >> $@ - @echo "L = $(L:/=)" >> $@ diff --git a/istio-1.18.2/tools/istioctl.bash b/istio-1.18.2/tools/istioctl.bash deleted file mode 100644 index 6f1e1585..00000000 --- a/istio-1.18.2/tools/istioctl.bash +++ /dev/null @@ -1,338 +0,0 @@ -# bash completion V2 for istioctl -*- shell-script -*- - -__istioctl_debug() -{ - if [[ -n ${BASH_COMP_DEBUG_FILE-} ]]; then - echo "$*" >> "${BASH_COMP_DEBUG_FILE}" - fi -} - -# Macs have bash3 for which the bash-completion package doesn't include -# _init_completion. This is a minimal version of that function. -__istioctl_init_completion() -{ - COMPREPLY=() - _get_comp_words_by_ref "$@" cur prev words cword -} - -# This function calls the istioctl program to obtain the completion -# results and the directive. It fills the 'out' and 'directive' vars. -__istioctl_get_completion_results() { - local requestComp lastParam lastChar args - - # Prepare the command to request completions for the program. - # Calling ${words[0]} instead of directly istioctl allows to handle aliases - args=("${words[@]:1}") - requestComp="${words[0]} __complete ${args[*]}" - - lastParam=${words[$((${#words[@]}-1))]} - lastChar=${lastParam:$((${#lastParam}-1)):1} - __istioctl_debug "lastParam ${lastParam}, lastChar ${lastChar}" - - if [[ -z ${cur} && ${lastChar} != = ]]; then - # If the last parameter is complete (there is a space following it) - # We add an extra empty parameter so we can indicate this to the go method. - __istioctl_debug "Adding extra empty parameter" - requestComp="${requestComp} ''" - fi - - # When completing a flag with an = (e.g., istioctl -n=) - # bash focuses on the part after the =, so we need to remove - # the flag part from $cur - if [[ ${cur} == -*=* ]]; then - cur="${cur#*=}" - fi - - __istioctl_debug "Calling ${requestComp}" - # Use eval to handle any environment variables and such - out=$(eval "${requestComp}" 2>/dev/null) - - # Extract the directive integer at the very end of the output following a colon (:) - directive=${out##*:} - # Remove the directive - out=${out%:*} - if [[ ${directive} == "${out}" ]]; then - # There is not directive specified - directive=0 - fi - __istioctl_debug "The completion directive is: ${directive}" - __istioctl_debug "The completions are: ${out}" -} - -__istioctl_process_completion_results() { - local shellCompDirectiveError=1 - local shellCompDirectiveNoSpace=2 - local shellCompDirectiveNoFileComp=4 - local shellCompDirectiveFilterFileExt=8 - local shellCompDirectiveFilterDirs=16 - local shellCompDirectiveKeepOrder=32 - - if (((directive & shellCompDirectiveError) != 0)); then - # Error code. No completion. - __istioctl_debug "Received error from custom completion go code" - return - else - if (((directive & shellCompDirectiveNoSpace) != 0)); then - if [[ $(type -t compopt) == builtin ]]; then - __istioctl_debug "Activating no space" - compopt -o nospace - else - __istioctl_debug "No space directive not supported in this version of bash" - fi - fi - if (((directive & shellCompDirectiveKeepOrder) != 0)); then - if [[ $(type -t compopt) == builtin ]]; then - # no sort isn't supported for bash less than < 4.4 - if [[ ${BASH_VERSINFO[0]} -lt 4 || ( ${BASH_VERSINFO[0]} -eq 4 && ${BASH_VERSINFO[1]} -lt 4 ) ]]; then - __istioctl_debug "No sort directive not supported in this version of bash" - else - __istioctl_debug "Activating keep order" - compopt -o nosort - fi - else - __istioctl_debug "No sort directive not supported in this version of bash" - fi - fi - if (((directive & shellCompDirectiveNoFileComp) != 0)); then - if [[ $(type -t compopt) == builtin ]]; then - __istioctl_debug "Activating no file completion" - compopt +o default - else - __istioctl_debug "No file completion directive not supported in this version of bash" - fi - fi - fi - - # Separate activeHelp from normal completions - local completions=() - local activeHelp=() - __istioctl_extract_activeHelp - - if (((directive & shellCompDirectiveFilterFileExt) != 0)); then - # File extension filtering - local fullFilter filter filteringCmd - - # Do not use quotes around the $completions variable or else newline - # characters will be kept. - for filter in ${completions[*]}; do - fullFilter+="$filter|" - done - - filteringCmd="_filedir $fullFilter" - __istioctl_debug "File filtering command: $filteringCmd" - $filteringCmd - elif (((directive & shellCompDirectiveFilterDirs) != 0)); then - # File completion for directories only - - local subdir - subdir=${completions[0]} - if [[ -n $subdir ]]; then - __istioctl_debug "Listing directories in $subdir" - pushd "$subdir" >/dev/null 2>&1 && _filedir -d && popd >/dev/null 2>&1 || return - else - __istioctl_debug "Listing directories in ." - _filedir -d - fi - else - __istioctl_handle_completion_types - fi - - __istioctl_handle_special_char "$cur" : - __istioctl_handle_special_char "$cur" = - - # Print the activeHelp statements before we finish - if ((${#activeHelp[*]} != 0)); then - printf "\n"; - printf "%s\n" "${activeHelp[@]}" - printf "\n" - - # The prompt format is only available from bash 4.4. - # We test if it is available before using it. - if (x=${PS1@P}) 2> /dev/null; then - printf "%s" "${PS1@P}${COMP_LINE[@]}" - else - # Can't print the prompt. Just print the - # text the user had typed, it is workable enough. - printf "%s" "${COMP_LINE[@]}" - fi - fi -} - -# Separate activeHelp lines from real completions. -# Fills the $activeHelp and $completions arrays. -__istioctl_extract_activeHelp() { - local activeHelpMarker="_activeHelp_ " - local endIndex=${#activeHelpMarker} - - while IFS='' read -r comp; do - if [[ ${comp:0:endIndex} == $activeHelpMarker ]]; then - comp=${comp:endIndex} - __istioctl_debug "ActiveHelp found: $comp" - if [[ -n $comp ]]; then - activeHelp+=("$comp") - fi - else - # Not an activeHelp line but a normal completion - completions+=("$comp") - fi - done <<<"${out}" -} - -__istioctl_handle_completion_types() { - __istioctl_debug "__istioctl_handle_completion_types: COMP_TYPE is $COMP_TYPE" - - case $COMP_TYPE in - 37|42) - # Type: menu-complete/menu-complete-backward and insert-completions - # If the user requested inserting one completion at a time, or all - # completions at once on the command-line we must remove the descriptions. - # https://github.com/spf13/cobra/issues/1508 - local tab=$'\t' comp - while IFS='' read -r comp; do - [[ -z $comp ]] && continue - # Strip any description - comp=${comp%%$tab*} - # Only consider the completions that match - if [[ $comp == "$cur"* ]]; then - COMPREPLY+=("$comp") - fi - done < <(printf "%s\n" "${completions[@]}") - ;; - - *) - # Type: complete (normal completion) - __istioctl_handle_standard_completion_case - ;; - esac -} - -__istioctl_handle_standard_completion_case() { - local tab=$'\t' comp - - # Short circuit to optimize if we don't have descriptions - if [[ "${completions[*]}" != *$tab* ]]; then - IFS=$'\n' read -ra COMPREPLY -d '' < <(compgen -W "${completions[*]}" -- "$cur") - return 0 - fi - - local longest=0 - local compline - # Look for the longest completion so that we can format things nicely - while IFS='' read -r compline; do - [[ -z $compline ]] && continue - # Strip any description before checking the length - comp=${compline%%$tab*} - # Only consider the completions that match - [[ $comp == "$cur"* ]] || continue - COMPREPLY+=("$compline") - if ((${#comp}>longest)); then - longest=${#comp} - fi - done < <(printf "%s\n" "${completions[@]}") - - # If there is a single completion left, remove the description text - if ((${#COMPREPLY[*]} == 1)); then - __istioctl_debug "COMPREPLY[0]: ${COMPREPLY[0]}" - comp="${COMPREPLY[0]%%$tab*}" - __istioctl_debug "Removed description from single completion, which is now: ${comp}" - COMPREPLY[0]=$comp - else # Format the descriptions - __istioctl_format_comp_descriptions $longest - fi -} - -__istioctl_handle_special_char() -{ - local comp="$1" - local char=$2 - if [[ "$comp" == *${char}* && "$COMP_WORDBREAKS" == *${char}* ]]; then - local word=${comp%"${comp##*${char}}"} - local idx=${#COMPREPLY[*]} - while ((--idx >= 0)); do - COMPREPLY[idx]=${COMPREPLY[idx]#"$word"} - done - fi -} - -__istioctl_format_comp_descriptions() -{ - local tab=$'\t' - local comp desc maxdesclength - local longest=$1 - - local i ci - for ci in ${!COMPREPLY[*]}; do - comp=${COMPREPLY[ci]} - # Properly format the description string which follows a tab character if there is one - if [[ "$comp" == *$tab* ]]; then - __istioctl_debug "Original comp: $comp" - desc=${comp#*$tab} - comp=${comp%%$tab*} - - # $COLUMNS stores the current shell width. - # Remove an extra 4 because we add 2 spaces and 2 parentheses. - maxdesclength=$(( COLUMNS - longest - 4 )) - - # Make sure we can fit a description of at least 8 characters - # if we are to align the descriptions. - if ((maxdesclength > 8)); then - # Add the proper number of spaces to align the descriptions - for ((i = ${#comp} ; i < longest ; i++)); do - comp+=" " - done - else - # Don't pad the descriptions so we can fit more text after the completion - maxdesclength=$(( COLUMNS - ${#comp} - 4 )) - fi - - # If there is enough space for any description text, - # truncate the descriptions that are too long for the shell width - if ((maxdesclength > 0)); then - if ((${#desc} > maxdesclength)); then - desc=${desc:0:$(( maxdesclength - 1 ))} - desc+="…" - fi - comp+=" ($desc)" - fi - COMPREPLY[ci]=$comp - __istioctl_debug "Final comp: $comp" - fi - done -} - -__start_istioctl() -{ - local cur prev words cword split - - COMPREPLY=() - - # Call _init_completion from the bash-completion package - # to prepare the arguments properly - if declare -F _init_completion >/dev/null 2>&1; then - _init_completion -n =: || return - else - __istioctl_init_completion -n =: || return - fi - - __istioctl_debug - __istioctl_debug "========= starting completion logic ==========" - __istioctl_debug "cur is ${cur}, words[*] is ${words[*]}, #words[@] is ${#words[@]}, cword is $cword" - - # The user could have moved the cursor backwards on the command-line. - # We need to trigger completion from the $cword location, so we need - # to truncate the command-line ($words) up to the $cword location. - words=("${words[@]:0:$cword+1}") - __istioctl_debug "Truncated words[*]: ${words[*]}," - - local out directive - __istioctl_get_completion_results - __istioctl_process_completion_results -} - -if [[ $(type -t compopt) = "builtin" ]]; then - complete -o default -F __start_istioctl istioctl -else - complete -o default -o nospace -F __start_istioctl istioctl -fi - -# ex: ts=4 sw=4 et filetype=sh