diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 8c003640..f4f36456 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -60,6 +60,7 @@ jobs:
with:
args: --timeout=10m --tests="false"
version: v1.47.0
+ go-version: '1.14'
style-check:
name: style-check
runs-on: ubuntu-latest
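Review bot: The added `go-version: '1.14'` in the lint step's `with:` block is a hardcoded toolchain version with no comment saying why 1.14, and the step's `uses:` line is outside this hunk, so it is not visible here whether the action declares a `go-version` input at all. GitHub Actions only warns on undeclared inputs and the job still passes, so please confirm the pinned action accepts this key. If the intent is to pin the Go toolchain used for linting, say so in a comment and keep the value in step with the `go` directive in `go.mod` rather than maintaining it by hand in the workflow.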
diff --git a/istio-1.18.2/LICENSE b/istio-1.18.2/LICENSE
deleted file mode 100644
index bb7b19de..00000000
--- a/istio-1.18.2/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "{}"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright 2016-2022 Istio Authors
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
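Review bot: This deletes the copy of the Apache-2.0 text that ships with the vendored `istio-1.18.2/` tree, and section 4(a) of the text being removed requires that recipients of the Work receive a copy of the License. That is fine as long as everything under `istio-1.18.2/` goes in the same change; please confirm nothing copied from that tree remains elsewhere in the repository. Consider also splitting the vendored-tree removal from the unrelated `ci.yaml` change so each can be reviewed and reverted on its own.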
diff --git a/istio-1.18.2/README.md b/istio-1.18.2/README.md
deleted file mode 100644
index 8955af70..00000000
--- a/istio-1.18.2/README.md
+++ /dev/null
@@ -1,117 +0,0 @@
-# Istio
-
-[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1395/badge)](https://bestpractices.coreinfrastructure.org/projects/1395)
-[![Go Report Card](https://goreportcard.com/badge/github.com/istio/istio)](https://goreportcard.com/report/github.com/istio/istio)
-[![GoDoc](https://godoc.org/istio.io/istio?status.svg)](https://godoc.org/istio.io/istio)
-
-
-
-
-
----
-
-Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes.
-
-- For in-depth information about how to use Istio, visit [istio.io](https://istio.io)
-- To ask questions and get assistance from our community, visit [discuss.istio.io](https://discuss.istio.io)
-- To learn how to participate in our overall community, visit [our community page](https://istio.io/about/community)
-
-In this README:
-
-- [Introduction](#introduction)
-- [Repositories](#repositories)
-- [Issue management](#issue-management)
-
-In addition, here are some other documents you may wish to read:
-
-- [Istio Community](https://github.com/istio/community#istio-community) - describes how to get involved and contribute to the Istio project
-- [Istio Developer's Guide](https://github.com/istio/istio/wiki/Preparing-for-Development) - explains how to set up and use an Istio development environment
-- [Project Conventions](https://github.com/istio/istio/wiki/Development-Conventions) - describes the conventions we use within the code base
-- [Creating Fast and Lean Code](https://github.com/istio/istio/wiki/Writing-Fast-and-Lean-Code) - performance-oriented advice and guidelines for the code base
-
-You'll find many other useful documents on our [Wiki](https://github.com/istio/istio/wiki).
-
-## Introduction
-
-[Istio](https://istio.io/latest/docs/concepts/what-is-istio/) is an open platform for providing a uniform way to [integrate
-microservices](https://istio.io/latest/docs/examples/microservices-istio/), manage [traffic flow](https://istio.io/latest/docs/concepts/traffic-management/) across microservices, enforce policies
-and aggregate telemetry data. Istio's control plane provides an abstraction
-layer over the underlying cluster management platform, such as Kubernetes.
-
-Istio is composed of these components:
-
-- **Envoy** - Sidecar proxies per microservice to handle ingress/egress traffic
- between services in the cluster and from a service to external
- services. The proxies form a _secure microservice mesh_ providing a rich
- set of functions like discovery, rich layer-7 routing, circuit breakers,
- policy enforcement and telemetry recording/reporting
- functions.
-
- > Note: The service mesh is not an overlay network. It
- > simplifies and enhances how microservices in an application talk to each
- > other over the network provided by the underlying platform.
-
-- **Istiod** - The Istio control plane. It provides service discovery, configuration and certificate management. It consists of the following sub-components:
-
- - **Pilot** - Responsible for configuring the proxies at runtime.
-
- - **Citadel** - Responsible for certificate issuance and rotation.
-
- - **Galley** - Responsible for validating, ingesting, aggregating, transforming and distributing config within Istio.
-
-- **Operator** - The component provides user friendly options to operate the Istio service mesh.
-
-## Repositories
-
-The Istio project is divided across a few GitHub repositories:
-
-- [istio/api](https://github.com/istio/api). This repository defines
-component-level APIs and common configuration formats for the Istio platform.
-
-- [istio/community](https://github.com/istio/community). This repository contains
-information on the Istio community, including the various documents that govern
-the Istio open source project.
-
-- [istio/istio](README.md). This is the main code repository. It hosts Istio's
-core components, install artifacts, and sample programs. It includes:
-
- - [istioctl](istioctl/). This directory contains code for the
-[_istioctl_](https://istio.io/latest/docs/reference/commands/istioctl/) command line utility.
-
- - [operator](operator/). This directory contains code for the
-[Istio Operator](https://istio.io/latest/docs/setup/install/operator/).
-
- - [pilot](pilot/). This directory
-contains platform-specific code to populate the
-[abstract service model](https://istio.io/docs/concepts/traffic-management/#pilot), dynamically reconfigure the proxies
-when the application topology changes, as well as translate
-[routing rules](https://istio.io/latest/docs/reference/config/networking/) into proxy specific configuration.
-
- - [security](security/). This directory contains [security](https://istio.io/latest/docs/concepts/security/) related code,
-including Citadel (acting as Certificate Authority), citadel agent, etc.
-
-- [istio/proxy](https://github.com/istio/proxy). The Istio proxy contains
-extensions to the [Envoy proxy](https://github.com/envoyproxy/envoy) (in the form of
-Envoy filters) that support authentication, authorization, and telemetry collection.
-
-## Issue management
-
-We use GitHub to track all of our bugs and feature requests. Each issue we track has a variety of metadata:
-
-- **Epic**. An epic represents a feature area for Istio as a whole. Epics are fairly broad in scope and are basically product-level things.
-Each issue is ultimately part of an epic.
-
-- **Milestone**. Each issue is assigned a milestone. This is 0.1, 0.2, ..., or 'Nebulous Future'. The milestone indicates when we
-think the issue should get addressed.
-
-- **Priority**. Each issue has a priority which is represented by the column in the [Prioritization](https://github.com/orgs/istio/projects/6) project. Priority can be one of
-P0, P1, P2, or >P2. The priority indicates how important it is to address the issue within the milestone. P0 says that the
-milestone cannot be considered achieved if the issue isn't resolved.
-
----
-
-
diff --git a/istio-1.18.2/manifest.yaml b/istio-1.18.2/manifest.yaml
deleted file mode 100644
index d8a50816..00000000
--- a/istio-1.18.2/manifest.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-architectures:
-- linux/amd64
-- linux/arm64
-dashboards:
- istio-extension-dashboard: 13277
- istio-mesh-dashboard: 7639
- istio-performance-dashboard: 11829
- istio-service-dashboard: 7636
- istio-workload-dashboard: 7630
- pilot-dashboard: 7645
-dependencies:
- api:
- sha: 06047cce866f317d90b6ee58386aba7faa63ed9e
- client-go:
- sha: 2683ac554dc2cf65a0a78dfbe8335e593a207f42
- istio:
- sha: 0183f2886bc078e8df4d6bbd21fa452a3a23481d
- pkg:
- sha: 1015535057be24595b88a2b39555716bb0d82bf6
- proxy:
- sha: 3c27a1b0cf381ca854ccc3a2034e88c206928da2
- release-builder:
- sha: bcf4277ff6c526761200652122bb4ea2d21f5747
- test-infra:
- sha: 776c397ca9590b77c00b19d58f888805f3cb986f
- tools:
- sha: 60988e44238a79538c9d667a56b15895296f95a3
- ztunnel:
- sha: 556e299c60ecba1fc2697810010a6a76c3ae6535
-docker: docker.io/istio
-dockerOutput: tar
-skipGenerateBillOfMaterials: false
-version: 1.18.2
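Review bot: The `dependencies:` block deleted here is the record of which commit of each upstream repository (`api`, `istio`, `proxy`, `ztunnel` and the rest) the vendored 1.18.2 release was built from. If any environment still runs artifacts from this tree, that provenance goes away with the file. Please state in the PR description where the Istio version and its source pins are tracked after this removal, or that Istio is no longer deployed from this repository.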
diff --git a/istio-1.18.2/manifests/charts/README.md b/istio-1.18.2/manifests/charts/README.md
deleted file mode 100644
index 6575a50c..00000000
--- a/istio-1.18.2/manifests/charts/README.md
+++ /dev/null
@@ -1,136 +0,0 @@
-# Istio Installer
-
-Note: If making any changes to the charts or values.yaml in this dir, first read [UPDATING-CHARTS.md](UPDATING-CHARTS.md)
-
-Istio installer is a modular, 'a-la-carte' installer for Istio. It is based on a
-fork of the Istio helm templates, refactored to increase modularity and isolation.
-
-Goals:
-- Improve upgrade experience: users should be able to gradually roll upgrades, with proper
-canary deployments for Istio components. It should be possible to deploy a new version while keeping the
-stable version in place and gradually migrate apps to the new version.
-
-- More flexibility: the new installer allows multiple 'environments', allowing applications to select
-a set of control plane settings and components. While the entire mesh respects the same APIs and config,
-apps may target different 'environments' which contain different instances and variants of Istio.
-
-- Better security: separate Istio components reside in different namespaces, allowing different teams or
-roles to manage different parts of Istio. For example, a security team would maintain the
-root CA and policy, a telemetry team may only have access to Prometheus,
-and a different team may maintain the control plane components (which are highly security sensitive).
-
-The install is organized in 'environments' - each environment consists of a set of components
-in different namespaces that are configured to work together. Regardless of 'environment',
-workloads can talk with each other and obey the Istio configuration resources, but each environment
-can use different Istio versions and different configuration defaults.
-
-`istioctl kube-inject` or the automatic sidecar injector are used to select the environment.
-In the case of the sidecar injector, the namespace label `istio-env: ` is used instead
-of the conventional `istio-injected: true`. The name of the environment is defined as the namespace
-where the corresponding control plane components (config, discovery, auto-injection) are running.
-In the examples below, by default this is the `istio-control` namespace. Pod annotations can also
-be used to select a different 'environment'.
-
-## Installing
-
-The new installer is intended to be modular and very explicit about what is installed. It has
-far more steps than the Istio installer - but each step is smaller and focused on a specific
-feature, and can be performed by different people/teams at different times.
-
-It is strongly recommended that different namespaces are used, with different service accounts.
-In particular access to the security-critical production components (root CA, policy, control)
-should be locked down and restricted. The new installer allows multiple instances of
-policy/control/telemetry - so testing/staging of new settings and versions can be performed
-by a different role than the prod version.
-
-The intended users of this repo are users running Istio in production who want to select, tune
-and understand each binary that gets deployed, and select which combination to use.
-
-Note: each component can be installed in parallel with an existing Istio 1.0 or 1.1 install in
-`istio-system`. The new components will not interfere with existing apps, but can interoperate
-and it is possible to gradually move apps from Istio 1.0/1.1 to the new environments and
-across environments ( for example canary -> prod )
-
-Note: there are still some cluster roles that may need to be fixed, most likely cluster permissions
-will need to move to the security component.
-
-## Everything is Optional
-
-Each component in the new installer is optional. Users can install the component defined in the new installer,
-use the equivalent component in `istio-system`, configured with the official installer, or use a different
-version or implementation.
-
-For example you may use your own Prometheus and Grafana installs, or you may use a specialized/custom
-certificate provisioning tool, or use components that are centrally managed and running in a different cluster.
-
-This is a work in progress - building on top of the multi-cluster installer.
-
-As an extreme, the goal is to be possible to run Istio workloads in a cluster without installing any Istio component
-in that cluster. Currently the minimum we require is the security provider (node agent or citadel).
-
-### Install Istio CRDs
-
-This is the first step of the install. Please do not remove or edit any CRD - config currently requires
-all CRDs to be present. On each upgrade it is recommended to reapply the file, to make sure
-you get all CRDs. CRDs are separated by release and by component type in the CRD directory.
-
-Istio has strong integration with certmanager. Some operators may want to keep their current certmanager
-CRDs in place and not have Istio modify them. In this case, it is necessary to apply CRD files individually.
-
-```bash
-kubectl apply -k github.com/istio/installer/base
-```
-
-or
-
-```bash
-kubectl apply -f base/files
-```
-
-### Install Istio-CNI
-
-This is an optional step - CNI must run in a dedicated namespace, it is a 'singleton' and extremely
-security sensitive. Access to the CNI namespace must be highly restricted.
-
-**NOTE:** The environment variable `ISTIO_CLUSTER_ISGKE` is assumed to be set to `true` if the cluster
-is a GKE cluster.
-
-```bash
-ISTIO_CNI_ARGS=
-# TODO: What k8s data can we use for this check for whether GKE?
-if [[ "${ISTIO_CLUSTER_ISGKE}" == "true" ]]; then
- ISTIO_CNI_ARGS="--set cni.cniBinDir=/home/kubernetes/bin"
-fi
-iop kube-system istio-cni $IBASE/istio-cni/ ${ISTIO_CNI_ARGS}
-```
-
-TODO. It is possible to add Istio-CNI later, and gradually migrate.
-
-### Install Control plane
-
-This can run in any cluster. A mesh should have at least one cluster should run Pilot or equivalent XDS server,
-and it is recommended to have Pilot running in each region and in multiple availability zones for multi cluster.
-
-```bash
-iop istio-control istio-discovery $IBASE/istio-control/istio-discovery \
- --set global.istioNamespace=istio-system
-
-# Second istio-discovery, using master version of istio
-TAG=latest HUB=gcr.io/istio-testing iop istio-master istio-discovery-master $IBASE/istio-control/istio-discovery \
- --set policy.enable=false \
- --set global.istioNamespace=istio-master
-```
-
-### Gateways
-
-A cluster may use multiple Gateways, each with a different load balancer IP, domains and certificates.
-
-Since the domain certificates are stored in the gateway namespace, it is recommended to keep each
-gateway in a dedicated namespace and restrict access.
-
-For large-scale gateways it is optionally possible to use a dedicated pilot in the gateway namespace.
-
-### Additional test templates
-
-A number of helm test setups are general-purpose and should be installable in any cluster, to confirm
-Istio works properly and allow testing the specific install.
diff --git a/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md b/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md
deleted file mode 100644
index 88a89291..00000000
--- a/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# Updating charts and values.yaml
-
-## Acceptable Pull Requests
-
-Helm charts `values.yaml` represent a complex user facing API that tends to grow uncontrollably over time
-due to design choices in Helm.
-The underlying Kubernetes resources we configure have 1000s of fields; given enough users and bespoke use cases,
-eventually someone will want to customize every one of those fields.
-If all fields are exposed in `values.yaml`, we end up with an massive API that is also likely worse than just using the Kubernetes API directly.
-
-To avoid this, the project attempts to minimize additions to the `values.yaml` API where possible.
-
-If the change is a dynamic runtime configuration, it probably belongs in the [MeshConfig API](https://github.com/istio/api/blob/master/mesh/v1alpha1/config.proto).
-This allows configuration without re-installing or restarting deployments.
-
-If the change is to a Kubernetes field (such as modifying a Deployment attribute), it will likely need to be install-time configuration.
-However, that doesn't necessarily mean a PR to add a value will be accepted.
-The `values.yaml` API is intended to maintain a *minimal core set of configuration* that most users will use.
-For bespoke use cases, [Helm Chart Customization](https://istio.io/latest/docs/setup/additional-setup/customize-installation-helm/#advanced-helm-chart-customization) can be used
-to allow arbitrary customizations.
-
-If the change truly is generally purpose, it is generally preferred to have broader APIs. For example, instead of providing
-direct access to each of the complex fields in [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/), just providing
-a single `affinity` field that is passed through as-is to the Kubernetes resource.
-This provides maximum flexibility with minimal API surface overhead.
-
-## Making changes
-
-## Step 1. Make changes in charts and values.yaml in `manifests` directory
-
-Be sure to provide sufficient documentation and example usage in values.yaml.
-If the chart has a `values.schema.json`, that should be updated as well.
-
-## Step 2. Update the istioctl/Operator values
-
-If you are modifying the `gateway` chart, you can stop here.
-All other charts, however, are exposed by `istioctl` and need to follow the steps below.
-
-The charts in the `manifests` directory are used in istioctl to generate an installation manifest.
-
-If `values.yaml` is changed, be sure to update corresponding values changes in [../profiles/default.yaml](../profiles/default.yaml)
-
-## Step 3. Update istioctl schema
-
-Istioctl uses a [schema](../../operator/pkg/apis/istio/v1alpha1/values_types.proto) to validate the values. Any changes to
-the schema must be added here, otherwise istioctl users will see errors.
-Once the schema file is updated, run:
-
-```bash
-$ make operator-proto
-```
-
-This will regenerate the Go structs used for schema validation.
-
-## Step 4. Update the generated manifests
-
-Tests of istioctl use the auto-generated manifests to ensure that the istioctl binary has the correct version of the charts.
-These manifests can be found in [gen-istio.yaml](../charts/istio-control/istio-discovery/files/gen-istio.yaml).
-To regenerate the manifests, run:
-
-```bash
-$ make copy-templates update-golden
-```
-
-## Step 5. Create a PR using outputs from Steps 1 to 4
-
-Your PR should pass all the checks if you followed these steps.
diff --git a/istio-1.18.2/manifests/charts/base/Chart.yaml b/istio-1.18.2/manifests/charts/base/Chart.yaml
deleted file mode 100644
index 8e2b4c5b..00000000
--- a/istio-1.18.2/manifests/charts/base/Chart.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-name: base
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for deploying Istio cluster resources and CRDs
-keywords:
- - istio
-sources:
- - https://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/base/README.md b/istio-1.18.2/manifests/charts/base/README.md
deleted file mode 100644
index 68bf667a..00000000
--- a/istio-1.18.2/manifests/charts/base/README.md
+++ /dev/null
@@ -1,21 +0,0 @@
-# Istio base Helm Chart
-
-This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
-
-## Setup Repo Info
-
-```console
-helm repo add istio https://istio-release.storage.googleapis.com/charts
-helm repo update
-```
-
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
-
-## Installing the Chart
-
-To install the chart with the release name `istio-base`:
-
-```console
-kubectl create namespace istio-system
-helm install istio-base istio/base -n istio-system
-```
diff --git a/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml b/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml
deleted file mode 100644
index 7c294856..00000000
--- a/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml
+++ /dev/null
@@ -1,7199 +0,0 @@
-# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: wasmplugins.extensions.istio.io
-spec:
- group: extensions.istio.io
- names:
- categories:
- - istio-io
- - extensions-istio-io
- kind: WasmPlugin
- listKind: WasmPluginList
- plural: wasmplugins
- singular: wasmplugin
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Extend the functionality provided by the Istio proxy through
- WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
- properties:
- imagePullPolicy:
- enum:
- - UNSPECIFIED_POLICY
- - IfNotPresent
- - Always
- type: string
- imagePullSecret:
- description: Credentials to use for OCI image pulling.
- type: string
- match:
- description: Specifies the criteria to determine which traffic is
- passed to WasmPlugin.
- items:
- properties:
- mode:
- description: Criteria for selecting traffic by their direction.
- enum:
- - UNDEFINED
- - CLIENT
- - SERVER
- - CLIENT_AND_SERVER
- type: string
- ports:
- description: Criteria for selecting traffic by their destination
- port.
- items:
- properties:
- number:
- type: integer
- type: object
- type: array
- type: object
- type: array
- phase:
- description: Determines where in the filter chain this `WasmPlugin`
- is to be injected.
- enum:
- - UNSPECIFIED_PHASE
- - AUTHN
- - AUTHZ
- - STATS
- type: string
- pluginConfig:
- description: The configuration that will be passed on to the plugin.
- type: object
- x-kubernetes-preserve-unknown-fields: true
- pluginName:
- type: string
- priority:
- description: Determines ordering of `WasmPlugins` in the same `phase`.
- nullable: true
- type: integer
- selector:
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- sha256:
- description: SHA256 checksum that will be used to verify Wasm module
- or OCI container.
- type: string
- url:
- description: URL of a Wasm module or OCI container.
- type: string
- verificationKey:
- type: string
- vmConfig:
- description: Configuration for a Wasm VM.
- properties:
- env:
- description: Specifies environment variables to be injected to
- this VM.
- items:
- properties:
- name:
- type: string
- value:
- description: Value for the environment variable.
- type: string
- valueFrom:
- enum:
- - INLINE
- - HOST
- type: string
- type: object
- type: array
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: destinationrules.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: DestinationRule
- listKind: DestinationRuleList
- plural: destinationrules
- shortNames:
- - dr
- singular: destinationrule
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The name of a service from the service registry
- jsonPath: .spec.host
- name: Host
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting load balancing, outlier detection,
- etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
- properties:
- exportTo:
- description: A list of namespaces to which this destination rule is
- exported.
- items:
- type: string
- type: array
- host:
- description: The name of a service from the service registry.
- type: string
- subsets:
- items:
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- name:
- description: Name of the subset.
- type: string
- trafficPolicy:
- description: Traffic policies that apply to this subset.
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should
- be upgraded to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to
- a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will
- be preserved while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the
- socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query
- parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to
- traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list
- of labels used to sort endpoints to do priority
- based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local
- origin failures from external errors.
- type: boolean
- type: object
- portLevelSettings:
- description: Traffic policies specific to individual ports.
- items:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection
- should be upgraded to http2 for the associated
- destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests
- to a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream
- connection pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per
- connection to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol
- will be preserved while initiating connection
- to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and
- TCP upstream connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP
- connections to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE
- on the socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between
- keep-alive probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer
- algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP
- header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP
- query parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev
- hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend
- hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/'
- separated, e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities
- to traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing,
- this is DestinationRule-level and will override
- mesh wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered
- list of labels used to sort endpoints to
- do priority based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of
- Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a
- host is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep
- analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish
- local origin failures from external errors.
- type: boolean
- type: object
- port:
- properties:
- number:
- type: integer
- type: object
- tls:
- description: TLS related settings for connections
- to the upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server
- during TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- tls:
- description: TLS related settings for connections to the
- upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during
- TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- tunnel:
- properties:
- protocol:
- description: Specifies which protocol to use for tunneling
- the downstream connection.
- type: string
- targetHost:
- description: Specifies a host to which the downstream
- connection is tunneled.
- type: string
- targetPort:
- description: Specifies a port to which the downstream
- connection is tunneled.
- type: integer
- type: object
- type: object
- type: object
- type: array
- trafficPolicy:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should be upgraded
- to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will be preserved
- while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the socket
- to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements consistent
- hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer implements
- consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute, failover
- or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to traffic
- distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this is DestinationRule-level
- and will override mesh wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute, failover
- or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list of labels
- used to sort endpoints to do priority based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local origin
- failures from external errors.
- type: boolean
- type: object
- portLevelSettings:
- description: Traffic policies specific to individual ports.
- items:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should
- be upgraded to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to
- a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will
- be preserved while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the
- socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query
- parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to
- traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list
- of labels used to sort endpoints to do priority
- based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local
- origin failures from external errors.
- type: boolean
- type: object
- port:
- properties:
- number:
- type: integer
- type: object
- tls:
- description: TLS related settings for connections to the
- upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during
- TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- tls:
- description: TLS related settings for connections to the upstream
- service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during TLS
- handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- tunnel:
- properties:
- protocol:
- description: Specifies which protocol to use for tunneling
- the downstream connection.
- type: string
- targetHost:
- description: Specifies a host to which the downstream connection
- is tunneled.
- type: string
- targetPort:
- description: Specifies a port to which the downstream connection
- is tunneled.
- type: integer
- type: object
- type: object
- workloadSelector:
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: The name of a service from the service registry
- jsonPath: .spec.host
- name: Host
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting load balancing, outlier detection,
- etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
- properties:
- exportTo:
- description: A list of namespaces to which this destination rule is
- exported.
- items:
- type: string
- type: array
- host:
- description: The name of a service from the service registry.
- type: string
- subsets:
- items:
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- name:
- description: Name of the subset.
- type: string
- trafficPolicy:
- description: Traffic policies that apply to this subset.
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should
- be upgraded to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to
- a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will
- be preserved while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the
- socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query
- parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to
- traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list
- of labels used to sort endpoints to do priority
- based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local
- origin failures from external errors.
- type: boolean
- type: object
- portLevelSettings:
- description: Traffic policies specific to individual ports.
- items:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection
- should be upgraded to http2 for the associated
- destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests
- to a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream
- connection pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per
- connection to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol
- will be preserved while initiating connection
- to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and
- TCP upstream connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP
- connections to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE
- on the socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between
- keep-alive probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer
- algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP
- header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP
- query parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev
- hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend
- hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/'
- separated, e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities
- to traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing,
- this is DestinationRule-level and will override
- mesh wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered
- list of labels used to sort endpoints to
- do priority based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of
- Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a
- host is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep
- analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish
- local origin failures from external errors.
- type: boolean
- type: object
- port:
- properties:
- number:
- type: integer
- type: object
- tls:
- description: TLS related settings for connections
- to the upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server
- during TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- tls:
- description: TLS related settings for connections to the
- upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during
- TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- tunnel:
- properties:
- protocol:
- description: Specifies which protocol to use for tunneling
- the downstream connection.
- type: string
- targetHost:
- description: Specifies a host to which the downstream
- connection is tunneled.
- type: string
- targetPort:
- description: Specifies a port to which the downstream
- connection is tunneled.
- type: integer
- type: object
- type: object
- type: object
- type: array
- trafficPolicy:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should be upgraded
- to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will be preserved
- while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the socket
- to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements consistent
- hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer implements
- consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute, failover
- or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to traffic
- distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this is DestinationRule-level
- and will override mesh wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute, failover
- or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list of labels
- used to sort endpoints to do priority based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local origin
- failures from external errors.
- type: boolean
- type: object
- portLevelSettings:
- description: Traffic policies specific to individual ports.
- items:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should
- be upgraded to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to
- a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will
- be preserved while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the
- socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query
- parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to
- traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list
- of labels used to sort endpoints to do priority
- based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local
- origin failures from external errors.
- type: boolean
- type: object
- port:
- properties:
- number:
- type: integer
- type: object
- tls:
- description: TLS related settings for connections to the
- upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during
- TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- tls:
- description: TLS related settings for connections to the upstream
- service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during TLS
- handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- tunnel:
- properties:
- protocol:
- description: Specifies which protocol to use for tunneling
- the downstream connection.
- type: string
- targetHost:
- description: Specifies a host to which the downstream connection
- is tunneled.
- type: string
- targetPort:
- description: Specifies a port to which the downstream connection
- is tunneled.
- type: integer
- type: object
- type: object
- workloadSelector:
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: envoyfilters.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: EnvoyFilter
- listKind: EnvoyFilterList
- plural: envoyfilters
- singular: envoyfilter
- scope: Namespaced
- versions:
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Customizing Envoy configuration generated by Istio. See
- more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
- properties:
- configPatches:
- description: One or more patches with match conditions.
- items:
- properties:
- applyTo:
- enum:
- - INVALID
- - LISTENER
- - FILTER_CHAIN
- - NETWORK_FILTER
- - HTTP_FILTER
- - ROUTE_CONFIGURATION
- - VIRTUAL_HOST
- - HTTP_ROUTE
- - CLUSTER
- - EXTENSION_CONFIG
- - BOOTSTRAP
- - LISTENER_FILTER
- type: string
- match:
- description: Match on listener/route configuration/cluster.
- oneOf:
- - not:
- anyOf:
- - required:
- - listener
- - required:
- - routeConfiguration
- - required:
- - cluster
- - required:
- - listener
- - required:
- - routeConfiguration
- - required:
- - cluster
- properties:
- cluster:
- description: Match on envoy cluster attributes.
- properties:
- name:
- description: The exact name of the cluster to match.
- type: string
- portNumber:
- description: The service port for which this cluster
- was generated.
- type: integer
- service:
- description: The fully qualified service name for this
- cluster.
- type: string
- subset:
- description: The subset associated with the service.
- type: string
- type: object
- context:
- description: The specific config generation context to match
- on.
- enum:
- - ANY
- - SIDECAR_INBOUND
- - SIDECAR_OUTBOUND
- - GATEWAY
- type: string
- listener:
- description: Match on envoy listener attributes.
- properties:
- filterChain:
- description: Match a specific filter chain in a listener.
- properties:
- applicationProtocols:
- description: Applies only to sidecars.
- type: string
- destinationPort:
- description: The destination_port value used by
- a filter chain's match condition.
- type: integer
- filter:
- description: The name of a specific filter to apply
- the patch to.
- properties:
- name:
- description: The filter name to match on.
- type: string
- subFilter:
- properties:
- name:
- description: The filter name to match on.
- type: string
- type: object
- type: object
- name:
- description: The name assigned to the filter chain.
- type: string
- sni:
- description: The SNI value used by a filter chain's
- match condition.
- type: string
- transportProtocol:
- description: Applies only to `SIDECAR_INBOUND` context.
- type: string
- type: object
- listenerFilter:
- description: Match a specific listener filter.
- type: string
- name:
- description: Match a specific listener by its name.
- type: string
- portName:
- type: string
- portNumber:
- type: integer
- type: object
- proxy:
- description: Match on properties associated with a proxy.
- properties:
- metadata:
- additionalProperties:
- type: string
- type: object
- proxyVersion:
- type: string
- type: object
- routeConfiguration:
- description: Match on envoy HTTP route configuration attributes.
- properties:
- gateway:
- type: string
- name:
- description: Route configuration name to match on.
- type: string
- portName:
- description: Applicable only for GATEWAY context.
- type: string
- portNumber:
- type: integer
- vhost:
- properties:
- name:
- type: string
- route:
- description: Match a specific route within the virtual
- host.
- properties:
- action:
- description: Match a route with specific action
- type.
- enum:
- - ANY
- - ROUTE
- - REDIRECT
- - DIRECT_RESPONSE
- type: string
- name:
- type: string
- type: object
- type: object
- type: object
- type: object
- patch:
- description: The patch to apply along with the operation.
- properties:
- filterClass:
- description: Determines the filter insertion order.
- enum:
- - UNSPECIFIED
- - AUTHN
- - AUTHZ
- - STATS
- type: string
- operation:
- description: Determines how the patch should be applied.
- enum:
- - INVALID
- - MERGE
- - ADD
- - REMOVE
- - INSERT_BEFORE
- - INSERT_AFTER
- - INSERT_FIRST
- - REPLACE
- type: string
- value:
- description: The JSON config of the object being patched.
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- priority:
- description: Priority defines the order in which patch sets are applied
- within a context.
- format: int32
- type: integer
- workloadSelector:
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: gateways.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: Gateway
- listKind: GatewayList
- plural: gateways
- shortNames:
- - gw
- singular: gateway
- scope: Namespaced
- versions:
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting edge load balancer. See more details
- at: https://istio.io/docs/reference/config/networking/gateway.html'
- properties:
- selector:
- additionalProperties:
- type: string
- type: object
- servers:
- description: A list of server specifications.
- items:
- properties:
- bind:
- type: string
- defaultEndpoint:
- type: string
- hosts:
- description: One or more hosts exposed by this gateway.
- items:
- type: string
- type: array
- name:
- description: An optional name of the server, when set must be
- unique across all servers.
- type: string
- port:
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- tls:
- description: Set of TLS related options that govern the server's
- behavior.
- properties:
- caCertificates:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- cipherSuites:
- description: 'Optional: If specified, only support the specified
- cipher list.'
- items:
- type: string
- type: array
- credentialName:
- type: string
- httpsRedirect:
- type: boolean
- maxProtocolVersion:
- description: 'Optional: Maximum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- minProtocolVersion:
- description: 'Optional: Minimum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- mode:
- enum:
- - PASSTHROUGH
- - SIMPLE
- - MUTUAL
- - AUTO_PASSTHROUGH
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- serverCertificate:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- verifyCertificateHash:
- items:
- type: string
- type: array
- verifyCertificateSpki:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting edge load balancer. See more details
- at: https://istio.io/docs/reference/config/networking/gateway.html'
- properties:
- selector:
- additionalProperties:
- type: string
- type: object
- servers:
- description: A list of server specifications.
- items:
- properties:
- bind:
- type: string
- defaultEndpoint:
- type: string
- hosts:
- description: One or more hosts exposed by this gateway.
- items:
- type: string
- type: array
- name:
- description: An optional name of the server, when set must be
- unique across all servers.
- type: string
- port:
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- tls:
- description: Set of TLS related options that govern the server's
- behavior.
- properties:
- caCertificates:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- cipherSuites:
- description: 'Optional: If specified, only support the specified
- cipher list.'
- items:
- type: string
- type: array
- credentialName:
- type: string
- httpsRedirect:
- type: boolean
- maxProtocolVersion:
- description: 'Optional: Maximum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- minProtocolVersion:
- description: 'Optional: Minimum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- mode:
- enum:
- - PASSTHROUGH
- - SIMPLE
- - MUTUAL
- - AUTO_PASSTHROUGH
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- serverCertificate:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- verifyCertificateHash:
- items:
- type: string
- type: array
- verifyCertificateSpki:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: proxyconfigs.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: ProxyConfig
- listKind: ProxyConfigList
- plural: proxyconfigs
- singular: proxyconfig
- scope: Namespaced
- versions:
- - name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Provides configuration for individual workloads. See more
- details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
- properties:
- concurrency:
- description: The number of worker threads to run.
- nullable: true
- type: integer
- environmentVariables:
- additionalProperties:
- type: string
- description: Additional environment variables for the proxy.
- type: object
- image:
- description: Specifies the details of the proxy image.
- properties:
- imageType:
- description: The image type of the image.
- type: string
- type: object
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: serviceentries.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: ServiceEntry
- listKind: ServiceEntryList
- plural: serviceentries
- shortNames:
- - se
- singular: serviceentry
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The hosts associated with the ServiceEntry
- jsonPath: .spec.hosts
- name: Hosts
- type: string
- - description: Whether the service is external to the mesh or part of the mesh
- (MESH_EXTERNAL or MESH_INTERNAL)
- jsonPath: .spec.location
- name: Location
- type: string
- - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
- jsonPath: .spec.resolution
- name: Resolution
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting service registry. See more details
- at: https://istio.io/docs/reference/config/networking/service-entry.html'
- properties:
- addresses:
- description: The virtual IP addresses associated with the service.
- items:
- type: string
- type: array
- endpoints:
- description: One or more endpoints associated with the service.
- items:
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- type: array
- exportTo:
- description: A list of namespaces to which this service is exported.
- items:
- type: string
- type: array
- hosts:
- description: The hosts associated with the ServiceEntry.
- items:
- type: string
- type: array
- location:
- enum:
- - MESH_EXTERNAL
- - MESH_INTERNAL
- type: string
- ports:
- description: The ports associated with the external service.
- items:
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- type: array
- resolution:
- description: Service resolution mode for the hosts.
- enum:
- - NONE
- - STATIC
- - DNS
- - DNS_ROUND_ROBIN
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- workloadSelector:
- description: Applicable only for MESH_INTERNAL services.
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: The hosts associated with the ServiceEntry
- jsonPath: .spec.hosts
- name: Hosts
- type: string
- - description: Whether the service is external to the mesh or part of the mesh
- (MESH_EXTERNAL or MESH_INTERNAL)
- jsonPath: .spec.location
- name: Location
- type: string
- - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
- jsonPath: .spec.resolution
- name: Resolution
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting service registry. See more details
- at: https://istio.io/docs/reference/config/networking/service-entry.html'
- properties:
- addresses:
- description: The virtual IP addresses associated with the service.
- items:
- type: string
- type: array
- endpoints:
- description: One or more endpoints associated with the service.
- items:
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- type: array
- exportTo:
- description: A list of namespaces to which this service is exported.
- items:
- type: string
- type: array
- hosts:
- description: The hosts associated with the ServiceEntry.
- items:
- type: string
- type: array
- location:
- enum:
- - MESH_EXTERNAL
- - MESH_INTERNAL
- type: string
- ports:
- description: The ports associated with the external service.
- items:
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- type: array
- resolution:
- description: Service resolution mode for the hosts.
- enum:
- - NONE
- - STATIC
- - DNS
- - DNS_ROUND_ROBIN
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- workloadSelector:
- description: Applicable only for MESH_INTERNAL services.
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: sidecars.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: Sidecar
- listKind: SidecarList
- plural: sidecars
- singular: sidecar
- scope: Namespaced
- versions:
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting network reachability of a sidecar.
- See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
- properties:
- egress:
- items:
- properties:
- bind:
- type: string
- captureMode:
- enum:
- - DEFAULT
- - IPTABLES
- - NONE
- type: string
- hosts:
- items:
- type: string
- type: array
- port:
- description: The port associated with the listener.
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- type: object
- type: array
- ingress:
- items:
- properties:
- bind:
- description: The IP(IPv4 or IPv6) to which the listener should
- be bound.
- type: string
- captureMode:
- enum:
- - DEFAULT
- - IPTABLES
- - NONE
- type: string
- defaultEndpoint:
- type: string
- port:
- description: The port associated with the listener.
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- tls:
- properties:
- caCertificates:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- cipherSuites:
- description: 'Optional: If specified, only support the specified
- cipher list.'
- items:
- type: string
- type: array
- credentialName:
- type: string
- httpsRedirect:
- type: boolean
- maxProtocolVersion:
- description: 'Optional: Maximum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- minProtocolVersion:
- description: 'Optional: Minimum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- mode:
- enum:
- - PASSTHROUGH
- - SIMPLE
- - MUTUAL
- - AUTO_PASSTHROUGH
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- serverCertificate:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- verifyCertificateHash:
- items:
- type: string
- type: array
- verifyCertificateSpki:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- outboundTrafficPolicy:
- description: Configuration for the outbound traffic policy.
- properties:
- egressProxy:
- properties:
- host:
- description: The name of a service from the service registry.
- type: string
- port:
- description: Specifies the port on the host that is being
- addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- mode:
- enum:
- - REGISTRY_ONLY
- - ALLOW_ANY
- type: string
- type: object
- workloadSelector:
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting network reachability of a sidecar.
- See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
- properties:
- egress:
- items:
- properties:
- bind:
- type: string
- captureMode:
- enum:
- - DEFAULT
- - IPTABLES
- - NONE
- type: string
- hosts:
- items:
- type: string
- type: array
- port:
- description: The port associated with the listener.
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- type: object
- type: array
- ingress:
- items:
- properties:
- bind:
- description: The IP(IPv4 or IPv6) to which the listener should
- be bound.
- type: string
- captureMode:
- enum:
- - DEFAULT
- - IPTABLES
- - NONE
- type: string
- defaultEndpoint:
- type: string
- port:
- description: The port associated with the listener.
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- tls:
- properties:
- caCertificates:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- cipherSuites:
- description: 'Optional: If specified, only support the specified
- cipher list.'
- items:
- type: string
- type: array
- credentialName:
- type: string
- httpsRedirect:
- type: boolean
- maxProtocolVersion:
- description: 'Optional: Maximum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- minProtocolVersion:
- description: 'Optional: Minimum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- mode:
- enum:
- - PASSTHROUGH
- - SIMPLE
- - MUTUAL
- - AUTO_PASSTHROUGH
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- serverCertificate:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- verifyCertificateHash:
- items:
- type: string
- type: array
- verifyCertificateSpki:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- outboundTrafficPolicy:
- description: Configuration for the outbound traffic policy.
- properties:
- egressProxy:
- properties:
- host:
- description: The name of a service from the service registry.
- type: string
- port:
- description: Specifies the port on the host that is being
- addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- mode:
- enum:
- - REGISTRY_ONLY
- - ALLOW_ANY
- type: string
- type: object
- workloadSelector:
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: virtualservices.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: VirtualService
- listKind: VirtualServiceList
- plural: virtualservices
- shortNames:
- - vs
- singular: virtualservice
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The names of gateways and sidecars that should apply these routes
- jsonPath: .spec.gateways
- name: Gateways
- type: string
- - description: The destination hosts to which traffic is being sent
- jsonPath: .spec.hosts
- name: Hosts
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting label/content routing, sni routing,
- etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
- properties:
- exportTo:
- description: A list of namespaces to which this virtual service is
- exported.
- items:
- type: string
- type: array
- gateways:
- description: The names of gateways and sidecars that should apply
- these routes.
- items:
- type: string
- type: array
- hosts:
- description: The destination hosts to which traffic is being sent.
- items:
- type: string
- type: array
- http:
- description: An ordered list of route rules for HTTP traffic.
- items:
- properties:
- corsPolicy:
- description: Cross-Origin Resource Sharing policy (CORS).
- properties:
- allowCredentials:
- nullable: true
- type: boolean
- allowHeaders:
- items:
- type: string
- type: array
- allowMethods:
- description: List of HTTP methods allowed to access the
- resource.
- items:
- type: string
- type: array
- allowOrigin:
- description: The list of origins that are allowed to perform
- CORS requests.
- items:
- type: string
- type: array
- allowOrigins:
- description: String patterns that match allowed origins.
- items:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- type: array
- exposeHeaders:
- items:
- type: string
- type: array
- maxAge:
- type: string
- type: object
- delegate:
- properties:
- name:
- description: Name specifies the name of the delegate VirtualService.
- type: string
- namespace:
- description: Namespace specifies the namespace where the
- delegate VirtualService resides.
- type: string
- type: object
- directResponse:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- properties:
- body:
- description: Specifies the content of the response body.
- oneOf:
- - not:
- anyOf:
- - required:
- - string
- - required:
- - bytes
- - required:
- - string
- - required:
- - bytes
- properties:
- bytes:
- description: response body as base64 encoded bytes.
- format: binary
- type: string
- string:
- type: string
- type: object
- status:
- description: Specifies the HTTP response status to be returned.
- type: integer
- type: object
- fault:
- description: Fault injection policy to apply on HTTP traffic
- at the client side.
- properties:
- abort:
- oneOf:
- - not:
- anyOf:
- - required:
- - httpStatus
- - required:
- - grpcStatus
- - required:
- - http2Error
- - required:
- - httpStatus
- - required:
- - grpcStatus
- - required:
- - http2Error
- properties:
- grpcStatus:
- description: GRPC status code to use to abort the request.
- type: string
- http2Error:
- type: string
- httpStatus:
- description: HTTP status code to use to abort the Http
- request.
- format: int32
- type: integer
- percentage:
- description: Percentage of requests to be aborted with
- the error code provided.
- properties:
- value:
- format: double
- type: number
- type: object
- type: object
- delay:
- oneOf:
- - not:
- anyOf:
- - required:
- - fixedDelay
- - required:
- - exponentialDelay
- - required:
- - fixedDelay
- - required:
- - exponentialDelay
- properties:
- exponentialDelay:
- type: string
- fixedDelay:
- description: Add a fixed delay before forwarding the
- request.
- type: string
- percent:
- description: Percentage of requests on which the delay
- will be injected (0-100).
- format: int32
- type: integer
- percentage:
- description: Percentage of requests on which the delay
- will be injected.
- properties:
- value:
- format: double
- type: number
- type: object
- type: object
- type: object
- headers:
- properties:
- request:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- response:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- match:
- items:
- properties:
- authority:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- headers:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- type: object
- ignoreUriCase:
- description: Flag to specify whether the URI matching
- should be case-insensitive.
- type: boolean
- method:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- name:
- description: The name assigned to a match.
- type: string
- port:
- description: Specifies the ports on the host that is being
- addressed.
- type: integer
- queryParams:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- description: Query parameters for matching.
- type: object
- scheme:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- statPrefix:
- description: The human readable prefix to use when emitting
- statistics for this route.
- type: string
- uri:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- withoutHeaders:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- description: withoutHeader has the same syntax with the
- header, but has opposite meaning.
- type: object
- type: object
- type: array
- mirror:
- properties:
- host:
- description: The name of a service from the service registry.
- type: string
- port:
- description: Specifies the port on the host that is being
- addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- mirror_percent:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- nullable: true
- type: integer
- mirrorPercent:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- nullable: true
- type: integer
- mirrorPercentage:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- properties:
- value:
- format: double
- type: number
- type: object
- name:
- description: The name assigned to the route for debugging purposes.
- type: string
- redirect:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- oneOf:
- - not:
- anyOf:
- - required:
- - port
- - required:
- - derivePort
- - required:
- - port
- - required:
- - derivePort
- properties:
- authority:
- type: string
- derivePort:
- enum:
- - FROM_PROTOCOL_DEFAULT
- - FROM_REQUEST_PORT
- type: string
- port:
- description: On a redirect, overwrite the port portion of
- the URL with this value.
- type: integer
- redirectCode:
- type: integer
- scheme:
- description: On a redirect, overwrite the scheme portion
- of the URL with this value.
- type: string
- uri:
- type: string
- type: object
- retries:
- description: Retry policy for HTTP requests.
- properties:
- attempts:
- description: Number of retries to be allowed for a given
- request.
- format: int32
- type: integer
- perTryTimeout:
- description: Timeout per attempt for a given request, including
- the initial call and any retries.
- type: string
- retryOn:
- description: Specifies the conditions under which retry
- takes place.
- type: string
- retryRemoteLocalities:
- description: Flag to specify whether the retries should
- retry to other localities.
- nullable: true
- type: boolean
- type: object
- rewrite:
- description: Rewrite HTTP URIs and Authority headers.
- properties:
- authority:
- description: rewrite the Authority/Host header with this
- value.
- type: string
- uri:
- type: string
- type: object
- route:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- headers:
- properties:
- request:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- response:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- timeout:
- description: Timeout for HTTP requests, default is disabled.
- type: string
- type: object
- type: array
- tcp:
- description: An ordered list of route rules for opaque TCP traffic.
- items:
- properties:
- match:
- items:
- properties:
- destinationSubnets:
- description: IPv4 or IPv6 ip addresses of destination
- with optional subnet.
- items:
- type: string
- type: array
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- port:
- description: Specifies the port on the host that is being
- addressed.
- type: integer
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- sourceSubnet:
- description: IPv4 or IPv6 ip address of source with optional
- subnet.
- type: string
- type: object
- type: array
- route:
- description: The destination to which the connection should
- be forwarded to.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- type: object
- type: array
- tls:
- items:
- properties:
- match:
- items:
- properties:
- destinationSubnets:
- description: IPv4 or IPv6 ip addresses of destination
- with optional subnet.
- items:
- type: string
- type: array
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- port:
- description: Specifies the port on the host that is being
- addressed.
- type: integer
- sniHosts:
- description: SNI (server name indicator) to match on.
- items:
- type: string
- type: array
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- type: object
- type: array
- route:
- description: The destination to which the connection should
- be forwarded to.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- type: object
- type: array
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: The names of gateways and sidecars that should apply these routes
- jsonPath: .spec.gateways
- name: Gateways
- type: string
- - description: The destination hosts to which traffic is being sent
- jsonPath: .spec.hosts
- name: Hosts
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting label/content routing, sni routing,
- etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
- properties:
- exportTo:
- description: A list of namespaces to which this virtual service is
- exported.
- items:
- type: string
- type: array
- gateways:
- description: The names of gateways and sidecars that should apply
- these routes.
- items:
- type: string
- type: array
- hosts:
- description: The destination hosts to which traffic is being sent.
- items:
- type: string
- type: array
- http:
- description: An ordered list of route rules for HTTP traffic.
- items:
- properties:
- corsPolicy:
- description: Cross-Origin Resource Sharing policy (CORS).
- properties:
- allowCredentials:
- nullable: true
- type: boolean
- allowHeaders:
- items:
- type: string
- type: array
- allowMethods:
- description: List of HTTP methods allowed to access the
- resource.
- items:
- type: string
- type: array
- allowOrigin:
- description: The list of origins that are allowed to perform
- CORS requests.
- items:
- type: string
- type: array
- allowOrigins:
- description: String patterns that match allowed origins.
- items:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- type: array
- exposeHeaders:
- items:
- type: string
- type: array
- maxAge:
- type: string
- type: object
- delegate:
- properties:
- name:
- description: Name specifies the name of the delegate VirtualService.
- type: string
- namespace:
- description: Namespace specifies the namespace where the
- delegate VirtualService resides.
- type: string
- type: object
- directResponse:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- properties:
- body:
- description: Specifies the content of the response body.
- oneOf:
- - not:
- anyOf:
- - required:
- - string
- - required:
- - bytes
- - required:
- - string
- - required:
- - bytes
- properties:
- bytes:
- description: response body as base64 encoded bytes.
- format: binary
- type: string
- string:
- type: string
- type: object
- status:
- description: Specifies the HTTP response status to be returned.
- type: integer
- type: object
- fault:
- description: Fault injection policy to apply on HTTP traffic
- at the client side.
- properties:
- abort:
- oneOf:
- - not:
- anyOf:
- - required:
- - httpStatus
- - required:
- - grpcStatus
- - required:
- - http2Error
- - required:
- - httpStatus
- - required:
- - grpcStatus
- - required:
- - http2Error
- properties:
- grpcStatus:
- description: GRPC status code to use to abort the request.
- type: string
- http2Error:
- type: string
- httpStatus:
- description: HTTP status code to use to abort the Http
- request.
- format: int32
- type: integer
- percentage:
- description: Percentage of requests to be aborted with
- the error code provided.
- properties:
- value:
- format: double
- type: number
- type: object
- type: object
- delay:
- oneOf:
- - not:
- anyOf:
- - required:
- - fixedDelay
- - required:
- - exponentialDelay
- - required:
- - fixedDelay
- - required:
- - exponentialDelay
- properties:
- exponentialDelay:
- type: string
- fixedDelay:
- description: Add a fixed delay before forwarding the
- request.
- type: string
- percent:
- description: Percentage of requests on which the delay
- will be injected (0-100).
- format: int32
- type: integer
- percentage:
- description: Percentage of requests on which the delay
- will be injected.
- properties:
- value:
- format: double
- type: number
- type: object
- type: object
- type: object
- headers:
- properties:
- request:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- response:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- match:
- items:
- properties:
- authority:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- headers:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- type: object
- ignoreUriCase:
- description: Flag to specify whether the URI matching
- should be case-insensitive.
- type: boolean
- method:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- name:
- description: The name assigned to a match.
- type: string
- port:
- description: Specifies the ports on the host that is being
- addressed.
- type: integer
- queryParams:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- description: Query parameters for matching.
- type: object
- scheme:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- statPrefix:
- description: The human readable prefix to use when emitting
- statistics for this route.
- type: string
- uri:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- withoutHeaders:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- description: withoutHeader has the same syntax with the
- header, but has opposite meaning.
- type: object
- type: object
- type: array
- mirror:
- properties:
- host:
- description: The name of a service from the service registry.
- type: string
- port:
- description: Specifies the port on the host that is being
- addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- mirror_percent:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- nullable: true
- type: integer
- mirrorPercent:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- nullable: true
- type: integer
- mirrorPercentage:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- properties:
- value:
- format: double
- type: number
- type: object
- name:
- description: The name assigned to the route for debugging purposes.
- type: string
- redirect:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- oneOf:
- - not:
- anyOf:
- - required:
- - port
- - required:
- - derivePort
- - required:
- - port
- - required:
- - derivePort
- properties:
- authority:
- type: string
- derivePort:
- enum:
- - FROM_PROTOCOL_DEFAULT
- - FROM_REQUEST_PORT
- type: string
- port:
- description: On a redirect, overwrite the port portion of
- the URL with this value.
- type: integer
- redirectCode:
- type: integer
- scheme:
- description: On a redirect, overwrite the scheme portion
- of the URL with this value.
- type: string
- uri:
- type: string
- type: object
- retries:
- description: Retry policy for HTTP requests.
- properties:
- attempts:
- description: Number of retries to be allowed for a given
- request.
- format: int32
- type: integer
- perTryTimeout:
- description: Timeout per attempt for a given request, including
- the initial call and any retries.
- type: string
- retryOn:
- description: Specifies the conditions under which retry
- takes place.
- type: string
- retryRemoteLocalities:
- description: Flag to specify whether the retries should
- retry to other localities.
- nullable: true
- type: boolean
- type: object
- rewrite:
- description: Rewrite HTTP URIs and Authority headers.
- properties:
- authority:
- description: rewrite the Authority/Host header with this
- value.
- type: string
- uri:
- type: string
- type: object
- route:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- headers:
- properties:
- request:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- response:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- timeout:
- description: Timeout for HTTP requests, default is disabled.
- type: string
- type: object
- type: array
- tcp:
- description: An ordered list of route rules for opaque TCP traffic.
- items:
- properties:
- match:
- items:
- properties:
- destinationSubnets:
- description: IPv4 or IPv6 ip addresses of destination
- with optional subnet.
- items:
- type: string
- type: array
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- port:
- description: Specifies the port on the host that is being
- addressed.
- type: integer
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- sourceSubnet:
- description: IPv4 or IPv6 ip address of source with optional
- subnet.
- type: string
- type: object
- type: array
- route:
- description: The destination to which the connection should
- be forwarded to.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- type: object
- type: array
- tls:
- items:
- properties:
- match:
- items:
- properties:
- destinationSubnets:
- description: IPv4 or IPv6 ip addresses of destination
- with optional subnet.
- items:
- type: string
- type: array
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- port:
- description: Specifies the port on the host that is being
- addressed.
- type: integer
- sniHosts:
- description: SNI (server name indicator) to match on.
- items:
- type: string
- type: array
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- type: object
- type: array
- route:
- description: The destination to which the connection should
- be forwarded to.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- type: object
- type: array
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: workloadentries.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: WorkloadEntry
- listKind: WorkloadEntryList
- plural: workloadentries
- shortNames:
- - we
- singular: workloadentry
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - description: Address associated with the network endpoint.
- jsonPath: .spec.address
- name: Address
- type: string
- name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting VMs onboarded into the mesh. See
- more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - description: Address associated with the network endpoint.
- jsonPath: .spec.address
- name: Address
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting VMs onboarded into the mesh. See
- more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: workloadgroups.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: WorkloadGroup
- listKind: WorkloadGroupList
- plural: workloadgroups
- shortNames:
- - wg
- singular: workloadgroup
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Describes a collection of workload instances. See more details
- at: https://istio.io/docs/reference/config/networking/workload-group.html'
- properties:
- metadata:
- description: Metadata that will be used for all corresponding `WorkloadEntries`.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- probe:
- description: '`ReadinessProbe` describes the configuration the user
- must provide for healthchecking on their workload.'
- oneOf:
- - not:
- anyOf:
- - required:
- - httpGet
- - required:
- - tcpSocket
- - required:
- - exec
- - required:
- - httpGet
- - required:
- - tcpSocket
- - required:
- - exec
- properties:
- exec:
- description: Health is determined by how the command that is executed
- exited.
- properties:
- command:
- description: Command to run.
- items:
- type: string
- type: array
- type: object
- failureThreshold:
- description: Minimum consecutive failures for the probe to be
- considered failed after having succeeded.
- format: int32
- type: integer
- httpGet:
- properties:
- host:
- description: Host name to connect to, defaults to the pod
- IP.
- type: string
- httpHeaders:
- description: Headers the proxy will pass on to make the request.
- items:
- properties:
- name:
- type: string
- value:
- type: string
- type: object
- type: array
- path:
- description: Path to access on the HTTP server.
- type: string
- port:
- description: Port on which the endpoint lives.
- type: integer
- scheme:
- type: string
- type: object
- initialDelaySeconds:
- description: Number of seconds after the container has started
- before readiness probes are initiated.
- format: int32
- type: integer
- periodSeconds:
- description: How often (in seconds) to perform the probe.
- format: int32
- type: integer
- successThreshold:
- description: Minimum consecutive successes for the probe to be
- considered successful after having failed.
- format: int32
- type: integer
- tcpSocket:
- description: Health is determined by if the proxy is able to connect.
- properties:
- host:
- type: string
- port:
- type: integer
- type: object
- timeoutSeconds:
- description: Number of seconds after which the probe times out.
- format: int32
- type: integer
- type: object
- template:
- description: Template to be used for the generation of `WorkloadEntry`
- resources that belong to this `WorkloadGroup`.
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- metadata:
- description: Metadata that will be used for all corresponding `WorkloadEntries`.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- probe:
- description: '`ReadinessProbe` describes the configuration the user
- must provide for healthchecking on their workload.'
- oneOf:
- - not:
- anyOf:
- - required:
- - httpGet
- - required:
- - tcpSocket
- - required:
- - exec
- - required:
- - httpGet
- - required:
- - tcpSocket
- - required:
- - exec
- properties:
- exec:
- description: Health is determined by how the command that is executed
- exited.
- properties:
- command:
- description: Command to run.
- items:
- type: string
- type: array
- type: object
- failureThreshold:
- description: Minimum consecutive failures for the probe to be
- considered failed after having succeeded.
- format: int32
- type: integer
- httpGet:
- properties:
- host:
- description: Host name to connect to, defaults to the pod
- IP.
- type: string
- httpHeaders:
- description: Headers the proxy will pass on to make the request.
- items:
- properties:
- name:
- type: string
- value:
- type: string
- type: object
- type: array
- path:
- description: Path to access on the HTTP server.
- type: string
- port:
- description: Port on which the endpoint lives.
- type: integer
- scheme:
- type: string
- type: object
- initialDelaySeconds:
- description: Number of seconds after the container has started
- before readiness probes are initiated.
- format: int32
- type: integer
- periodSeconds:
- description: How often (in seconds) to perform the probe.
- format: int32
- type: integer
- successThreshold:
- description: Minimum consecutive successes for the probe to be
- considered successful after having failed.
- format: int32
- type: integer
- tcpSocket:
- description: Health is determined by if the proxy is able to connect.
- properties:
- host:
- type: string
- port:
- type: integer
- type: object
- timeoutSeconds:
- description: Number of seconds after which the probe times out.
- format: int32
- type: integer
- type: object
- template:
- description: Template to be used for the generation of `WorkloadEntry`
- resources that belong to this `WorkloadGroup`.
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
- name: authorizationpolicies.security.istio.io
-spec:
- group: security.istio.io
- names:
- categories:
- - istio-io
- - security-istio-io
- kind: AuthorizationPolicy
- listKind: AuthorizationPolicyList
- plural: authorizationpolicies
- singular: authorizationpolicy
- scope: Namespaced
- versions:
- - name: v1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration for access control on workloads. See more
- details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
- oneOf:
- - not:
- anyOf:
- - required:
- - provider
- - required:
- - provider
- properties:
- action:
- description: Optional.
- enum:
- - ALLOW
- - DENY
- - AUDIT
- - CUSTOM
- type: string
- provider:
- description: Specifies detailed configuration of the CUSTOM action.
- properties:
- name:
- description: Specifies the name of the extension provider.
- type: string
- type: object
- rules:
- description: Optional.
- items:
- properties:
- from:
- description: Optional.
- items:
- properties:
- source:
- description: Source specifies the source of a request.
- properties:
- ipBlocks:
- description: Optional.
- items:
- type: string
- type: array
- namespaces:
- description: Optional.
- items:
- type: string
- type: array
- notIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- notNamespaces:
- description: Optional.
- items:
- type: string
- type: array
- notPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- notRemoteIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- notRequestPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- principals:
- description: Optional.
- items:
- type: string
- type: array
- remoteIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- requestPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- to:
- description: Optional.
- items:
- properties:
- operation:
- description: Operation specifies the operation of a request.
- properties:
- hosts:
- description: Optional.
- items:
- type: string
- type: array
- methods:
- description: Optional.
- items:
- type: string
- type: array
- notHosts:
- description: Optional.
- items:
- type: string
- type: array
- notMethods:
- description: Optional.
- items:
- type: string
- type: array
- notPaths:
- description: Optional.
- items:
- type: string
- type: array
- notPorts:
- description: Optional.
- items:
- type: string
- type: array
- paths:
- description: Optional.
- items:
- type: string
- type: array
- ports:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- when:
- description: Optional.
- items:
- properties:
- key:
- description: The name of an Istio attribute.
- type: string
- notValues:
- description: Optional.
- items:
- type: string
- type: array
- values:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: array
- type: object
- type: array
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration for access control on workloads. See more
- details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
- oneOf:
- - not:
- anyOf:
- - required:
- - provider
- - required:
- - provider
- properties:
- action:
- description: Optional.
- enum:
- - ALLOW
- - DENY
- - AUDIT
- - CUSTOM
- type: string
- provider:
- description: Specifies detailed configuration of the CUSTOM action.
- properties:
- name:
- description: Specifies the name of the extension provider.
- type: string
- type: object
- rules:
- description: Optional.
- items:
- properties:
- from:
- description: Optional.
- items:
- properties:
- source:
- description: Source specifies the source of a request.
- properties:
- ipBlocks:
- description: Optional.
- items:
- type: string
- type: array
- namespaces:
- description: Optional.
- items:
- type: string
- type: array
- notIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- notNamespaces:
- description: Optional.
- items:
- type: string
- type: array
- notPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- notRemoteIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- notRequestPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- principals:
- description: Optional.
- items:
- type: string
- type: array
- remoteIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- requestPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- to:
- description: Optional.
- items:
- properties:
- operation:
- description: Operation specifies the operation of a request.
- properties:
- hosts:
- description: Optional.
- items:
- type: string
- type: array
- methods:
- description: Optional.
- items:
- type: string
- type: array
- notHosts:
- description: Optional.
- items:
- type: string
- type: array
- notMethods:
- description: Optional.
- items:
- type: string
- type: array
- notPaths:
- description: Optional.
- items:
- type: string
- type: array
- notPorts:
- description: Optional.
- items:
- type: string
- type: array
- paths:
- description: Optional.
- items:
- type: string
- type: array
- ports:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- when:
- description: Optional.
- items:
- properties:
- key:
- description: The name of an Istio attribute.
- type: string
- notValues:
- description: Optional.
- items:
- type: string
- type: array
- values:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: array
- type: object
- type: array
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
- name: peerauthentications.security.istio.io
-spec:
- group: security.istio.io
- names:
- categories:
- - istio-io
- - security-istio-io
- kind: PeerAuthentication
- listKind: PeerAuthenticationList
- plural: peerauthentications
- shortNames:
- - pa
- singular: peerauthentication
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Defines the mTLS mode used for peer authentication.
- jsonPath: .spec.mtls.mode
- name: Mode
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: PeerAuthentication defines how traffic will be tunneled (or
- not) to the sidecar.
- properties:
- mtls:
- description: Mutual TLS settings for workload.
- properties:
- mode:
- description: Defines the mTLS mode used for peer authentication.
- enum:
- - UNSET
- - DISABLE
- - PERMISSIVE
- - STRICT
- type: string
- type: object
- portLevelMtls:
- additionalProperties:
- properties:
- mode:
- description: Defines the mTLS mode used for peer authentication.
- enum:
- - UNSET
- - DISABLE
- - PERMISSIVE
- - STRICT
- type: string
- type: object
- description: Port specific mutual TLS settings.
- type: object
- selector:
- description: The selector determines the workloads to apply the ChannelAuthentication
- on.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
- name: requestauthentications.security.istio.io
-spec:
- group: security.istio.io
- names:
- categories:
- - istio-io
- - security-istio-io
- kind: RequestAuthentication
- listKind: RequestAuthenticationList
- plural: requestauthentications
- shortNames:
- - ra
- singular: requestauthentication
- scope: Namespaced
- versions:
- - name: v1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: RequestAuthentication defines what request authentication
- methods are supported by a workload.
- properties:
- jwtRules:
- description: Define the list of JWTs that can be validated at the
- selected workloads' proxy.
- items:
- properties:
- audiences:
- items:
- type: string
- type: array
- forwardOriginalToken:
- description: If set to true, the original token will be kept
- for the upstream request.
- type: boolean
- fromHeaders:
- description: List of header locations from which JWT is expected.
- items:
- properties:
- name:
- description: The HTTP header name.
- type: string
- prefix:
- description: The prefix that should be stripped before
- decoding the token.
- type: string
- type: object
- type: array
- fromParams:
- description: List of query parameters from which JWT is expected.
- items:
- type: string
- type: array
- issuer:
- description: Identifies the issuer that issued the JWT.
- type: string
- jwks:
- description: JSON Web Key Set of public keys to validate signature
- of the JWT.
- type: string
- jwks_uri:
- type: string
- jwksUri:
- type: string
- outputClaimToHeaders:
- description: This field specifies a list of operations to copy
- the claim to HTTP headers on a successfully verified token.
- items:
- properties:
- claim:
- description: The name of the claim to be copied from.
- type: string
- header:
- description: The name of the header to be created.
- type: string
- type: object
- type: array
- outputPayloadToHeader:
- type: string
- type: object
- type: array
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: RequestAuthentication defines what request authentication
- methods are supported by a workload.
- properties:
- jwtRules:
- description: Define the list of JWTs that can be validated at the
- selected workloads' proxy.
- items:
- properties:
- audiences:
- items:
- type: string
- type: array
- forwardOriginalToken:
- description: If set to true, the original token will be kept
- for the upstream request.
- type: boolean
- fromHeaders:
- description: List of header locations from which JWT is expected.
- items:
- properties:
- name:
- description: The HTTP header name.
- type: string
- prefix:
- description: The prefix that should be stripped before
- decoding the token.
- type: string
- type: object
- type: array
- fromParams:
- description: List of query parameters from which JWT is expected.
- items:
- type: string
- type: array
- issuer:
- description: Identifies the issuer that issued the JWT.
- type: string
- jwks:
- description: JSON Web Key Set of public keys to validate signature
- of the JWT.
- type: string
- jwks_uri:
- type: string
- jwksUri:
- type: string
- outputClaimToHeaders:
- description: This field specifies a list of operations to copy
- the claim to HTTP headers on a successfully verified token.
- items:
- properties:
- claim:
- description: The name of the claim to be copied from.
- type: string
- header:
- description: The name of the header to be created.
- type: string
- type: object
- type: array
- outputPayloadToHeader:
- type: string
- type: object
- type: array
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: telemetry
- release: istio
- name: telemetries.telemetry.istio.io
-spec:
- group: telemetry.istio.io
- names:
- categories:
- - istio-io
- - telemetry-istio-io
- kind: Telemetry
- listKind: TelemetryList
- plural: telemetries
- shortNames:
- - telemetry
- singular: telemetry
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Telemetry configuration for workloads. See more details
- at: https://istio.io/docs/reference/config/telemetry.html'
- properties:
- accessLogging:
- description: Optional.
- items:
- properties:
- disabled:
- description: Controls logging.
- nullable: true
- type: boolean
- filter:
- description: Optional.
- properties:
- expression:
- description: CEL expression for selecting when requests/connections
- should be logged.
- type: string
- type: object
- match:
- description: Allows tailoring of logging behavior to specific
- conditions.
- properties:
- mode:
- enum:
- - CLIENT_AND_SERVER
- - CLIENT
- - SERVER
- type: string
- type: object
- providers:
- description: Optional.
- items:
- properties:
- name:
- description: Required.
- type: string
- type: object
- type: array
- type: object
- type: array
- metrics:
- description: Optional.
- items:
- properties:
- overrides:
- description: Optional.
- items:
- properties:
- disabled:
- description: Optional.
- nullable: true
- type: boolean
- match:
- description: Match allows provides the scope of the override.
- oneOf:
- - not:
- anyOf:
- - required:
- - metric
- - required:
- - customMetric
- - required:
- - metric
- - required:
- - customMetric
- properties:
- customMetric:
- description: Allows free-form specification of a metric.
- type: string
- metric:
- description: One of the well-known Istio Standard
- Metrics.
- enum:
- - ALL_METRICS
- - REQUEST_COUNT
- - REQUEST_DURATION
- - REQUEST_SIZE
- - RESPONSE_SIZE
- - TCP_OPENED_CONNECTIONS
- - TCP_CLOSED_CONNECTIONS
- - TCP_SENT_BYTES
- - TCP_RECEIVED_BYTES
- - GRPC_REQUEST_MESSAGES
- - GRPC_RESPONSE_MESSAGES
- type: string
- mode:
- enum:
- - CLIENT_AND_SERVER
- - CLIENT
- - SERVER
- type: string
- type: object
- tagOverrides:
- additionalProperties:
- properties:
- operation:
- description: Operation controls whether or not to
- update/add a tag, or to remove it.
- enum:
- - UPSERT
- - REMOVE
- type: string
- value:
- description: Value is only considered if the operation
- is `UPSERT`.
- type: string
- type: object
- description: Optional.
- type: object
- type: object
- type: array
- providers:
- description: Optional.
- items:
- properties:
- name:
- description: Required.
- type: string
- type: object
- type: array
- reportingInterval:
- description: Optional.
- type: string
- type: object
- type: array
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- tracing:
- description: Optional.
- items:
- properties:
- customTags:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - literal
- - required:
- - environment
- - required:
- - header
- - required:
- - literal
- - required:
- - environment
- - required:
- - header
- properties:
- environment:
- description: Environment adds the value of an environment
- variable to each span.
- properties:
- defaultValue:
- description: Optional.
- type: string
- name:
- description: Name of the environment variable from
- which to extract the tag value.
- type: string
- type: object
- header:
- properties:
- defaultValue:
- description: Optional.
- type: string
- name:
- description: Name of the header from which to extract
- the tag value.
- type: string
- type: object
- literal:
- description: Literal adds the same, hard-coded value to
- each span.
- properties:
- value:
- description: The tag value to use.
- type: string
- type: object
- type: object
- description: Optional.
- type: object
- disableSpanReporting:
- description: Controls span reporting.
- nullable: true
- type: boolean
- match:
- description: Allows tailoring of behavior to specific conditions.
- properties:
- mode:
- enum:
- - CLIENT_AND_SERVER
- - CLIENT
- - SERVER
- type: string
- type: object
- providers:
- description: Optional.
- items:
- properties:
- name:
- description: Required.
- type: string
- type: object
- type: array
- randomSamplingPercentage:
- nullable: true
- type: number
- useRequestIdForTraceSampling:
- nullable: true
- type: boolean
- type: object
- type: array
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
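Review bot: Every CRD removed in this part of the hunk (`authorizationpolicies.security.istio.io`, `peerauthentications.security.istio.io`, `requestauthentications.security.istio.io`, `telemetries.telemetry.istio.io`) carries `"helm.sh/resource-policy": keep`, so Helm leaves it in the cluster on uninstall or upgrade, and deleting the vendored file does not remove the CRDs or the AuthorizationPolicy, PeerAuthentication and RequestAuthentication objects stored under them wherever this chart was installed. Please state in the commit message whether the `istio-1.18.2/` tree was ever applied to a cluster and, if it was, which of these CRDs are kept on purpose and which need manual cleanup.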
diff --git a/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml b/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml
deleted file mode 100644
index 2a80f418..00000000
--- a/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-# SYNC WITH manifests/charts/istio-operator/templates
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: istiooperators.install.istio.io
- labels:
- release: istio
-spec:
- conversion:
- strategy: None
- group: install.istio.io
- names:
- kind: IstioOperator
- listKind: IstioOperatorList
- plural: istiooperators
- singular: istiooperator
- shortNames:
- - iop
- - io
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Istio control plane revision
- jsonPath: .spec.revision
- name: Revision
- type: string
- - description: IOP current state
- jsonPath: .status.status
- name: Status
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- subresources:
- status: {}
- name: v1alpha1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
----
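Review bot: The first line of the deleted `crd-operator.yaml`, `# SYNC WITH manifests/charts/istio-operator/templates`, says a second copy of the `istiooperators.install.istio.io` CRD is kept in step with this one, and the visible part of the patch does not show that copy being removed. Confirm the counterpart the comment refers to is deleted in the same change, so that one half of a synced pair is not left behind without its source.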
diff --git a/istio-1.18.2/manifests/charts/base/templates/NOTES.txt b/istio-1.18.2/manifests/charts/base/templates/NOTES.txt
deleted file mode 100644
index 00645016..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/NOTES.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Istio base successfully installed!
-
-To learn more about the release, try:
- $ helm status {{ .Release.Name }}
- $ helm get all {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml
deleted file mode 100644
index e0cbea8f..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml
+++ /dev/null
@@ -1,181 +0,0 @@
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-# DO NOT EDIT!
-# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
-# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istiod-{{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-rules:
- # sidecar injection controller
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update", "patch"]
-
- # configuration validation webhook controller
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update"]
-
- # istio configuration
- # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
- # please proceed with caution
- - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
- verbs: ["get", "watch", "list"]
- resources: ["*"]
-{{- if .Values.global.istiod.enableAnalysis }}
- - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
- verbs: ["update"]
- # TODO: should be on just */status but wildcard is not supported
- resources: ["*"]
-{{- end }}
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "workloadentries" ]
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "workloadentries/status" ]
-
- # auto-detect installed CRD definitions
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
-
- # discovery and routing
- - apiGroups: [""]
- resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
-
- # ingress controller
-{{- if .Values.global.istiod.enableAnalysis }}
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["*"]
-{{- end}}
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses", "ingressclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["*"]
-
- # required for CA's namespace controller
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "list", "watch", "update"]
-
- # Istiod and bootstrap.
- - apiGroups: ["certificates.k8s.io"]
- resources:
- - "certificatesigningrequests"
- - "certificatesigningrequests/approval"
- - "certificatesigningrequests/status"
- verbs: ["update", "create", "get", "delete", "watch"]
- - apiGroups: ["certificates.k8s.io"]
- resources:
- - "signers"
- resourceNames:
- - "kubernetes.io/legacy-unknown"
- verbs: ["approve"]
-
- # Used by Istiod to verify the JWT tokens
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
-
- # Used by Istiod to verify gateway SDS
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
-
- # Use for Kubernetes Service APIs
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
- resources: ["*"]
- verbs: ["get", "watch", "list"]
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
- resources: ["*"] # TODO: should be on just */status but wildcard is not supported
- verbs: ["update"]
- - apiGroups: ["gateway.networking.k8s.io"]
- resources: ["gatewayclasses"]
- verbs: ["create", "update", "patch", "delete"]
-
- # Needed for multicluster secret reading, possibly ingress certs in the future
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
-
- # Used for MCS serviceexport management
- - apiGroups: ["multicluster.x-k8s.io"]
- resources: ["serviceexports"]
- verbs: ["get", "watch", "list", "create", "delete"]
-
- # Used for MCS serviceimport management
- - apiGroups: ["multicluster.x-k8s.io"]
- resources: ["serviceimports"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-reader-{{ .Values.global.istioNamespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
-rules:
- - apiGroups:
- - "config.istio.io"
- - "security.istio.io"
- - "networking.istio.io"
- - "authentication.istio.io"
- - "rbac.istio.io"
- resources: ["*"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list" ]
- resources: [ "workloadentries" ]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["replicasets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
- - apiGroups: ["multicluster.x-k8s.io"]
- resources: ["serviceexports"]
- verbs: ["get", "watch", "list"]
- - apiGroups: ["multicluster.x-k8s.io"]
- resources: ["serviceimports"]
- verbs: ["get", "watch", "list"]
-{{- if or .Values.global.externalIstiod }}
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "list", "watch", "update"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update"]
-{{- end}}
----
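Review bot: Removing this template does not revoke anything in a cluster where it was already applied, and the two ClusterRoles it defines are broad: `istiod-{{ .Values.global.istioNamespace }}` has cluster-wide `get`/`watch`/`list` on `secrets` plus `update` on `resources: ["*"]` in the gateway API groups, and `istio-reader-{{ .Values.global.istioNamespace }}` also lists `secrets` among its readable core resources. If the chart was ever installed, add the cleanup step to the PR description: delete both ClusterRoles together with the ClusterRoleBindings removed in the next file, so the grants do not stay bound to `istiod-service-account` and `istio-reader-service-account`.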
diff --git a/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml
deleted file mode 100644
index d61729b2..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-# DO NOT EDIT!
-# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
-# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-reader-{{ .Values.global.istioNamespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-reader-{{ .Values.global.istioNamespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istiod-{{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istiod-{{ .Values.global.istioNamespace }}
-subjects:
- - kind: ServiceAccount
- name: istiod-service-account
- namespace: {{ .Values.global.istioNamespace }}
----
diff --git a/istio-1.18.2/manifests/charts/base/templates/crds.yaml b/istio-1.18.2/manifests/charts/base/templates/crds.yaml
deleted file mode 100644
index 871ee2a6..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/crds.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-{{- if .Values.base.enableCRDTemplates }}
-{{ .Files.Get "crds/crd-all.gen.yaml" }}
-{{ .Files.Get "crds/crd-operator.yaml" }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/default.yaml b/istio-1.18.2/manifests/charts/base/templates/default.yaml
deleted file mode 100644
index f7950de2..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/default.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- if not (eq .Values.defaultRevision "") }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istiod-default-validator
- labels:
- app: istiod
- release: {{ .Release.Name }}
- istio: istiod
- istio.io/rev: {{ .Values.defaultRevision }}
-webhooks:
- - name: validation.istio.io
- clientConfig:
- {{- if .Values.base.validationURL }}
- url: {{ .Values.base.validationURL }}
- {{- else }}
- service:
- {{- if (eq .Values.defaultRevision "default") }}
- name: istiod
- {{- else }}
- name: istiod-{{ .Values.defaultRevision }}
- {{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- {{- if .Values.base.validateGateway }}
- - gateway.networking.k8s.io
- {{- end }}
- apiVersions:
- - "*"
- resources:
- - "*"
- # Fail open until the validation webhook is ready. The webhook controller
- # will update this to `Fail` and patch in the `caBundle` when the webhook
- # endpoint is ready.
- failurePolicy: Ignore
- sideEffects: None
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
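Review bot: `failurePolicy: Ignore` combined with `apiVersions: ["*"]` and `resources: ["*"]` means this validator admits every object in the listed Istio API groups unchecked whenever the endpoint is unreachable, and per the comment above it only becomes `Fail` once the webhook controller patches it. Since the template is removed here, say in the change description what now creates `istiod-default-validator`, and check that any copy already applied from this file was actually switched to `Fail` rather than left fail-open.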
diff --git a/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml b/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml
deleted file mode 100644
index 2675b47a..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
-# if the remotePilotAddress is an IP addr
-apiVersion: v1
-kind: Endpoints
-metadata:
- {{- if .Values.pilot.enabled }}
- name: istiod-remote
- {{- else }}
- name: istiod
- {{- end }}
- namespace: {{ .Release.Namespace }}
-subsets:
-- addresses:
- - ip: {{ .Values.global.remotePilotAddress }}
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 15017
- name: tcp-webhook
- protocol: TCP
----
-{{- end }}
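Review bot: the guard `^([0-9]*\\.){3}[0-9]*$` uses `*` for every octet, so values such as `...` or `1..2.` pass as an IP address and are written straight into `addresses[].ip`. If this condition is carried into whatever replaces this chart (the same pattern appears in `services.yaml` in this patch), use `[0-9]+` per octet or validate `remotePilotAddress` before rendering.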
diff --git a/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml b/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml
deleted file mode 100644
index d9ce18c2..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# This service account aggregates reader permissions for the revisions in a given cluster
-# Should be used for remote secret creation.
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/role.yaml b/istio-1.18.2/manifests/charts/base/templates/role.yaml
deleted file mode 100644
index ca1a4243..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/role.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-# DO NOT EDIT!
-# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
-# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: istiod-{{ .Values.global.istioNamespace }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-rules:
-# permissions to verify the webhook is ready and rejecting
-# invalid config. We use --server-dry-run so no config is persisted.
-- apiGroups: ["networking.istio.io"]
- verbs: ["create"]
- resources: ["gateways"]
-
-# For storing CA secret
-- apiGroups: [""]
- resources: ["secrets"]
- # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
- verbs: ["create", "get", "watch", "list", "update", "delete"]
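Review bot: the `secrets` rule grants `create`, `get`, `watch`, `list`, `update` and `delete` on every secret in the namespace, and the TODO about locking it down to `istio-ca-cert` is still open in this copy. Removing the file does not remove a Role that was already applied from it, so note the cleanup step for existing clusters and make sure the replacement chart scopes this rule as the TODO describes.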
diff --git a/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml
deleted file mode 100644
index 2b591fb8..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-# DO NOT EDIT!
-# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
-# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istiod-{{ .Values.global.istioNamespace }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istiod-{{ .Values.global.istioNamespace }}
-subjects:
- - kind: ServiceAccount
- name: istiod-service-account
- namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml
deleted file mode 100644
index ec25fd25..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-# DO NOT EDIT!
-# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
-# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istiod-service-account
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/services.yaml b/istio-1.18.2/manifests/charts/base/templates/services.yaml
deleted file mode 100644
index 2bc55e66..00000000
--- a/istio-1.18.2/manifests/charts/base/templates/services.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.global.remotePilotAddress }}
-apiVersion: v1
-kind: Service
-metadata:
- {{- if .Values.pilot.enabled }}
- # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
- name: istiod-remote
- {{- else }}
- # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
- name: istiod
- {{- end }}
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 443
- targetPort: 15017
- name: tcp-webhook
- protocol: TCP
- {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
- # if the remotePilotAddress is not an IP addr, we use ExternalName
- type: ExternalName
- externalName: {{ .Values.global.remotePilotAddress }}
- {{- end }}
----
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/base/values.yaml b/istio-1.18.2/manifests/charts/base/values.yaml
deleted file mode 100644
index 96a74562..00000000
--- a/istio-1.18.2/manifests/charts/base/values.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-global:
-
- # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
-
- # Used to locate istiod.
- istioNamespace: istio-system
-
- istiod:
- enableAnalysis: false
-
- configValidation: true
- externalIstiod: false
- remotePilotAddress: ""
-
-base:
- # Used for helm2 to add the CRDs to templates.
- enableCRDTemplates: false
-
- # Validation webhook configuration url
- # For example: https://$remotePilotAddress:15017/validate
- validationURL: ""
-
- # For istioctl usage to disable istio config crds in base
- enableIstioConfigCRDs: true
-
-defaultRevision: "default"
diff --git a/istio-1.18.2/manifests/charts/default/Chart.yaml b/istio-1.18.2/manifests/charts/default/Chart.yaml
deleted file mode 100644
index 90ddf756..00000000
--- a/istio-1.18.2/manifests/charts/default/Chart.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-name: istio-default
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.0.0
-appVersion: 1.0.0
-description: Helm chart for istio default revision components.
-keywords:
- - istio
-sources:
- - https://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml
deleted file mode 100644
index 5fa635eb..00000000
--- a/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml
+++ /dev/null
@@ -1,125 +0,0 @@
-# Adapted from istio-discovery/templates/mutatingwebhook.yaml
-# Removed paths for legacy and default selectors since a revision tag
-# is inherently created from a specific revision
-{{/* Copy just what we need to avoid expensive deepCopy */}}
-{{- $whv := dict
- "revision" .Values.revision
- "injectionURL" .Values.istiodRemote.injectionURL
- "namespace" .Release.Namespace }}
-{{- define "core" }}
-- name: {{.Prefix}}sidecar-injector.istio.io
- clientConfig:
- {{- if .injectionURL }}
- url: {{ .injectionURL }}
- {{- else }}
- service:
- name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
- namespace: {{ .namespace }}
- path: "/inject"
- {{- end }}
- sideEffects: None
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- failurePolicy: Fail
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
-
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: istio-revision-tag-default
- labels:
- istio.io/tag: "default"
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- app: sidecar-injector
- release: {{ .Release.Name }}
-webhooks:
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- - "default"
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: DoesNotExist
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
- - key: istio.io/rev
- operator: In
- values:
- - "default"
-
-{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: In
- values:
- - enabled
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-
-{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: In
- values:
- - "true"
- - key: istio.io/rev
- operator: DoesNotExist
-
-{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
-{{- /* Special case 3: no labels at all */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- - key: "kubernetes.io/metadata.name"
- operator: "NotIn"
- values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml b/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml
deleted file mode 100644
index 8ffa277e..00000000
--- a/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istiod-default-validator
- labels:
- app: istiod
- istio: istiod
- istio.io/rev: {{ .Values.revision | default "default" }}
- istio.io/tag: "default"
- # Required to make sure this resource is removed
- # when purging Istio resources
- operator.istio.io/component: Pilot
-webhooks:
- - name: validation.istio.io
- clientConfig:
- {{- if .Values.base.validationURL }}
- url: {{ .Values.base.validationURL }}
- {{- else }}
- service:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- {{- if .Values.base.validateGateway }}
- - gateway.networking.k8s.io
- {{- end }}
- apiVersions:
- - "*"
- resources:
- - "*"
- failurePolicy: Ignore
- sideEffects: None
- admissionReviewVersions: ["v1beta1", "v1"]
- objectSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: DoesNotExist
----
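Review bot: this template renders a ValidatingWebhookConfiguration named `istiod-default-validator`, the same cluster-scoped name that `base/templates/default.yaml` renders earlier in this patch, and here `failurePolicy: Ignore` carries no comment saying that anything later switches it to `Fail`. Before both copies go, confirm which chart owns the live object and record the intended failure policy where the surviving definition lives.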
diff --git a/istio-1.18.2/manifests/charts/default/values.yaml b/istio-1.18.2/manifests/charts/default/values.yaml
deleted file mode 100644
index f0b1c35d..00000000
--- a/istio-1.18.2/manifests/charts/default/values.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-global:
- # Used to locate istiod.
- istioNamespace: "istio-system"
-
-base:
- # Validation webhook configuration url
- # For example: https://$remotePilotAddress:15017/validate
- validationURL: ""
- # If enabled, gateway-api types will be validated using the standard upstream validation logic.
- # This is an alternative to deploying the standalone validation server the project provides.
- # This is disabled by default, as the cluster may already have a validation server; while technically
- # it works to have multiple redundant validations, this adds complexity and operational risks.
- # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers.
- validateGateway: false
-
-istiodRemote:
- # Sidecar injector mutating webhook configuration url
- # For example: https://$remotePilotAddress:15017/inject
- injectionURL: ""
-
-# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
-revision: ""
-
-sidecarInjectorWebhook:
- # This enables injection of sidecar in all namespaces,
- enableNamespacesByDefault: false
-
diff --git a/istio-1.18.2/manifests/charts/gateway/Chart.yaml b/istio-1.18.2/manifests/charts/gateway/Chart.yaml
deleted file mode 100644
index e16d97e6..00000000
--- a/istio-1.18.2/manifests/charts/gateway/Chart.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v2
-name: gateway
-description: Helm chart for deploying Istio gateways
-type: application
-
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-
-sources:
-- https://github.com/istio/istio
-icon: https://istio.io/latest/favicons/android-192x192.png
-keywords:
-- istio
-- gateways
\ No newline at end of file
diff --git a/istio-1.18.2/manifests/charts/gateway/README.md b/istio-1.18.2/manifests/charts/gateway/README.md
deleted file mode 100644
index 0e58c00f..00000000
--- a/istio-1.18.2/manifests/charts/gateway/README.md
+++ /dev/null
@@ -1,148 +0,0 @@
-# Istio Gateway Helm Chart
-
-This chart installs an Istio gateway deployment.
-
-## Setup Repo Info
-
-```console
-helm repo add istio https://istio-release.storage.googleapis.com/charts
-helm repo update
-```
-
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
-
-## Installing the Chart
-
-To install the chart with the release name `istio-ingressgateway`:
-
-```console
-helm install istio-ingressgateway istio/gateway
-```
-
-## Uninstalling the Chart
-
-To uninstall/delete the `istio-ingressgateway` deployment:
-
-```console
-helm delete istio-ingressgateway
-```
-
-## Configuration
-
-To view support configuration options and documentation, run:
-
-```console
-helm show values istio/gateway
-```
-
-### `image: auto` Information
-
-The image used by the chart, `auto`, may be unintuitive.
-This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
-This allows the same configurations and lifecycle to apply to gateways as sidecars.
-
-Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
-See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
-
-### Examples
-
-#### Egress Gateway
-
-Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
-
-```yaml
-service:
- # Egress gateways do not need an external LoadBalancer IP
- type: ClusterIP
-```
-
-#### Multi-network/VM Gateway
-
-Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
-
-```yaml
-networkGateway: network-1
-```
-
-### Migrating from other installation methods
-
-Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
-following the guidance below.
-If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
-
-WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
-
-#### Legacy Gateway Helm charts
-
-Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
-These are replaced by this chart.
-While not required, it is recommended all new users use this chart, and existing users migrate when possible.
-
-This chart has the following benefits and differences:
-* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
-* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
-* Published to official Istio Helm repository.
-* Single chart for all gateways (Ingress, Egress, East West).
-
-#### General concerns
-
-For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
-
-If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
-
-```yaml
-app: istio-gateway
-istio: gateway # the release name with leading istio- prefix stripped
-```
-
-If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
-`foo=bar,istio=ingressgateway`:
-
-```yaml
-name: my-custom-gateway # Override the name to match existing resources
-labels:
- app: "" # Unset default app selector label
- istio: ingressgateway # override default istio selector label
- foo: bar # Add the existing custom selector label
-```
-
-#### Migrating an existing Helm release
-
-An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
-installation was done like:
-
-```console
-helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
-```
-
-It could be upgraded with
-
-```console
-helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
-```
-
-Note the name and labels are overridden to match the names of the existing installation.
-
-Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
-If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
-or customize the ports to match the old defaults.
-See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
-
-#### Other migrations
-
-If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
-
-The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
-
-```console
-KINDS=(service deployment)
-RELEASE=istio-ingressgateway
-NAMESPACE=istio-system
-for KIND in "${KINDS[@]}"; do
- kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
- kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
- kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
-done
-```
-
-You may ignore errors about resources not being found.
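Review bot: the warning at the end of "Migrating an existing Helm release" (this chart defaults to ports 80 and 443 while the old charts used 8080 and 8443, which affects AuthorizationPolicies that reference those ports) is operational guidance that disappears with this README. If any gateway here was installed or migrated with this chart, carry that caveat and the linked security advisory into the documentation that remains.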
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt b/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt
deleted file mode 100644
index 78451d33..00000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-"{{ include "gateway.name" . }}" successfully installed!
-
-To learn more about the release, try:
- $ helm status {{ .Release.Name }}
- $ helm get all {{ .Release.Name }}
-
-Next steps:
- * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
- * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl
deleted file mode 100644
index a777d43b..00000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl
+++ /dev/null
@@ -1,61 +0,0 @@
-{{- define "gateway.name" -}}
-{{- if eq .Release.Name "RELEASE-NAME" -}}
- {{- .Values.name | default "istio-ingressgateway" -}}
-{{- else -}}
- {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
-{{- end -}}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "gateway.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{- define "gateway.labels" -}}
-helm.sh/chart: {{ include "gateway.chart" . }}
-{{ include "gateway.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-app.kubernetes.io/name: {{ include "gateway.name" . }}
-{{- range $key, $val := .Values.labels }}
-{{- if not (or (eq $key "app") (eq $key "istio")) }}
-{{ $key | quote }}: {{ $val | quote }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "gateway.podLabels" -}}
-{{ include "gateway.selectorLabels" . }}
-{{- range $key, $val := .Values.labels }}
-{{- if not (or (eq $key "app") (eq $key "istio")) }}
-{{ $key | quote }}: {{ $val | quote }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "gateway.selectorLabels" -}}
-{{- if hasKey .Values.labels "app" }}
-{{- with .Values.labels.app }}app: {{.|quote}}
-{{- end}}
-{{- else }}app: {{ include "gateway.name" . }}
-{{- end }}
-{{- if hasKey .Values.labels "istio" }}
-{{- with .Values.labels.istio }}
-istio: {{.|quote}}
-{{- end}}
-{{- else }}
-istio: {{ include "gateway.name" . | trimPrefix "istio-" }}
-{{- end }}
-{{- end }}
-
-{{- define "gateway.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
-{{- else }}
-{{- .Values.serviceAccount.name | default "default" }}
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml
deleted file mode 100644
index da0fa270..00000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
-apiVersion: apps/v1
-kind: {{ .Values.kind | default "Deployment" }}
-metadata:
- name: {{ include "gateway.name" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4}}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
-spec:
- {{- if not .Values.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{- end }}
- selector:
- matchLabels:
- {{- include "gateway.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- sidecar.istio.io/inject: "true"
- {{- with .Values.revision }}
- istio.io/rev: {{ . }}
- {{- end }}
- {{- include "gateway.podLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "gateway.serviceAccountName" . }}
- securityContext:
- {{- if .Values.securityContext }}
- {{- toYaml .Values.securityContext | nindent 8 }}
- {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
- # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
- sysctls:
- - name: net.ipv4.ip_unprivileged_port_start
- value: "0"
- {{- end }}
- containers:
- - name: istio-proxy
- # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
- image: auto
- {{- with .Values.imagePullPolicy }}
- imagePullPolicy: {{ . }}
- {{- end }}
- securityContext:
- {{- if .Values.containerSecurityContext }}
- {{- toYaml .Values.containerSecurityContext | nindent 12 }}
- {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
- # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
- capabilities:
- drop:
- - ALL
- allowPrivilegeEscalation: false
- privileged: false
- readOnlyRootFilesystem: true
- runAsUser: 1337
- runAsGroup: 1337
- runAsNonRoot: true
- {{- else }}
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- runAsUser: 0
- runAsGroup: 1337
- runAsNonRoot: false
- allowPrivilegeEscalation: true
- readOnlyRootFilesystem: true
- {{- end }}
- env:
- {{- with .Values.networkGateway }}
- - name: ISTIO_META_REQUESTED_NETWORK_VIEW
- value: "{{.}}"
- {{- end }}
- {{- range $key, $val := .Values.env }}
- - name: {{ $key }}
- value: {{ $val | quote }}
- {{- end }}
- ports:
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.topologySpreadConstraints }}
- topologySpreadConstraints:
- {{- toYaml . | nindent 8 }}
- {{- end }}
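Review bot: in the container `securityContext` block, a non-empty `.Values.containerSecurityContext` replaces the hardened default outright instead of being merged with it, so an override that sets a single field silently drops `capabilities.drop: ALL`, `allowPrivilegeEscalation: false` and `runAsNonRoot: true`; on clusters below 1.22 the fallback runs with `runAsUser: 0` and `allowPrivilegeEscalation: true`. Before removing the chart, check whether any values file in this repository sets `containerSecurityContext` or `securityContext`, and make sure the deployment that replaces this one keeps the restrictive settings.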
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml b/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml
deleted file mode 100644
index e287406c..00000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
-{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
-apiVersion: autoscaling/v2
-{{- else }}
-apiVersion: autoscaling/v2beta2
-{{- end }}
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "gateway.name" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4 }}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: {{ .Values.kind | default "Deployment" }}
- name: {{ include "gateway.name" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.autoscaling.maxReplicas }}
- metrics:
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- target:
- averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Utilization
- {{- end }}
-{{- end }}
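Review bot: the opening condition tests `eq .Values.kind "Deployment"`, while `scaleTargetRef.kind` in the same file and `deployment.yaml` use `.Values.kind | default "Deployment"`. With `kind` unset and `autoscaling.enabled` true, no HPA is rendered and `deployment.yaml` also omits `replicas`, so the gateway is left without an explicit replica count or an autoscaler. If this template is kept anywhere, apply the same `default` in the condition.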
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml
deleted file mode 100644
index 77f71e7f..00000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.podDisruptionBudget }}
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: {{ include "gateway.name" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4}}
-spec:
- selector:
- matchLabels:
- {{- include "gateway.selectorLabels" . | nindent 6 }}
- {{- with .Values.podDisruptionBudget }}
- {{- toYaml . | nindent 2 }}
- {{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/role.yaml b/istio-1.18.2/manifests/charts/gateway/templates/role.yaml
deleted file mode 100644
index c8a25cb7..00000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/role.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
-{{- if .Values.rbac.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "gateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4}}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "gateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4}}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "gateway.serviceAccountName" . }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "gateway.serviceAccountName" . }}
-{{- end }}
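Review bot: the Role gives the gateway service account `get`, `watch` and `list` on all `secrets` in the release namespace with no `resourceNames`, so every secret stored alongside the gateway is readable by it. Deleting the template leaves any Role and RoleBinding already created from it in place; list the objects to remove from existing clusters, and keep gateways in a namespace that holds only their own TLS secrets if this grant is reproduced elsewhere.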
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/service.yaml b/istio-1.18.2/manifests/charts/gateway/templates/service.yaml
deleted file mode 100644
index b96a52b9..00000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/service.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-{{- if not (eq .Values.service.type "None") }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "gateway.name" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4 }}
- {{- with .Values.networkGateway }}
- topology.istio.io/network: "{{.}}"
- {{- end }}
- annotations:
- {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
-spec:
-{{- with .Values.service.loadBalancerIP }}
- loadBalancerIP: "{{ . }}"
-{{- end }}
-{{- with .Values.service.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
-{{ toYaml . | indent 4 }}
-{{- end }}
-{{- with .Values.service.externalTrafficPolicy }}
- externalTrafficPolicy: "{{ . }}"
-{{- end }}
- type: {{ .Values.service.type }}
- ports:
-{{- if .Values.networkGateway }}
- - name: status-port
- port: 15021
- targetPort: 15021
- - name: tls
- port: 15443
- targetPort: 15443
- - name: tls-istiod
- port: 15012
- targetPort: 15012
- - name: tls-webhook
- port: 15017
- targetPort: 15017
-{{- else }}
-{{ .Values.service.ports | toYaml | indent 4 }}
-{{- end }}
-{{- if .Values.service.externalIPs }}
- externalIPs: {{- range .Values.service.externalIPs }}
- - {{.}}
- {{- end }}
-{{- end }}
- selector:
- {{- include "gateway.selectorLabels" . | nindent 4 }}
-{{- end }}
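Review bot: In the `{{- if .Values.networkGateway }}` branch of `ports`, the Service publishes 15012 (`tls-istiod`) and 15017 (`tls-webhook`) alongside 15443, while `loadBalancerSourceRanges` is rendered only when a value is supplied. Before this file is removed, check whether a Service rendered from it is still live and, if so, record where its port list and any source-range restriction are defined after the deletion.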
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml
deleted file mode 100644
index e5b2304d..00000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "gateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/values.schema.json b/istio-1.18.2/manifests/charts/gateway/values.schema.json
deleted file mode 100644
index d0878a2c..00000000
--- a/istio-1.18.2/manifests/charts/gateway/values.schema.json
+++ /dev/null
@@ -1,219 +0,0 @@
-{
- "$schema": "http://json-schema.org/schema#",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "global": {
- "type": "object"
- },
- "affinity": {
- "type": "object"
- },
- "securityContext": {
- "type": ["object", "null"]
- },
- "containerSecurityContext": {
- "type": ["object", "null"]
- },
- "kind":{
- "type": "string",
- "enum": ["Deployment", "DaemonSet"]
- },
- "annotations": {
- "additionalProperties": {
- "type": [
- "string",
- "integer"
- ]
- },
- "type": "object"
- },
- "autoscaling": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean"
- },
- "maxReplicas": {
- "type": "integer"
- },
- "minReplicas": {
- "type": "integer"
- },
- "targetCPUUtilizationPercentage": {
- "type": "integer"
- }
- }
- },
- "env": {
- "type": "object"
- },
- "labels": {
- "type": "object"
- },
- "name": {
- "type": "string"
- },
- "nodeSelector": {
- "type": "object"
- },
- "podAnnotations": {
- "type": "object",
- "properties": {
- "inject.istio.io/templates": {
- "type": "string"
- },
- "prometheus.io/path": {
- "type": "string"
- },
- "prometheus.io/port": {
- "type": "string"
- },
- "prometheus.io/scrape": {
- "type": "string"
- }
- }
- },
- "replicaCount": {
- "type": "integer"
- },
- "resources": {
- "type": "object",
- "properties": {
- "limits": {
- "type": "object",
- "properties": {
- "cpu": {
- "type": "string"
- },
- "memory": {
- "type": "string"
- }
- }
- },
- "requests": {
- "type": "object",
- "properties": {
- "cpu": {
- "type": "string"
- },
- "memory": {
- "type": "string"
- }
- }
- }
- }
- },
- "revision": {
- "type": "string"
- },
- "runAsRoot": {
- "type": "boolean"
- },
- "unprivilegedPort": {
- "type": ["string", "boolean"],
- "enum": [true, false, "auto"]
- },
- "service": {
- "type": "object",
- "properties": {
- "annotations": {
- "type": "object"
- },
- "externalTrafficPolicy": {
- "type": "string"
- },
- "loadBalancerIP": {
- "type": "string"
- },
- "loadBalancerSourceRanges": {
- "type": "array"
- },
- "ports": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "name": {
- "type": "string"
- },
- "port": {
- "type": "integer"
- },
- "protocol": {
- "type": "string"
- },
- "targetPort": {
- "type": "integer"
- }
- }
- }
- },
- "type": {
- "type": "string"
- }
- }
- },
- "serviceAccount": {
- "type": "object",
- "properties": {
- "annotations": {
- "type": "object"
- },
- "name": {
- "type": "string"
- },
- "create": {
- "type": "boolean"
- }
- }
- },
- "rbac": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- }
- },
- "tolerations": {
- "type": "array"
- },
- "topologySpreadConstraints": {
- "type": "array"
- },
- "networkGateway": {
- "type": "string"
- },
- "imagePullPolicy": {
- "type": "string",
- "enum": ["", "Always", "IfNotPresent", "Never"]
- },
- "imagePullSecrets": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "name": {
- "type": "string"
- }
- }
- }
- },
- "podDisruptionBudget": {
- "type": "object",
- "properties": {
- "minAvailable": {
- "type": ["integer", "string"]
- },
- "maxUnavailable": {
- "type": ["integer", "string"]
- },
- "unhealthyPodEvictionPolicy": {
- "type": "string",
- "enum": ["", "IfHealthyBudget", "AlwaysAllow"]
- }
- }
- }
- }
-}
diff --git a/istio-1.18.2/manifests/charts/gateway/values.yaml b/istio-1.18.2/manifests/charts/gateway/values.yaml
deleted file mode 100644
index 81e757e9..00000000
--- a/istio-1.18.2/manifests/charts/gateway/values.yaml
+++ /dev/null
@@ -1,127 +0,0 @@
-# Name allows overriding the release name. Generally this should not be set
-name: ""
-# revision declares which revision this gateway is a part of
-revision: ""
-
-replicaCount: 1
-
-kind: Deployment
-
-rbac:
- # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
- # when using http://gateway-api.org/.
- enabled: true
-
-serviceAccount:
- # If set, a service account will be created. Otherwise, the default is used
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set, the release name is used
- name: ""
-
-podAnnotations:
- prometheus.io/port: "15020"
- prometheus.io/scrape: "true"
- prometheus.io/path: "/stats/prometheus"
- inject.istio.io/templates: "gateway"
- sidecar.istio.io/inject: "true"
-
-# Define the security context for the pod.
-# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
-# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
-securityContext: ~
-containerSecurityContext: ~
-
-service:
- # Type of service. Set to "None" to disable the service entirely
- type: LoadBalancer
- ports:
- - name: status-port
- port: 15021
- protocol: TCP
- targetPort: 15021
- - name: http2
- port: 80
- protocol: TCP
- targetPort: 80
- - name: https
- port: 443
- protocol: TCP
- targetPort: 443
- annotations: {}
- loadBalancerIP: ""
- loadBalancerSourceRanges: []
- externalTrafficPolicy: ""
- externalIPs: []
-
-resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- cpu: 2000m
- memory: 1024Mi
-
-autoscaling:
- enabled: true
- minReplicas: 1
- maxReplicas: 5
- targetCPUUtilizationPercentage: 80
-
-# Pod environment variables
-env: {}
-
-# Labels to apply to all resources
-labels: {}
-
-# Annotations to apply to all resources
-annotations: {}
-
-nodeSelector: {}
-
-tolerations: []
-
-topologySpreadConstraints: []
-
-affinity: {}
-
-# If specified, the gateway will act as a network gateway for the given network.
-networkGateway: ""
-
-# Specify image pull policy if default behavior isn't desired.
-# Default behavior: latest images will be Always else IfNotPresent
-imagePullPolicy: ""
-
-imagePullSecrets: []
-
-# This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
-#
-# By default, the `podDisruptionBudget` is disabled (set to `{}`),
-# which means that no PodDisruptionBudget resource will be created.
-#
-# To enable the PodDisruptionBudget, configure it by specifying the
-# `minAvailable` or `maxUnavailable`. For example, to set the
-# minimum number of available replicas to 1, you can update this value as follows:
-#
-# podDisruptionBudget:
-# minAvailable: 1
-#
-# Or, to allow a maximum of 1 unavailable replica, you can set:
-#
-# podDisruptionBudget:
-# maxUnavailable: 1
-#
-# You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
-# For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
-#
-# podDisruptionBudget:
-# minAvailable: 1
-# unhealthyPodEvictionPolicy: AlwaysAllow
-#
-# To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
-#
-# podDisruptionBudget: {}
-#
-podDisruptionBudget: {}
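Review bot: The defaults under `service:` are `type: LoadBalancer` with `loadBalancerSourceRanges: []`, and `rbac.enabled` defaults to `true`, so an install that used this file without overrides has a load balancer with no source-range restriction plus the secret-reading Role. With the file deleted, note in the PR which values file (if any) now carries these settings and whether the source ranges are set there.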
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml
deleted file mode 100644
index b42ee221..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-name: istio-egress
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-description: Helm chart for deploying Istio gateways
-keywords:
- - istio
- - egressgateway
- - gateways
-sources:
- - https://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt b/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt
deleted file mode 100644
index 9baacc0e..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt
+++ /dev/null
@@ -1,45 +0,0 @@
-
-Changes:
-- separate namespace allows:
--- easier reconfig of just the gateway
--- TLS secrets and domain name management is isolated, for better security
--- simplified configuration
--- multiple versions of the ingress can be used, to minize upgrade risks
-
-- the new chart uses the default namespace service account, and doesn't require
-additional RBAC permissions.
-
-- simplified label structure. Label change is not supported on upgrade.
-
-- for 'internal load balancer' you should deploy a separate gateway, in a different
-namespace.
-
-All ingress gateway have a "app:ingressgateway" label, used to identify it as an
-ingress, and an "istio: ingressgateway$SUFFIX" label of Gateway selection.
-
-The Gateways use "istio: ingressgateway$SUFFIX" selectors.
-
-
-# Multiple gateway versions
-
-
-
-# Using different pilot versions
-
-
-
-# Migration from istio-system
-
-Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
-with the Service and bound to the namespace, it is recommended to:
-
-1. Install the new gateway in a new namespace.
-2. Copy any TLS certificate to the new namespace, and configure the domains.
-3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
-4. Modify the DNS server to add the A record of the new namespace
-5. Check traffic
-6. Delete the A record corresponding to the gateway in istio-system
-7. Upgrade istio-system, disabling the ingressgateway
-8. Delete the domain TLS certs from istio-system.
-
-If using certmanager, all Certificate and associated configs must be moved as well.
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl
deleted file mode 100644
index fc1ec540..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl
+++ /dev/null
@@ -1,104 +0,0 @@
-{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
-
-{{ define "nodeaffinity" }}
-nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- {{- include "nodeAffinityRequiredDuringScheduling" . }}
- preferredDuringSchedulingIgnoredDuringExecution:
- {{- include "nodeAffinityPreferredDuringScheduling" . }}
-{{- end }}
-
-{{- define "nodeAffinityRequiredDuringScheduling" }}
- {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
- {{- if or .global.arch $nodeSelector }}
- nodeSelectorTerms:
- - matchExpressions:
- {{- if .global.arch }}
- - key: kubernetes.io/arch
- operator: In
- values:
- {{- range $key, $val := .global.arch }}
- {{- if gt ($val | int) 0 }}
- - {{ $key | quote }}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- range $key, $val := $nodeSelector }}
- - key: {{ $key }}
- operator: In
- values:
- - {{ $val | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- define "nodeAffinityPreferredDuringScheduling" }}
- {{- range $key, $val := .global.arch }}
- {{- if gt ($val | int) 0 }}
- - weight: {{ $val | int }}
- preference:
- matchExpressions:
- - key: kubernetes.io/arch
- operator: In
- values:
- - {{ $key | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- define "podAntiAffinity" }}
-{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
- podAntiAffinity:
- {{- if .podAntiAffinityLabelSelector }}
- requiredDuringSchedulingIgnoredDuringExecution:
- {{- include "podAntiAffinityRequiredDuringScheduling" . }}
- {{- end }}
- {{- if .podAntiAffinityTermLabelSelector }}
- preferredDuringSchedulingIgnoredDuringExecution:
- {{- include "podAntiAffinityPreferredDuringScheduling" . }}
- {{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "podAntiAffinityRequiredDuringScheduling" }}
- {{- range $index, $item := .podAntiAffinityLabelSelector }}
- - labelSelector:
- matchExpressions:
- - key: {{ $item.key }}
- operator: {{ $item.operator }}
- {{- if $item.values }}
- values:
- {{- $vals := split "," $item.values }}
- {{- range $i, $v := $vals }}
- - {{ $v | quote }}
- {{- end }}
- {{- end }}
- topologyKey: {{ $item.topologyKey }}
- {{- if $item.namespaces }}
- namespaces:
- {{- $ns := split "," $item.namespaces }}
- {{- range $i, $n := $ns }}
- - {{ $n | quote }}
- {{- end }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- define "podAntiAffinityPreferredDuringScheduling" }}
- {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- - podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: {{ $item.key }}
- operator: {{ $item.operator }}
- {{- if $item.values }}
- values:
- {{- $vals := split "," $item.values }}
- {{- range $i, $v := $vals }}
- - {{ $v | quote }}
- {{- end }}
- {{- end }}
- topologyKey: {{ $item.topologyKey }}
- weight: 100
- {{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml
deleted file mode 100644
index aa901685..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
-{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
-{{- if not .Values.global.autoscalingv2API }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
-spec:
- maxReplicas: {{ $gateway.autoscaleMax }}
- minReplicas: {{ $gateway.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ $gateway.name }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
----
-{{- else }}
-{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
-apiVersion: autoscaling/v2
-{{- else }}
-apiVersion: autoscaling/v2beta2
-{{- end }}
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
-spec:
- maxReplicas: {{ $gateway.autoscaleMax }}
- minReplicas: {{ $gateway.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ $gateway.name }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- target:
- type: Utilization
- averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
----
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml
deleted file mode 100644
index 60dec8b3..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml
+++ /dev/null
@@ -1,348 +0,0 @@
-{{- $gateway := index .Values "gateways" "istio-egressgateway" }}
-{{- if eq $gateway.injectionTemplate "" }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
-spec:
-{{- if not $gateway.autoscaleEnabled }}
-{{- if $gateway.replicaCount }}
- replicas: {{ $gateway.replicaCount }}
-{{- end }}
-{{- end }}
- selector:
- matchLabels:
-{{ $gateway.labels | toYaml | indent 6 }}
- strategy:
- rollingUpdate:
- maxSurge: {{ $gateway.rollingMaxSurge }}
- maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
- template:
- metadata:
- labels:
-{{ $gateway.labels | toYaml | indent 8 }}
-{{- if eq .Release.Namespace "istio-system"}}
- heritage: Tiller
- release: istio
- chart: gateways
-{{- end }}
- service.istio.io/canonical-name: {{ $gateway.name }}
- {{- if not (eq .Values.revision "") }}
- service.istio.io/canonical-revision: {{ .Values.revision }}
- {{- else}}
- service.istio.io/canonical-revision: latest
- {{- end }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
- sidecar.istio.io/inject: "false"
- annotations:
- istio.io/rev: {{ .Values.revision | default "default" }}
- {{- if .Values.meshConfig.enablePrometheusMerge }}
- prometheus.io/port: "15020"
- prometheus.io/scrape: "true"
- prometheus.io/path: "/stats/prometheus"
- {{- end }}
- sidecar.istio.io/inject: "false"
-{{- if $gateway.podAnnotations }}
-{{ toYaml $gateway.podAnnotations | indent 8 }}
-{{ end }}
- spec:
-{{- if not $gateway.runAsRoot }}
- securityContext:
- runAsUser: 1337
- runAsGroup: 1337
- runAsNonRoot: true
- fsGroup: 1337
-{{- end }}
- serviceAccountName: {{ $gateway.name }}-service-account
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
-{{- if .Values.global.proxy.enableCoreDump }}
- initContainers:
- - name: enable-core-dump
-{{- if contains "/" .Values.global.proxy.image }}
- image: "{{ .Values.global.proxy.image }}"
-{{- else }}
- image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
-{{- end }}
-{{- if .Values.global.imagePullPolicy }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-{{- end }}
- command:
- - /bin/sh
- args:
- - -c
- - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
- securityContext:
- runAsUser: 0
- runAsGroup: 0
- runAsNonRoot: false
- privileged: true
-{{- end }}
- containers:
- - name: istio-proxy
-{{- if contains "/" .Values.global.proxy.image }}
- image: "{{ .Values.global.proxy.image }}"
-{{- else }}
- image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
-{{- end }}
-{{- if .Values.global.imagePullPolicy }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-{{- end }}
- ports:
- {{- range $key, $val := $gateway.ports }}
- - containerPort: {{ $val.targetPort | default $val.port }}
- protocol: {{ $val.protocol | default "TCP" }}
- {{- end }}
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- args:
- - proxy
- - router
- - --domain
- - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- {{- if .Values.global.proxy.logLevel }}
- - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
- {{- end}}
- {{- if .Values.global.proxy.componentLogLevel }}
- - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
- {{- end}}
- {{- if .Values.global.logging.level }}
- - --log_output_level={{ .Values.global.logging.level }}
- {{- end}}
- {{- if .Values.global.logAsJson }}
- - --log_as_json
- {{- end }}
- {{- if .Values.global.sts.servicePort }}
- - --stsPort={{ .Values.global.sts.servicePort }}
- {{- end }}
- {{- if not $gateway.runAsRoot }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- {{- end }}
- readinessProbe:
- failureThreshold: 30
- httpGet:
- path: /healthz/ready
- port: 15021
- scheme: HTTP
- initialDelaySeconds: 1
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 1
- resources:
-{{- if $gateway.resources }}
-{{ toYaml $gateway.resources | indent 12 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | indent 12 }}
-{{- end }}
- env:
- - name: JWT_POLICY
- value: {{ .Values.global.jwtPolicy }}
- - name: PILOT_CERT_PROVIDER
- value: {{ .Values.global.pilotCertProvider }}
- - name: CA_ADDR
- {{- if .Values.global.caAddress }}
- value: {{ .Values.global.caAddress }}
- {{- else }}
- value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
- {{- end }}
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.nodeName
- - name: POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- - name: ISTIO_CPU_LIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.cpu
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ISTIO_META_WORKLOAD_NAME
- value: {{ $gateway.name }}
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
- {{- if $.Values.global.meshID }}
- - name: ISTIO_META_MESH_ID
- value: "{{ $.Values.global.meshID }}"
- {{- else if .Values.meshConfig.trustDomain }}
- - name: ISTIO_META_MESH_ID
- value: "{{ .Values.meshConfig.trustDomain }}"
- {{- end }}
- {{- if .Values.meshConfig.trustDomain }}
- - name: TRUST_DOMAIN
- value: "{{ .Values.meshConfig.trustDomain }}"
- {{- end }}
- {{- if not $gateway.runAsRoot }}
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: "true"
- {{- end }}
- {{- range $key, $val := $gateway.env }}
- - name: {{ $key }}
- value: "{{ $val }}"
- {{- end }}
- {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
- {{- if and (not $network_set) .Values.global.network }}
- - name: ISTIO_META_NETWORK
- value: "{{ .Values.global.network }}"
- {{- end }}
- - name: ISTIO_META_CLUSTER_ID
- value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- volumeMounts:
- - name: workload-socket
- mountPath: /var/run/secrets/workload-spiffe-uds
- - name: credential-socket
- mountPath: /var/run/secrets/credential-uds
- - name: workload-certs
- mountPath: /var/run/secrets/workload-spiffe-credentials
- - name: istio-envoy
- mountPath: /etc/istio/proxy
- - name: config-volume
- mountPath: /etc/istio/config
-{{- if eq .Values.global.pilotCertProvider "istiod" }}
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
-{{- end }}
-{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- mountPath: /var/run/secrets/tokens
- readOnly: true
-{{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - name: istio-certs
- mountPath: /etc/certs
- readOnly: true
- {{- end }}
- - mountPath: /var/lib/istio/data
- name: istio-data
- - name: podinfo
- mountPath: /etc/istio/pod
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- mountPath: {{ .mountPath | quote }}
- readOnly: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- {{- if .mountPath }}
- - name: {{ .name }}
- mountPath: {{ .mountPath | quote }}
- readOnly: true
- {{- end }}
- {{- end }}
-{{- if $gateway.additionalContainers }}
-{{ toYaml $gateway.additionalContainers | indent 8 }}
-{{- end }}
- volumes:
- - emptyDir: {}
- name: workload-socket
- - emptyDir: {}
- name: credential-socket
- - emptyDir: {}
- name: workload-certs
-{{- if eq .Values.global.pilotCertProvider "istiod" }}
- - name: istiod-ca-cert
- configMap:
- name: istio-ca-root-cert
-{{- end }}
- - name: podinfo
- downwardAPI:
- items:
- - path: "labels"
- fieldRef:
- fieldPath: metadata.labels
- - path: "annotations"
- fieldRef:
- fieldPath: metadata.annotations
- - name: istio-envoy
- emptyDir: {}
- - name: istio-data
- emptyDir: {}
-{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- path: istio-token
- expirationSeconds: 43200
- audience: {{ .Values.global.sds.token.aud }}
-{{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - name: istio-certs
- secret:
- secretName: istio.istio-egressgateway-service-account
- optional: true
- {{- end }}
- - name: config-volume
- configMap:
- name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- optional: true
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- secret:
- secretName: {{ .secretName | quote }}
- optional: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- - name: {{ .name }}
- configMap:
- name: {{ .configMapName | quote }}
- optional: true
- {{- end }}
- affinity:
-{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
- {{- include "podAntiAffinity" $gateway | indent 6 }}
-{{- if $gateway.tolerations }}
- tolerations:
-{{ toYaml $gateway.tolerations | indent 6 }}
-{{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
-{{- end }}
-{{- end }}
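Review bot: The `enable-core-dump` init container in this template runs with `privileged: true` and `runAsUser: 0` whenever `.Values.global.proxy.enableCoreDump` is set, so confirm that no deployed egress gateway was rendered with that flag before its source is removed. The `istio-proxy` container's hardening (`allowPrivilegeEscalation: false`, `drop: ALL`, `readOnlyRootFilesystem: true`, and the pod-level `runAsNonRoot: true` with UID 1337) is applied only under `{{- if not $gateway.runAsRoot }}`; whatever manifest replaces this one should set those fields explicitly, and the PR should say where that manifest lives.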
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml
deleted file mode 100644
index 150a5bd1..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml
+++ /dev/null
@@ -1,146 +0,0 @@
-{{- $gateway := index .Values "gateways" "istio-egressgateway" }}
-{{- if ne $gateway.injectionTemplate "" }}
-{{/* This provides a minimal gateway, ready to be injected.
- Any settings from values.gateways should be here - these are options specific to the gateway.
- Global settings, like the image, various env vars and volumes, etc will be injected.
- The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ $gateway.name | default "istio-egressgateway" }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
-spec:
-{{- if not $gateway.autoscaleEnabled }}
-{{- if $gateway.replicaCount }}
- replicas: {{ $gateway.replicaCount }}
-{{- end }}
-{{- end }}
- selector:
- matchLabels:
-{{ $gateway.labels | toYaml | indent 6 }}
- strategy:
- rollingUpdate:
- maxSurge: {{ $gateway.rollingMaxSurge }}
- maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
- template:
- metadata:
- labels:
-{{ $gateway.labels | toYaml | indent 8 }}
-{{- if eq .Release.Namespace "istio-system"}}
- heritage: Tiller
- release: istio
- chart: gateways
-{{- end }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
- sidecar.istio.io/inject: "true"
- {{- with .Values.revision }}
- istio.io/rev: {{ . }}
- {{- end }}
- annotations:
- {{- if .Values.meshConfig.enablePrometheusMerge }}
- prometheus.io/port: "15020"
- prometheus.io/scrape: "true"
- prometheus.io/path: "/stats/prometheus"
- {{- end }}
- sidecar.istio.io/inject: "true"
- inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
-{{- if $gateway.podAnnotations }}
-{{ toYaml $gateway.podAnnotations | indent 8 }}
-{{ end }}
- spec:
-{{- if not $gateway.runAsRoot }}
- securityContext:
- runAsUser: 1337
- runAsGroup: 1337
- runAsNonRoot: true
- fsGroup: 1337
-{{- end }}
- serviceAccountName: {{ $gateway.name | default "istio-egressgateway" }}-service-account
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - name: istio-proxy
- image: auto
-{{- if .Values.global.imagePullPolicy }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-{{- end }}
- ports:
- {{- range $key, $val := $gateway.ports }}
- - containerPort: {{ $val.targetPort | default $val.port }}
- protocol: {{ $val.protocol | default "TCP" }}
- {{- end }}
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- {{- if not $gateway.runAsRoot }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- {{- end }}
- resources:
-{{- if $gateway.resources }}
-{{ toYaml $gateway.resources | indent 12 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | indent 12 }}
-{{- end }}
- env:
- {{- if not $gateway.runAsRoot }}
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: "true"
- {{- end }}
- {{- range $key, $val := $gateway.env }}
- - name: {{ $key }}
- value: {{ $val | quote }}
- {{- end }}
- volumeMounts:
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- mountPath: {{ .mountPath | quote }}
- readOnly: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- {{- if .mountPath }}
- - name: {{ .name }}
- mountPath: {{ .mountPath | quote }}
- readOnly: true
- {{- end }}
- {{- end }}
-{{- if $gateway.additionalContainers }}
-{{ toYaml $gateway.additionalContainers | indent 8 }}
-{{- end }}
- volumes:
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- secret:
- secretName: {{ .secretName | quote }}
- optional: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- - name: {{ .name }}
- configMap:
- name: {{ .configMapName | quote }}
- optional: true
- {{- end }}
- affinity:
-{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
- {{- include "podAntiAffinity" $gateway | indent 6 }}
-{{- if $gateway.tolerations }}
- tolerations:
-{{ toYaml $gateway.tolerations | indent 6 }}
-{{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
-{{- end }}
-{{- end }}
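Review bot: The container `securityContext` at the top of this region (`allowPrivilegeEscalation: false`, `capabilities.drop: ALL`, `privileged: false`, `readOnlyRootFilesystem: true`) is rendered only under `{{- if not $gateway.runAsRoot }}`, and this deletion removes the egress gateway template that sets it. If egress gateways are still deployed from another chart source, name that source in the PR description and confirm it renders the same four settings. Separately, `additionalContainers` was injected with `toYaml` and gets no securityContext from this template, so any values file that used it should be re-checked against whatever replaces this chart.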
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml
deleted file mode 100644
index ba3c6d24..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
-{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }}
-apiVersion: policy/v1
-{{- else }}
-apiVersion: policy/v1beta1
-{{- end }}
-kind: PodDisruptionBudget
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
-spec:
- minAvailable: 1
- selector:
- matchLabels:
-{{ $gateway.labels | toYaml | trim | indent 6 }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml
deleted file mode 100644
index c472fcef..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ $gateway.name }}-sds
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
----
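Review bot: The `rules:` block grants `get`, `watch` and `list` on `secrets` with no `resourceNames`, which covers every Secret in `{{ .Release.Namespace }}`, and deleting role.yaml from the repository does not revoke a Role that has already been applied to a cluster. Add a cleanup step for `{{ $gateway.name }}-sds`, or state that the release is being uninstalled, so the grant does not outlive the chart.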
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml
deleted file mode 100644
index fd1ffcd7..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ $gateway.name }}-sds
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ $gateway.name }}-sds
-subjects:
-- kind: ServiceAccount
- name: {{ $gateway.name }}-service-account
----
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml
deleted file mode 100644
index 2f8ce959..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
-{{- if not $gateway.customService }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- annotations:
- {{- range $key, $val := $gateway.serviceAnnotations }}
- {{ $key }}: {{ $val | quote }}
- {{- end }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
-spec:
-{{- if $gateway.loadBalancerIP }}
- loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
-{{- end }}
-{{- if $gateway.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
-{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
-{{- end }}
-{{- if $gateway.externalTrafficPolicy }}
- externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
-{{- end }}
- type: {{ $gateway.type }}
- selector:
-{{ $gateway.labels | toYaml | indent 4 }}
- ports:
-
- {{- range $key, $val := $gateway.ports }}
- -
- {{- range $pkey, $pval := $val }}
- {{ $pkey}}: {{ $pval }}
- {{- end }}
- {{- end }}
-
- {{ range $app := $gateway.egressPorts }}
- -
- port: {{ $app.port }}
- name: {{ $app.name }}
- {{- end }}
----
-{{ end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml
deleted file mode 100644
index b6a3eb40..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: {{ $gateway.name }}-service-account
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
- {{- with $gateway.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml
deleted file mode 100644
index dd8588ef..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml
+++ /dev/null
@@ -1,299 +0,0 @@
-# Standalone istio egress gateway.
-# Should be installed in a separate namespace, to minimize access to config
-gateways:
- istio-egressgateway:
- name: istio-egressgateway
- ports:
- - port: 80
- targetPort: 8080
- name: http2
- protocol: TCP
- - port: 443
- name: https
- targetPort: 8443
- protocol: TCP
-
- labels:
- app: istio-egressgateway
- istio: egressgateway
-
- # Scalability tuning
- # replicaCount: 1
- rollingMaxSurge: 100%
- rollingMaxUnavailable: 25%
- autoscaleEnabled: true
- autoscaleMin: 1
- autoscaleMax: 5
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- cpu: 2000m
- memory: 1024Mi
- cpu:
- targetAverageUtilization: 80
-
- serviceAnnotations: {}
- podAnnotations: {}
- type: ClusterIP # change to NodePort or LoadBalancer if need be
-
- secretVolumes:
- - name: egressgateway-certs
- secretName: istio-egressgateway-certs
- mountPath: /etc/istio/egressgateway-certs
- - name: egressgateway-ca-certs
- secretName: istio-egressgateway-ca-certs
- mountPath: /etc/istio/egressgateway-ca-certs
-
- configVolumes: []
- additionalContainers: []
-
- serviceAccount:
- # Annotations to add to the service account
- annotations: {}
-
- ### Advanced options ############
- # TODO: convert to real options, env should not be exposed
- env: {}
- # Set this to "external" if and only if you want the egress gateway to
- # act as a transparent SNI gateway that routes mTLS/TLS traffic to
- # external services defined using service entries, where the service
- # entry has resolution set to DNS, has one or more endpoints with
- # network field set to "external". By default its set to "" so that
- # the egress gateway sees the same set of endpoints as the sidecars
- # preserving backward compatibility
- # ISTIO_META_REQUESTED_NETWORK_VIEW: ""
-
- nodeSelector: {}
- tolerations: []
-
- # Specify the pod anti-affinity that allows you to constrain which nodes
- # your pod is eligible to be scheduled based on labels on pods that are
- # already running on the node rather than based on labels on nodes.
- # There are currently two types of anti-affinity:
- # "requiredDuringSchedulingIgnoredDuringExecution"
- # "preferredDuringSchedulingIgnoredDuringExecution"
- # which denote "hard" vs. "soft" requirements, you can define your values
- # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
- # correspondingly.
- # For example:
- # podAntiAffinityLabelSelector:
- # - key: security
- # operator: In
- # values: S1,S2
- # topologyKey: "kubernetes.io/hostname"
- # This pod anti-affinity rule says that the pod requires not to be scheduled
- # onto a node if that node is already running a pod with label having key
- # "security" and value "S1".
- podAntiAffinityLabelSelector: []
- podAntiAffinityTermLabelSelector: []
-
- # whether to run the gateway in a privileged container
- runAsRoot: false
-
- # The injection template to use for the gateway. If not set, no injection will be performed.
- injectionTemplate: ""
-
-# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
-revision: ""
-
-# For Helm compatibility.
-ownerName: ""
-
-global:
- # set the default set of namespaces to which services, service entries, virtual services, destination
- # rules should be exported to. Currently only one value can be provided in this list. This value
- # should be one of the following two options:
- # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
- # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
- defaultConfigVisibilitySettings: []
-
- # Default node selector to be applied to all deployments so that all pods can be
- # constrained to run a particular nodes. Each component can overwrite these default
- # values by adding its node selector block in the relevant section below and setting
- # the desired values.
- defaultNodeSelector: {}
-
- # enable pod disruption budget for the control plane, which is used to
- # ensure Istio control plane components are gradually upgraded or recovered.
- defaultPodDisruptionBudget:
- enabled: true
-
- # A minimal set of requested resources to applied to all deployments so that
- # Horizontal Pod Autoscaler will be able to function (if set).
- # Each component can overwrite these default values by adding its own resources
- # block in the relevant section below and setting the desired resources values.
- defaultResources:
- requests:
- cpu: 10m
- # memory: 128Mi
- # limits:
- # cpu: 100m
- # memory: 128Mi
-
- # Default node tolerations to be applied to all deployments so that all pods can be
- # scheduled to a particular nodes with matching taints. Each component can overwrite
- # these default values by adding its tolerations block in the relevant section below
- # and setting the desired values.
- # Configure this field in case that all pods of Istio control plane are expected to
- # be scheduled to particular nodes with specified taints.
- defaultTolerations: []
-
- # Default hub for Istio images.
- # Releases are published to docker hub under 'istio' project.
- # Dev builds from prow are on gcr.io
- hub: docker.io/istio
-
- # Default tag for Istio images.
- tag: 1.18.2
-
- # Specify image pull policy if default behavior isn't desired.
- # Default behavior: latest images will be Always else IfNotPresent.
- imagePullPolicy: ""
-
- # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
- # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
- # - private-registry-key
-
- # To output all istio components logs in json format by adding --log_as_json argument to each container argument
- logAsJson: false
-
- # Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows:
- # 0 - Never scheduled
- # 1 - Least preferred
- # 2 - No preference
- # 3 - Most preferred
- arch: {}
-
- # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
- # The control plane has different scopes depending on component, but can configure default log level across all components
- # If empty, default scope and level will be used as configured in code
- logging:
- level: "default:info"
-
- # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
- # system-node-critical, it is better to configure this in order to make sure your Istio pods
- # will not be killed because of low priority class.
- # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
- # for more detail.
- priorityClassName: ""
-
- proxy:
- image: proxyv2
-
- # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
- # cluster domain. Default value is "cluster.local".
- clusterDomain: "cluster.local"
-
- # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
- # not set, then the global "logLevel" will be used.
- componentLogLevel: "misc:error"
-
- # If set, newly injected sidecars will have core dumps enabled.
- enableCoreDump: false
-
- # Log level for proxy, applies to gateways and sidecars.
- # Expected values are: trace|debug|info|warning|error|critical|off
- logLevel: warning
-
- ##############################################################################################
- # The following values are found in other charts. To effectively modify these values, make #
- # make sure they are consistent across your Istio helm charts #
- ##############################################################################################
-
- # The customized CA address to retrieve certificates for the pods in the cluster.
- # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
- caAddress: ""
-
- # Used to locate istiod.
- istioNamespace: istio-system
-
- # Configure the policy for validating JWT.
- # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
- jwtPolicy: "third-party-jwt"
-
- # Mesh ID means Mesh Identifier. It should be unique within the scope where
- # meshes will interact with each other, but it is not required to be
- # globally/universally unique. For example, if any of the following are true,
- # then two meshes must have different Mesh IDs:
- # - Meshes will have their telemetry aggregated in one place
- # - Meshes will be federated together
- # - Policy will be written referencing one mesh from the other
- #
- # If an administrator expects that any of these conditions may become true in
- # the future, they should ensure their meshes have different Mesh IDs
- # assigned.
- #
- # Within a multicluster mesh, each cluster must be (manually or auto)
- # configured to have the same Mesh ID value. If an existing cluster 'joins' a
- # multicluster mesh, it will need to be migrated to the new mesh ID. Details
- # of migration TBD, and it may be a disruptive operation to change the Mesh
- # ID post-install.
- #
- # If the mesh admin does not specify a value, Istio will use the value of the
- # mesh's Trust Domain. The best practice is to select a proper Trust Domain
- # value.
- meshID: ""
-
- # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
- mountMtlsCerts: false
-
- multiCluster:
- # Set to true to connect two kubernetes clusters via their respective
- # ingressgateway services when pods in each cluster cannot directly
- # talk to one another. All clusters should be using Istio mTLS and must
- # have a shared root CA for this model to work.
- enabled: false
- # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
- # to properly label proxies
- clusterName: ""
-
- # Network defines the network this cluster belong to. This name
- # corresponds to the networks in the map of mesh networks.
- network: ""
-
- # Configure the certificate provider for control plane communication.
- # Currently, two providers are supported: "kubernetes" and "istiod".
- # As some platforms may not have kubernetes signing APIs,
- # Istiod is the default
- pilotCertProvider: istiod
-
- sds:
- # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
- # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
- # JWT is intended for the CA.
- token:
- aud: istio-ca
-
- sts:
- # The service port used by Security Token Service (STS) server to handle token exchange requests.
- # Setting this port to a non-zero value enables STS server.
- servicePort: 0
-
- # whether to use autoscaling/v2 template for HPA settings
- # for internal usage only, not to be configured by users.
- autoscalingv2API: true
-
-meshConfig:
- enablePrometheusMerge: true
-
- # The trust domain corresponds to the trust root of a system
- # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
- trustDomain: "cluster.local"
-
- defaultConfig:
- proxyMetadata: {}
- tracing:
- # tlsSettings:
- # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
- # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
- # privateKey: # example: /etc/istio/tracer/key.pem
- # caCertificates: # example: /etc/istio/tracer/root-cert.pem
- # sni: # example: tracer.somedomain
- # subjectAltNames: []
- # - tracer.somedomain
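Review bot: This values.yaml is where the egress gateway's security-relevant defaults were set (`runAsRoot: false`, `type: ClusterIP`, `jwtPolicy: "third-party-jwt"`), together with the image pin `hub: docker.io/istio` and `tag: 1.18.2`, and the PR should say where those defaults come from once the file is gone. If an external chart takes over, pin its version so a later upstream change to any of these values shows up in review rather than at deploy time.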
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml
deleted file mode 100644
index fd1e5f88..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-name: istio-ingress
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for deploying Istio gateways
-keywords:
- - istio
- - ingressgateway
- - gateways
-sources:
- - http://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt b/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt
deleted file mode 100644
index 221ee560..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt
+++ /dev/null
@@ -1,43 +0,0 @@
-
-Changes:
-- separate namespace allows:
--- easier reconfig of just the gateway
--- TLS secrets and domain name management is isolated, for better security
--- simplified configuration
--- multiple versions of the ingress can be used, to minimize upgrade risks
-
-- the new chart uses the default namespace service account, and doesn't require
-additional RBAC permissions.
-
-- simplified label and chart structure.
-- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
-and allows a bit more flexibility.
-- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
-
-# Port and basic host configuration
-
-In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
-In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
-both in upgrade, Gateway and VirtualService.
-
-The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
-Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
-config for the rest.
-
-All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
-
-# Migration from istio-system
-
-Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
-with the Service and bound to the namespace, it is recommended to:
-
-1. Install the new gateway in a new namespace.
-2. Copy any TLS certificate to the new namespace, and configure the domains.
-3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
-4. Modify the DNS server to add the A record of the new namespace
-5. Check traffic
-6. Delete the A record corresponding to the gateway in istio-system
-7. Upgrade istio-system, disabling the ingressgateway
-8. Delete the domain TLS certs from istio-system.
-
-If using certmanager, all Certificate and associated configs must be moved as well.
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl
deleted file mode 100644
index fc1ec540..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl
+++ /dev/null
@@ -1,104 +0,0 @@
-{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
-
-{{ define "nodeaffinity" }}
-nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- {{- include "nodeAffinityRequiredDuringScheduling" . }}
- preferredDuringSchedulingIgnoredDuringExecution:
- {{- include "nodeAffinityPreferredDuringScheduling" . }}
-{{- end }}
-
-{{- define "nodeAffinityRequiredDuringScheduling" }}
- {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
- {{- if or .global.arch $nodeSelector }}
- nodeSelectorTerms:
- - matchExpressions:
- {{- if .global.arch }}
- - key: kubernetes.io/arch
- operator: In
- values:
- {{- range $key, $val := .global.arch }}
- {{- if gt ($val | int) 0 }}
- - {{ $key | quote }}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- range $key, $val := $nodeSelector }}
- - key: {{ $key }}
- operator: In
- values:
- - {{ $val | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- define "nodeAffinityPreferredDuringScheduling" }}
- {{- range $key, $val := .global.arch }}
- {{- if gt ($val | int) 0 }}
- - weight: {{ $val | int }}
- preference:
- matchExpressions:
- - key: kubernetes.io/arch
- operator: In
- values:
- - {{ $key | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- define "podAntiAffinity" }}
-{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
- podAntiAffinity:
- {{- if .podAntiAffinityLabelSelector }}
- requiredDuringSchedulingIgnoredDuringExecution:
- {{- include "podAntiAffinityRequiredDuringScheduling" . }}
- {{- end }}
- {{- if .podAntiAffinityTermLabelSelector }}
- preferredDuringSchedulingIgnoredDuringExecution:
- {{- include "podAntiAffinityPreferredDuringScheduling" . }}
- {{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "podAntiAffinityRequiredDuringScheduling" }}
- {{- range $index, $item := .podAntiAffinityLabelSelector }}
- - labelSelector:
- matchExpressions:
- - key: {{ $item.key }}
- operator: {{ $item.operator }}
- {{- if $item.values }}
- values:
- {{- $vals := split "," $item.values }}
- {{- range $i, $v := $vals }}
- - {{ $v | quote }}
- {{- end }}
- {{- end }}
- topologyKey: {{ $item.topologyKey }}
- {{- if $item.namespaces }}
- namespaces:
- {{- $ns := split "," $item.namespaces }}
- {{- range $i, $n := $ns }}
- - {{ $n | quote }}
- {{- end }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- define "podAntiAffinityPreferredDuringScheduling" }}
- {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- - podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: {{ $item.key }}
- operator: {{ $item.operator }}
- {{- if $item.values }}
- values:
- {{- $vals := split "," $item.values }}
- {{- range $i, $v := $vals }}
- - {{ $v | quote }}
- {{- end }}
- {{- end }}
- topologyKey: {{ $item.topologyKey }}
- weight: 100
- {{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml
deleted file mode 100644
index 0a6299bf..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
-{{- if not .Values.global.autoscalingv2API }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
- maxReplicas: {{ $gateway.autoscaleMax }}
- minReplicas: {{ $gateway.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ $gateway.name }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
----
-{{- else }}
-{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
-apiVersion: autoscaling/v2
-{{- else }}
-apiVersion: autoscaling/v2beta2
-{{- end }}
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
- maxReplicas: {{ $gateway.autoscaleMax }}
- minReplicas: {{ $gateway.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ $gateway.name }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- target:
- type: Utilization
- averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
----
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
deleted file mode 100644
index 243545a5..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
+++ /dev/null
@@ -1,348 +0,0 @@
-{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
-{{- if eq $gateway.injectionTemplate "" }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
-{{- if not $gateway.autoscaleEnabled }}
-{{- if $gateway.replicaCount }}
- replicas: {{ $gateway.replicaCount }}
-{{- end }}
-{{- end }}
- selector:
- matchLabels:
-{{ $gateway.labels | toYaml | indent 6 }}
- strategy:
- rollingUpdate:
- maxSurge: {{ $gateway.rollingMaxSurge }}
- maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
- template:
- metadata:
- labels:
-{{ $gateway.labels | toYaml | indent 8 }}
-{{- if eq .Release.Namespace "istio-system"}}
- heritage: Tiller
- release: istio
- chart: gateways
-{{- end }}
- service.istio.io/canonical-name: {{ $gateway.name }}
- {{- if not (eq .Values.revision "") }}
- service.istio.io/canonical-revision: {{ .Values.revision }}
- {{- else}}
- service.istio.io/canonical-revision: latest
- {{- end }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
- sidecar.istio.io/inject: "false"
- annotations:
- istio.io/rev: {{ .Values.revision | default "default" }}
- {{- if .Values.meshConfig.enablePrometheusMerge }}
- prometheus.io/port: "15020"
- prometheus.io/scrape: "true"
- prometheus.io/path: "/stats/prometheus"
- {{- end }}
- sidecar.istio.io/inject: "false"
-{{- if $gateway.podAnnotations }}
-{{ toYaml $gateway.podAnnotations | indent 8 }}
-{{ end }}
- spec:
-{{- if not $gateway.runAsRoot }}
- securityContext:
- runAsUser: 1337
- runAsGroup: 1337
- runAsNonRoot: true
- fsGroup: 1337
-{{- end }}
- serviceAccountName: {{ $gateway.name }}-service-account
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
-{{- if .Values.global.proxy.enableCoreDump }}
- initContainers:
- - name: enable-core-dump
-{{- if contains "/" .Values.global.proxy.image }}
- image: "{{ .Values.global.proxy.image }}"
-{{- else }}
- image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
-{{- end }}
-{{- if .Values.global.imagePullPolicy }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-{{- end }}
- command:
- - /bin/sh
- args:
- - -c
- - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
- securityContext:
- runAsUser: 0
- runAsGroup: 0
- runAsNonRoot: false
- privileged: true
-{{- end }}
- containers:
- - name: istio-proxy
-{{- if contains "/" .Values.global.proxy.image }}
- image: "{{ .Values.global.proxy.image }}"
-{{- else }}
- image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
-{{- end }}
-{{- if .Values.global.imagePullPolicy }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-{{- end }}
- ports:
- {{- range $key, $val := $gateway.ports }}
- - containerPort: {{ $val.targetPort | default $val.port }}
- protocol: {{ $val.protocol | default "TCP" }}
- {{- end }}
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- args:
- - proxy
- - router
- - --domain
- - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- {{- if .Values.global.proxy.logLevel }}
- - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
- {{- end}}
- {{- if .Values.global.proxy.componentLogLevel }}
- - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
- {{- end}}
- {{- if .Values.global.logging.level }}
- - --log_output_level={{ .Values.global.logging.level }}
- {{- end}}
- {{- if .Values.global.logAsJson }}
- - --log_as_json
- {{- end }}
- {{- if .Values.global.sts.servicePort }}
- - --stsPort={{ .Values.global.sts.servicePort }}
- {{- end }}
- {{- if not $gateway.runAsRoot }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- {{- end }}
- readinessProbe:
- failureThreshold: 30
- httpGet:
- path: /healthz/ready
- port: 15021
- scheme: HTTP
- initialDelaySeconds: 1
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 1
- resources:
-{{- if $gateway.resources }}
-{{ toYaml $gateway.resources | indent 12 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | indent 12 }}
-{{- end }}
- env:
- - name: JWT_POLICY
- value: {{ .Values.global.jwtPolicy }}
- - name: PILOT_CERT_PROVIDER
- value: {{ .Values.global.pilotCertProvider }}
- - name: CA_ADDR
- {{- if .Values.global.caAddress }}
- value: {{ .Values.global.caAddress }}
- {{- else }}
- value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
- {{- end }}
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.nodeName
- - name: POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- - name: ISTIO_CPU_LIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.cpu
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ISTIO_META_WORKLOAD_NAME
- value: {{ $gateway.name }}
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
- {{- if $.Values.global.meshID }}
- - name: ISTIO_META_MESH_ID
- value: "{{ $.Values.global.meshID }}"
- {{- else if .Values.meshConfig.trustDomain }}
- - name: ISTIO_META_MESH_ID
- value: "{{ .Values.meshConfig.trustDomain }}"
- {{- end }}
- {{- if .Values.meshConfig.trustDomain }}
- - name: TRUST_DOMAIN
- value: "{{ .Values.meshConfig.trustDomain }}"
- {{- end }}
- {{- if not $gateway.runAsRoot }}
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: "true"
- {{- end }}
- {{- range $key, $val := $gateway.env }}
- - name: {{ $key }}
- value: "{{ $val }}"
- {{- end }}
- {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
- {{- if and (not $network_set) .Values.global.network }}
- - name: ISTIO_META_NETWORK
- value: "{{ .Values.global.network }}"
- {{- end }}
- - name: ISTIO_META_CLUSTER_ID
- value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- volumeMounts:
- - name: workload-socket
- mountPath: /var/run/secrets/workload-spiffe-uds
- - name: credential-socket
- mountPath: /var/run/secrets/credential-uds
- - name: workload-certs
- mountPath: /var/run/secrets/workload-spiffe-credentials
- - name: istio-envoy
- mountPath: /etc/istio/proxy
- - name: config-volume
- mountPath: /etc/istio/config
-{{- if eq .Values.global.pilotCertProvider "istiod" }}
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
-{{- end }}
-{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- mountPath: /var/run/secrets/tokens
- readOnly: true
-{{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - name: istio-certs
- mountPath: /etc/certs
- readOnly: true
- {{- end }}
- - mountPath: /var/lib/istio/data
- name: istio-data
- - name: podinfo
- mountPath: /etc/istio/pod
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- mountPath: {{ .mountPath | quote }}
- readOnly: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- {{- if .mountPath }}
- - name: {{ .name }}
- mountPath: {{ .mountPath | quote }}
- readOnly: true
- {{- end }}
- {{- end }}
-{{- if $gateway.additionalContainers }}
-{{ toYaml $gateway.additionalContainers | indent 8 }}
-{{- end }}
- volumes:
- - emptyDir: {}
- name: workload-socket
- - emptyDir: {}
- name: credential-socket
- - emptyDir: {}
- name: workload-certs
-{{- if eq .Values.global.pilotCertProvider "istiod" }}
- - name: istiod-ca-cert
- configMap:
- name: istio-ca-root-cert
-{{- end }}
- - name: podinfo
- downwardAPI:
- items:
- - path: "labels"
- fieldRef:
- fieldPath: metadata.labels
- - path: "annotations"
- fieldRef:
- fieldPath: metadata.annotations
- - name: istio-envoy
- emptyDir: {}
- - name: istio-data
- emptyDir: {}
-{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- path: istio-token
- expirationSeconds: 43200
- audience: {{ .Values.global.sds.token.aud }}
-{{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - name: istio-certs
- secret:
- secretName: istio.istio-ingressgateway-service-account
- optional: true
- {{- end }}
- - name: config-volume
- configMap:
- name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- optional: true
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- secret:
- secretName: {{ .secretName | quote }}
- optional: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- - name: {{ .name }}
- configMap:
- name: {{ .configMapName | quote }}
- optional: true
- {{- end }}
- affinity:
-{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
- {{- include "podAntiAffinity" $gateway | indent 6 }}
-{{- if $gateway.tolerations }}
- tolerations:
-{{ toYaml $gateway.tolerations | indent 6 }}
-{{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
-{{- end }}
-{{- end }}
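Review bot: The deleted template is where the gateway container's hardening is defined, in the `{{- if not $gateway.runAsRoot }}` block (`allowPrivilegeEscalation: false`, `capabilities.drop: ALL`, `readOnlyRootFilesystem: true`) and in the `istio-token` projected volume (`expirationSeconds: 43200`, audience taken from `.Values.global.sds.token.aud`). Nothing in this hunk says what the ingress gateway is rendered from after the deletion. Please state that in the commit message and confirm the replacement keeps the same securityContext and a time-bound, audience-scoped token.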
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml
deleted file mode 100644
index bc666a8b..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml
+++ /dev/null
@@ -1,146 +0,0 @@
-{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
-{{- if ne $gateway.injectionTemplate "" }}
-{{/* This provides a minimal gateway, ready to be injected.
- Any settings from values.gateways should be here - these are options specific to the gateway.
- Global settings, like the image, various env vars and volumes, etc will be injected.
- The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ $gateway.name | default "istio-ingressgateway" }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
-{{- if not $gateway.autoscaleEnabled }}
-{{- if $gateway.replicaCount }}
- replicas: {{ $gateway.replicaCount }}
-{{- end }}
-{{- end }}
- selector:
- matchLabels:
-{{ $gateway.labels | toYaml | indent 6 }}
- strategy:
- rollingUpdate:
- maxSurge: {{ $gateway.rollingMaxSurge }}
- maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
- template:
- metadata:
- labels:
-{{ $gateway.labels | toYaml | indent 8 }}
-{{- if eq .Release.Namespace "istio-system"}}
- heritage: Tiller
- release: istio
- chart: gateways
-{{- end }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
- sidecar.istio.io/inject: "true"
- {{- with .Values.revision }}
- istio.io/rev: {{ . }}
- {{- end }}
- annotations:
- {{- if .Values.meshConfig.enablePrometheusMerge }}
- prometheus.io/port: "15020"
- prometheus.io/scrape: "true"
- prometheus.io/path: "/stats/prometheus"
- {{- end }}
- sidecar.istio.io/inject: "true"
- inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
-{{- if $gateway.podAnnotations }}
-{{ toYaml $gateway.podAnnotations | indent 8 }}
-{{ end }}
- spec:
-{{- if not $gateway.runAsRoot }}
- securityContext:
- runAsUser: 1337
- runAsGroup: 1337
- runAsNonRoot: true
- fsGroup: 1337
-{{- end }}
- serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - name: istio-proxy
- image: auto
-{{- if .Values.global.imagePullPolicy }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-{{- end }}
- ports:
- {{- range $key, $val := $gateway.ports }}
- - containerPort: {{ $val.targetPort | default $val.port }}
- protocol: {{ $val.protocol | default "TCP" }}
- {{- end }}
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- {{- if not $gateway.runAsRoot }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- {{- end }}
- resources:
-{{- if $gateway.resources }}
-{{ toYaml $gateway.resources | indent 12 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | indent 12 }}
-{{- end }}
- env:
- {{- if not $gateway.runAsRoot }}
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: "true"
- {{- end }}
- {{- range $key, $val := $gateway.env }}
- - name: {{ $key }}
- value: {{ $val | quote }}
- {{- end }}
- volumeMounts:
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- mountPath: {{ .mountPath | quote }}
- readOnly: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- {{- if .mountPath }}
- - name: {{ .name }}
- mountPath: {{ .mountPath | quote }}
- readOnly: true
- {{- end }}
- {{- end }}
-{{- if $gateway.additionalContainers }}
-{{ toYaml $gateway.additionalContainers | indent 8 }}
-{{- end }}
- volumes:
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- secret:
- secretName: {{ .secretName | quote }}
- optional: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- - name: {{ .name }}
- configMap:
- name: {{ .configMapName | quote }}
- optional: true
- {{- end }}
- affinity:
-{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
- {{- include "podAntiAffinity" $gateway | indent 6 }}
-{{- if $gateway.tolerations }}
- tolerations:
-{{ toYaml $gateway.tolerations | indent 6 }}
-{{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml
deleted file mode 100644
index 8b368895..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }}
-apiVersion: policy/v1
-{{- else }}
-apiVersion: policy/v1beta1
-{{- end }}
-kind: PodDisruptionBudget
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
- minAvailable: 1
- selector:
- matchLabels:
-{{ $gateway.labels | toYaml | trim | indent 6 }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml
deleted file mode 100644
index 3e21bca5..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ $gateway.name }}-sds
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
----
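Review bot: The `{{ $gateway.name }}-sds` Role removed here is what limits the gateway's `get`, `watch` and `list` on `secrets` to the release namespace. If an ingress gateway is still deployed after this change, confirm its secret access remains a namespaced Role of this shape rather than a cluster-wide grant, and note where that RBAC is now defined.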
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml
deleted file mode 100644
index d4525579..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ $gateway.name }}-sds
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ $gateway.name }}-sds
-subjects:
-- kind: ServiceAccount
- name: {{ $gateway.name }}-service-account
----
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml
deleted file mode 100644
index a3b97be1..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-{{- if not $gateway.customService }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- annotations:
- {{- range $key, $val := $gateway.serviceAnnotations }}
- {{ $key }}: {{ $val | quote }}
- {{- end }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
-{{- if $gateway.loadBalancerIP }}
- loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
-{{- end }}
-{{- if $gateway.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
-{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
-{{- end }}
-{{- if $gateway.externalTrafficPolicy }}
- externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
-{{- end }}
- type: {{ $gateway.type }}
- selector:
-{{ $gateway.labels | toYaml | indent 4 }}
- ports:
-
- {{- range $key, $val := $gateway.ports }}
- -
- {{- range $pkey, $pval := $val }}
- {{ $pkey}}: {{ $pval }}
- {{- end }}
- {{- end }}
-
- {{ range $app := $gateway.ingressPorts }}
- -
- port: {{ $app.port }}
- name: {{ $app.name }}
- {{- end }}
----
-{{ end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml
deleted file mode 100644
index 9cf3034c..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: {{ $gateway.name }}-service-account
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
- {{- with $gateway.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml
deleted file mode 100644
index 89c24a0c..00000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml
+++ /dev/null
@@ -1,319 +0,0 @@
-# A-la-carte istio ingress gateway.
-# Must be installed in a separate namespace, to minimize access to secrets.
-
-gateways:
- istio-ingressgateway:
- name: istio-ingressgateway
- labels:
- app: istio-ingressgateway
- istio: ingressgateway
- ports:
- ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
- # Note that AWS ELB will by default perform health checks on the first port
- # on this list. Setting this to the health check port will ensure that health
- # checks always work. https://github.com/istio/istio/issues/12503
- - port: 15021
- targetPort: 15021
- name: status-port
- protocol: TCP
- - port: 80
- targetPort: 8080
- name: http2
- protocol: TCP
- - port: 443
- targetPort: 8443
- name: https
- protocol: TCP
-
- # Scalability tuning
- # replicaCount: 1
- rollingMaxSurge: 100%
- rollingMaxUnavailable: 25%
- autoscaleEnabled: true
- autoscaleMin: 1
- autoscaleMax: 5
-
- cpu:
- targetAverageUtilization: 80
-
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- cpu: 2000m
- memory: 1024Mi
-
- loadBalancerIP: ""
- loadBalancerSourceRanges: []
- serviceAnnotations: {}
-
- # To generate an internal load balancer:
- # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
- #serviceAnnotations:
- # cloud.google.com/load-balancer-type: "internal"
-
- podAnnotations: {}
- type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
-
- ##############
- secretVolumes:
- - name: ingressgateway-certs
- secretName: istio-ingressgateway-certs
- mountPath: /etc/istio/ingressgateway-certs
- - name: ingressgateway-ca-certs
- secretName: istio-ingressgateway-ca-certs
- mountPath: /etc/istio/ingressgateway-ca-certs
-
- customService: false
- externalTrafficPolicy: ""
-
- ingressPorts: []
- additionalContainers: []
- configVolumes: []
-
- serviceAccount:
- # Annotations to add to the service account
- annotations: {}
-
- ### Advanced options ############
- env: {}
- nodeSelector: {}
- tolerations: []
-
- # Specify the pod anti-affinity that allows you to constrain which nodes
- # your pod is eligible to be scheduled based on labels on pods that are
- # already running on the node rather than based on labels on nodes.
- # There are currently two types of anti-affinity:
- # "requiredDuringSchedulingIgnoredDuringExecution"
- # "preferredDuringSchedulingIgnoredDuringExecution"
- # which denote "hard" vs. "soft" requirements, you can define your values
- # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
- # correspondingly.
- # For example:
- # podAntiAffinityLabelSelector:
- # - key: security
- # operator: In
- # values: S1,S2
- # topologyKey: "kubernetes.io/hostname"
- # This pod anti-affinity rule says that the pod requires not to be scheduled
- # onto a node if that node is already running a pod with label having key
- # "security" and value "S1".
- podAntiAffinityLabelSelector: []
- podAntiAffinityTermLabelSelector: []
-
- # whether to run the gateway in a privileged container
- runAsRoot: false
-
- # The injection template to use for the gateway. If not set, no injection will be performed.
- injectionTemplate: ""
-
-# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
-revision: ""
-
-# For Helm compatibility.
-ownerName: ""
-
-global:
- # set the default set of namespaces to which services, service entries, virtual services, destination
- # rules should be exported to. Currently only one value can be provided in this list. This value
- # should be one of the following two options:
- # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
- # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
- defaultConfigVisibilitySettings: []
-
- # Default node selector to be applied to all deployments so that all pods can be
- # constrained to run a particular nodes. Each component can overwrite these default
- # values by adding its node selector block in the relevant section below and setting
- # the desired values.
- defaultNodeSelector: {}
-
- # enable pod disruption budget for the control plane, which is used to
- # ensure Istio control plane components are gradually upgraded or recovered.
- defaultPodDisruptionBudget:
- enabled: true
-
- # A minimal set of requested resources to applied to all deployments so that
- # Horizontal Pod Autoscaler will be able to function (if set).
- # Each component can overwrite these default values by adding its own resources
- # block in the relevant section below and setting the desired resources values.
- defaultResources:
- requests:
- cpu: 10m
- # memory: 128Mi
- # limits:
- # cpu: 100m
- # memory: 128Mi
-
- # Default node tolerations to be applied to all deployments so that all pods can be
- # scheduled to a particular nodes with matching taints. Each component can overwrite
- # these default values by adding its tolerations block in the relevant section below
- # and setting the desired values.
- # Configure this field in case that all pods of Istio control plane are expected to
- # be scheduled to particular nodes with specified taints.
- defaultTolerations: []
-
- # Default hub for Istio images.
- # Releases are published to docker hub under 'istio' project.
- # Dev builds from prow are on gcr.io
- hub: docker.io/istio
-
- # Default tag for Istio images.
- tag: 1.18.2
-
- # Variant of the image to use.
- # Currently supported are: [debug, distroless]
- variant: ""
-
- # Specify image pull policy if default behavior isn't desired.
- # Default behavior: latest images will be Always else IfNotPresent.
- imagePullPolicy: ""
-
- # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
- # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
- # - private-registry-key
-
- # To output all istio components logs in json format by adding --log_as_json argument to each container argument
- logAsJson: false
-
- # Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows:
- # 0 - Never scheduled
- # 1 - Least preferred
- # 2 - No preference
- # 3 - Most preferred
- arch: {}
-
- # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
- # The control plane has different scopes depending on component, but can configure default log level across all components
- # If empty, default scope and level will be used as configured in code
- logging:
- level: "default:info"
-
- # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
- # system-node-critical, it is better to configure this in order to make sure your Istio pods
- # will not be killed because of low priority class.
- # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
- # for more detail.
- priorityClassName: ""
-
- proxy:
- image: proxyv2
-
- # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
- # cluster domain. Default value is "cluster.local".
- clusterDomain: "cluster.local"
-
- # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
- # not set, then the global "logLevel" will be used.
- componentLogLevel: "misc:error"
-
- # If set, newly injected sidecars will have core dumps enabled.
- enableCoreDump: false
-
- # Log level for proxy, applies to gateways and sidecars.
- # Expected values are: trace|debug|info|warning|error|critical|off
- logLevel: warning
-
- ##############################################################################################
- # The following values are found in other charts. To effectively modify these values, make #
- # make sure they are consistent across your Istio helm charts #
- ##############################################################################################
-
- # The customized CA address to retrieve certificates for the pods in the cluster.
- # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
- caAddress: ""
-
- # Used to locate istiod.
- istioNamespace: istio-system
-
- # Configure the policy for validating JWT.
- # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
- jwtPolicy: "third-party-jwt"
-
- # Mesh ID means Mesh Identifier. It should be unique within the scope where
- # meshes will interact with each other, but it is not required to be
- # globally/universally unique. For example, if any of the following are true,
- # then two meshes must have different Mesh IDs:
- # - Meshes will have their telemetry aggregated in one place
- # - Meshes will be federated together
- # - Policy will be written referencing one mesh from the other
- #
- # If an administrator expects that any of these conditions may become true in
- # the future, they should ensure their meshes have different Mesh IDs
- # assigned.
- #
- # Within a multicluster mesh, each cluster must be (manually or auto)
- # configured to have the same Mesh ID value. If an existing cluster 'joins' a
- # multicluster mesh, it will need to be migrated to the new mesh ID. Details
- # of migration TBD, and it may be a disruptive operation to change the Mesh
- # ID post-install.
- #
- # If the mesh admin does not specify a value, Istio will use the value of the
- # mesh's Trust Domain. The best practice is to select a proper Trust Domain
- # value.
- meshID: ""
-
- # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
- mountMtlsCerts: false
-
- multiCluster:
- # Set to true to connect two kubernetes clusters via their respective
- # ingressgateway services when pods in each cluster cannot directly
- # talk to one another. All clusters should be using Istio mTLS and must
- # have a shared root CA for this model to work.
- enabled: false
- # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
- # to properly label proxies
- clusterName: ""
- # The suffix for global service names
- globalDomainSuffix: "global"
- # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
- includeEnvoyFilter: true
-
- # Network defines the network this cluster belong to. This name
- # corresponds to the networks in the map of mesh networks.
- network: ""
-
- # Configure the certificate provider for control plane communication.
- # Currently, two providers are supported: "kubernetes" and "istiod".
- # As some platforms may not have kubernetes signing APIs,
- # Istiod is the default
- pilotCertProvider: istiod
-
- sds:
- # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
- # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
- # JWT is intended for the CA.
- token:
- aud: istio-ca
-
- sts:
- # The service port used by Security Token Service (STS) server to handle token exchange requests.
- # Setting this port to a non-zero value enables STS server.
- servicePort: 0
- # whether to use autoscaling/v2 template for HPA settings
- # for internal usage only, not to be configured by users.
- autoscalingv2API: true
-
-meshConfig:
- enablePrometheusMerge: true
-
- # The trust domain corresponds to the trust root of a system
- # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
- trustDomain: "cluster.local"
-
- defaultConfig:
- proxyMetadata: {}
- tracing:
- # tlsSettings:
- # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
- # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
- # privateKey: # example: /etc/istio/tracer/key.pem
- # caCertificates: # example: /etc/istio/tracer/root-cert.pem
- # sni: # example: tracer.somedomain
- # subjectAltNames: []
- # - tracer.somedomain
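Review bot: The defaults under `gateways.istio-ingressgateway` expose the gateway as `type: LoadBalancer` with `loadBalancerSourceRanges: []`, and the header comment requires installation in a separate namespace "to minimize access to secrets". With this file gone there is no in-tree reference for those defaults. Please record the values the running gateway actually uses (service type, source ranges, `runAsRoot`, `global.jwtPolicy`) wherever the install is now defined.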
diff --git a/istio-1.18.2/manifests/charts/install-OpenShift.md b/istio-1.18.2/manifests/charts/install-OpenShift.md
deleted file mode 100644
index 0417c07a..00000000
--- a/istio-1.18.2/manifests/charts/install-OpenShift.md
+++ /dev/null
@@ -1,43 +0,0 @@
-# Installing Istio on OpenShift using Helm
-
-> Note: Be aware of the [platform setup required for OpenShift](https://istio.io/latest/docs/setup/platform-setup/openshift/) when installing Istio.
-
-To install with Helm, you must first create the namespace that you wish to install in if the namespace does not exist already. The default namespace used is `istio-system` and can be created as follows:
-
-```console
-kubectl create namespace istio-system
-```
-
-The installation process using the Helm charts is as follows:
-
-1) `base` chart creates cluster-wide CRDs, cluster bindings and cluster resources. It is possible to change the namespace from `istio-system` but it is not recommended.
-
-```console
-helm install istio-base -n istio-system manifests/charts/base
-```
-
-2) `istio-cni` chart installs the CNI plugin. This should be installed after the `base` chart and prior to `istiod` chart. Need to add `--set istio_cni.enabled=true` to the `istiod` install to enable its usage.
-
-```console
-helm install istio-cni -n kube-system manifests/charts/istio-cni --set cni.cniBinDir="/var/lib/cni/bin" --set cni.cniConfDir="/etc/cni/multus/net.d" --set cni.chained=false --set cni.cniConfFileName="istio-cni.conf" --set cni.excludeNamespaces[0]="istio-system" --set cni.excludeNamespaces[1]="kube-system" --set cni.repair.enabled=false --set cni.logLevel=info
-```
-
-3) `istio-control/istio-discovery` chart installs a revision of istiod.
-
-```console
- helm install -n istio-system istio-17 manifests/charts/istio-control/istio-discovery --set istio_cni.enabled=true --set global.jwtPolicy=first-party-jwt --set sidecarInjectorWebhook.injectedAnnotations."k8s\.v1\.cni\.cncf\.io/networks"="istio-cni"
-```
-
-4) `gateways` charts install a load balancer with `ingress` and `egress`.
-
-Ingress secrets and access should be separated from the control plane.
-
-```console
-helm install -n istio-system istio-ingress manifests/charts/gateways/istio-ingress --set global.jwtPolicy=first-party-jwt
-```
-
-Egress secrets and access should be separated from the control plane.
-
-```console
-helm install -n istio-system istio-egress manifests/charts/gateways/istio-egress --set global.jwtPolicy=first-party-jwt
-```
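Review bot: Missing documentation: this file is the OpenShift install procedure, and it carries choices worth keeping track of, namely `--set global.jwtPolicy=first-party-jwt` on istiod and both gateways, and `--set cni.repair.enabled=false` on the CNI chart. Step 4 also says ingress and egress secrets "should be separated from the control plane" while its commands install into `-n istio-system`. If these steps are kept anywhere, resolve that mismatch; otherwise link the upstream platform-setup page referenced in the note at the top of the file.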
diff --git a/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml b/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml
deleted file mode 100644
index 2d61757c..00000000
--- a/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-name: cni
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-description: Helm chart for istio-cni components
-keywords:
- - istio-cni
- - istio
-sources:
- - https://github.com/istio/istio/tree/master/cni
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/istio-cni/README.md b/istio-1.18.2/manifests/charts/istio-cni/README.md
deleted file mode 100644
index 215051ae..00000000
--- a/istio-1.18.2/manifests/charts/istio-cni/README.md
+++ /dev/null
@@ -1,43 +0,0 @@
-# Istio CNI Helm Chart
-
-This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
-for more information.
-
-## Setup Repo Info
-
-```console
-helm repo add istio https://istio-release.storage.googleapis.com/charts
-helm repo update
-```
-
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
-
-## Installing the Chart
-
-To install the chart with the release name `istio-cni`:
-
-```console
-helm install istio-cni istio/cni -n kube-system
-```
-
-Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
-`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
-'system-node-critical' outside of kube-system.
-
-## Ambient
-
-To enable ambient, you need to to add `--set cni.ambient.enabled=true`.
-
-### Calico
-
-For Calico, you must also modify the settings to allow source spoofing:
-
-- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
-- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
-
-## GKE notes
-
-On GKE, 'kube-system' is required.
-
-If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
-it is auto-detected.
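Review bot: if ambient mode on Calico was ever enabled by following the "Calico" section of this README, the Felix change it describes should be reverted together with this removal. The section sets `workloadSourceSpoofing` to `Any` (or `FELIX_WORKLOADSOURCESPOOFING=Any` on the `calico-node` daemonset), which by the README's own wording lets annotated pods skip the rpf check. Once this file is gone the repo no longer records why that setting is there, so either undo it or note in the commit message where it is still required.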
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt b/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt
deleted file mode 100644
index 99462824..00000000
--- a/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-"{{ .Release.Name }}" successfully installed!
-
-To learn more about the release, try:
- $ helm status {{ .Release.Name }}
- $ helm get all {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml
deleted file mode 100644
index 4f930e2e..00000000
--- a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-cni
- labels:
- app: istio-cni
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-rules:
-- apiGroups: [""]
- resources: ["pods","nodes","namespaces"]
- verbs: ["get", "list", "watch"]
----
-{{- if .Values.cni.repair.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-cni-repair-role
- labels:
- app: istio-cni
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch", "delete", "patch", "update" ]
-- apiGroups: [""]
- resources: ["events"]
- verbs: ["get", "list", "watch", "delete", "patch", "update", "create" ]
-{{- end }}
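Review bot: `istio-cni-repair-role`, the second document in this file, grants `delete`, `patch` and `update` on `pods`, and removing the template from the repo does not remove an already applied ClusterRole. Please confirm that `istio-cni` and `istio-cni-repair-role` are deleted from every cluster where this chart was installed (for example by `helm uninstall` of the release), and say so in the commit message.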
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml
deleted file mode 100644
index d7e4a861..00000000
--- a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-cni
- labels:
- app: istio-cni
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-cni
-subjects:
-- kind: ServiceAccount
- name: istio-cni
- namespace: {{ .Release.Namespace }}
----
-{{- if .Values.cni.repair.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-cni-repair-rolebinding
- labels:
- k8s-app: istio-cni-repair
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-subjects:
-- kind: ServiceAccount
- name: istio-cni
- namespace: {{ .Release.Namespace}}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-cni-repair-role
-{{- end }}
----
-{{- if ne .Values.cni.psp_cluster_role "" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istio-cni-psp
- namespace: {{ .Release.Namespace }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ .Values.cni.psp_cluster_role }}
-subjects:
-- kind: ServiceAccount
- name: istio-cni
- namespace: {{ .Release.Namespace }}
-{{- end }}
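Review bot: cleanup by label selector will miss two of the three bindings in this file. `istio-cni-repair-rolebinding` is labelled `k8s-app: istio-cni-repair` and has neither `app: istio-cni` nor `release`, and the `istio-cni-psp` RoleBinding has neither of those labels as well. When removing the applied objects, delete the bindings by name rather than with a selector such as `app=istio-cni`, and check for `istio-cni-psp` in the release namespace wherever `cni.psp_cluster_role` was set.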
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml
deleted file mode 100644
index de62a0c7..00000000
--- a/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{- $defaultBinDir :=
- (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
- "/home/kubernetes/bin"
- "/opt/cni/bin"
-}}
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: istio-cni-config
- namespace: {{ .Release.Namespace }}
- labels:
- app: istio-cni
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-data:
- # The CNI network configuration to add to the plugin chain on each node. The special
- # values in this config will be automatically populated.
- cni_network_config: |-
- {
- "cniVersion": "0.3.1",
- "name": "istio-cni",
- "type": "istio-cni",
- "log_level": {{ quote .Values.cni.logLevel }},
- "log_uds_address": "__LOG_UDS_ADDRESS__",
- {{if .Values.cni.ambient.enabled}}"ambient_enabled": true,{{end}}
- "kubernetes": {
- "kubeconfig": "__KUBECONFIG_FILEPATH__",
- "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }},
- "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ]
- }
- }
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml
deleted file mode 100644
index 6ce0e16a..00000000
--- a/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml
+++ /dev/null
@@ -1,202 +0,0 @@
-# This manifest installs the Istio install-cni container, as well
-# as the Istio CNI plugin and config on
-# each master and worker node in a Kubernetes cluster.
-{{- $defaultBinDir :=
- (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
- "/home/kubernetes/bin"
- "/opt/cni/bin"
-}}
-kind: DaemonSet
-apiVersion: apps/v1
-metadata:
- name: istio-cni-node
- namespace: {{ .Release.Namespace }}
- labels:
- k8s-app: istio-cni-node
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-spec:
- selector:
- matchLabels:
- k8s-app: istio-cni-node
- updateStrategy:
- type: RollingUpdate
- rollingUpdate:
- maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }}
- template:
- metadata:
- labels:
- k8s-app: istio-cni-node
- sidecar.istio.io/inject: "false"
- annotations:
- sidecar.istio.io/inject: "false"
- ambient.istio.io/redirection: disabled
- # Add Prometheus Scrape annotations
- prometheus.io/scrape: 'true'
- prometheus.io/port: "15014"
- prometheus.io/path: '/metrics'
- # Custom annotations
- {{- if .Values.cni.podAnnotations }}
-{{ toYaml .Values.cni.podAnnotations | indent 8 }}
- {{- end }}
- spec:
- {{if .Values.cni.ambient.enabled }}hostNetwork: true{{ end }}
- nodeSelector:
- kubernetes.io/os: linux
- # Can be configured to allow for excluding instio-cni from being scheduled on specified nodes
- {{- with .Values.cni.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- tolerations:
- # Make sure istio-cni-node gets scheduled on all nodes.
- - effect: NoSchedule
- operator: Exists
- # Mark the pod as a critical add-on for rescheduling.
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoExecute
- operator: Exists
- priorityClassName: system-node-critical
- serviceAccountName: istio-cni
- # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
- # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
- terminationGracePeriodSeconds: 5
- containers:
- # This container installs the Istio CNI binaries
- # and CNI network config file on each node.
- - name: install-cni
-{{- if contains "/" .Values.cni.image }}
- image: "{{ .Values.cni.image }}"
-{{- else }}
- image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}"
-{{- end }}
-{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }}
- imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }}
-{{- end }}
- readinessProbe:
- httpGet:
- path: /readyz
- port: 8000
- securityContext:
- runAsGroup: 0
- runAsUser: 0
- runAsNonRoot: false
- privileged: {{ .Values.cni.privileged }}
-{{- if .Values.cni.seccompProfile }}
- seccompProfile:
-{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }}
-{{- end }}
- command: ["install-cni"]
- args:
- {{- if .Values.global.logging.level }}
- - --log_output_level={{ .Values.global.logging.level }}
- {{- end}}
- {{- if .Values.global.logAsJson }}
- - --log_as_json
- {{- end}}
- env:
-{{- if .Values.cni.cniConfFileName }}
- # Name of the CNI config file to create.
- - name: CNI_CONF_NAME
- value: "{{ .Values.cni.cniConfFileName }}"
-{{- end }}
- # The CNI network config to install on each node.
- - name: CNI_NETWORK_CONFIG
- valueFrom:
- configMapKeyRef:
- name: istio-cni-config
- key: cni_network_config
- - name: CNI_NET_DIR
- value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }}
- # Deploy as a standalone CNI plugin or as chained?
- - name: CHAINED_CNI_PLUGIN
- value: "{{ .Values.cni.chained }}"
- - name: REPAIR_ENABLED
- value: "{{ .Values.cni.repair.enabled }}"
- - name: REPAIR_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: REPAIR_LABEL_PODS
- value: "{{.Values.cni.repair.labelPods}}"
- # Set to true to enable pod deletion
- - name: REPAIR_DELETE_PODS
- value: "{{.Values.cni.repair.deletePods}}"
- - name: REPAIR_RUN_AS_DAEMON
- value: "true"
- - name: REPAIR_SIDECAR_ANNOTATION
- value: "sidecar.istio.io/status"
- - name: REPAIR_INIT_CONTAINER_NAME
- value: "{{ .Values.cni.repair.initContainerName }}"
- - name: REPAIR_BROKEN_POD_LABEL_KEY
- value: "{{.Values.cni.repair.brokenPodLabelKey}}"
- - name: REPAIR_BROKEN_POD_LABEL_VALUE
- value: "{{.Values.cni.repair.brokenPodLabelValue}}"
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.nodeName
- - name: LOG_LEVEL
- value: {{ .Values.cni.logLevel | quote }}
- {{- if .Values.cni.ambient.enabled }}
- - name: AMBIENT_ENABLED
- value: "true"
- {{- if eq .Values.cni.ambient.redirectMode "ebpf"}}
- - name: EBPF_ENABLED
- value: "true"
- {{- end }}
- {{- end }}
- volumeMounts:
- - mountPath: /host/opt/cni/bin
- name: cni-bin-dir
- - mountPath: /host/etc/cni/net.d
- name: cni-net-dir
- - mountPath: /var/run/istio-cni
- name: cni-log-dir
- {{- if .Values.cni.ambient.enabled }}
- - mountPath: /etc/ambient-config
- name: cni-ambientconfig
- - mountPath: /var/run/netns
- mountPropagation: HostToContainer
- name: cni-netns-dir
- {{- if eq .Values.cni.ambient.redirectMode "ebpf"}}
- - mountPath: /sys/fs/bpf
- mountPropagation: Bidirectional
- name: cni-bpffs-dir
- {{- end }}
- {{ end }}
- resources:
-{{- if .Values.cni.resources }}
-{{ toYaml .Values.cni.resources | trim | indent 12 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
-{{- end }}
- volumes:
- # Used to install CNI.
- - name: cni-bin-dir
- hostPath:
- path: {{ .Values.cni.cniBinDir | default $defaultBinDir }}
- {{- if .Values.cni.ambient.enabled }}
- - name: cni-ambientconfig
- hostPath:
- path: /etc/ambient-config
- {{- end }}
- - name: cni-net-dir
- hostPath:
- path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }}
- # Used for UDS log
- - name: cni-log-dir
- hostPath:
- path: /var/run/istio-cni
- - name: cni-netns-dir
- hostPath:
- path: /var/run/netns
- {{- if eq .Values.cni.ambient.redirectMode "ebpf"}}
- - name: cni-bpffs-dir
- hostPath:
- path: /sys/fs/bpf
- {{- end }}
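Review bot: the `volumes` section at the end of this file shows the `install-cni` container, running with `runAsUser: 0`, wrote into hostPath directories: `cni-bin-dir`, `cni-net-dir` (default `/etc/cni/net.d`) and `/var/run/istio-cni`. Deleting the template from the repo does not by itself remove anything from nodes. Please confirm the `istio-cni-node` DaemonSet is uninstalled wherever it ran, and that the `istio-cni` plugin entry and binary are no longer present in those node directories, before relying on this commit as the removal.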
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml
deleted file mode 100644
index 15946ae7..00000000
--- a/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.cni.resourceQuotas.enabled }}
-apiVersion: v1
-kind: ResourceQuota
-metadata:
- name: istio-cni-resource-quota
- namespace: {{ .Release.Namespace }}
-spec:
- hard:
- pods: {{ .Values.cni.resourceQuotas.pods | quote }}
- scopeSelector:
- matchExpressions:
- - operator: In
- scopeName: PriorityClass
- values:
- - system-node-critical
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml
deleted file mode 100644
index 4645db63..00000000
--- a/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: istio-cni
- namespace: {{ .Release.Namespace }}
- labels:
- app: istio-cni
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
diff --git a/istio-1.18.2/manifests/charts/istio-cni/values.yaml b/istio-1.18.2/manifests/charts/istio-cni/values.yaml
deleted file mode 100644
index 157a9ee6..00000000
--- a/istio-1.18.2/manifests/charts/istio-cni/values.yaml
+++ /dev/null
@@ -1,127 +0,0 @@
-cni:
- hub: ""
- tag: ""
- variant: ""
- image: install-cni
- pullPolicy: ""
-
- # Configuration log level of istio-cni binary
- # by default istio-cni send all logs to UDS server
- # if want to see them you need change global.logging.level with cni:debug
- logLevel: debug
-
- # Configuration file to insert istio-cni plugin configuration
- # by default this will be the first file found in the cni-conf-dir
- # Example
- # cniConfFileName: 10-calico.conflist
-
- # CNI bin and conf dir override settings
- # defaults:
- cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin.
- cniConfDir: /etc/cni/net.d
- cniConfFileName: ""
-
- excludeNamespaces:
- - istio-system
- - kube-system
-
- # Allows user to set custom affinity for the DaemonSet
- affinity: {}
-
- # Custom annotations on pod level, if you need them
- podAnnotations: {}
-
- # If this value is set a RoleBinding will be created
- # in the same namespace as the istio-cni DaemonSet is created.
- # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount
- # e.g. if you use PodSecurityPolicies
- psp_cluster_role: ""
-
- # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
- # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
- chained: true
-
- # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift)
- privileged: false
-
- # Configure ambient settings
- ambient:
- # If enabled, ambient redirection will be enabled
- enabled: false
- # Set ambient redirection mode: "iptables" or "ebpf"
- redirectMode: "iptables"
-
- repair:
- enabled: true
- hub: ""
- tag: ""
-
- labelPods: true
- deletePods: true
-
- initContainerName: "istio-validation"
-
- brokenPodLabelKey: "cni.istio.io/uninitialized"
- brokenPodLabelValue: "true"
-
- # Set to `type: RuntimeDefault` to use the default profile if available.
- seccompProfile: {}
-
- resources:
- requests:
- cpu: 100m
- memory: 100Mi
-
- resourceQuotas:
- enabled: false
- pods: 5000
-
- # The number of pods that can be unavailable during rolling update (see
- # `updateStrategy.rollingUpdate.maxUnavailable` here:
- # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
- # May be specified as a number of pods or as a percent of the total number
- # of pods at the start of the update.
- rollingMaxUnavailable: 1
-
-# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
-revision: ""
-
-# For Helm compatibility.
-ownerName: ""
-
-global:
- # Default hub for Istio images.
- # Releases are published to docker hub under 'istio' project.
- # Dev builds from prow are on gcr.io
- hub: docker.io/istio
-
- # Default tag for Istio images.
- tag: 1.18.2
-
- # Variant of the image to use.
- # Currently supported are: [debug, distroless]
- variant: ""
-
- # Specify image pull policy if default behavior isn't desired.
- # Default behavior: latest images will be Always else IfNotPresent.
- imagePullPolicy: ""
-
- # change cni scope level to control logging out of istio-cni-node DaemonSet
- logging:
- level: default:info,cni:info
-
- logAsJson: false
-
- # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
- # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
- # - private-registry-key
-
- # Default resources allocated
- defaultResources:
- requests:
- cpu: 100m
- memory: 100Mi
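Review bot: please state in the commit message where the settings recorded in this values.yaml come from after the deletion. The file pins the images (`global.hub: docker.io/istio`, `global.tag: 1.18.2`) and carries the security-relevant defaults `cni.privileged: false`, `cni.seccompProfile: {}` and `cni.repair.deletePods: true`. A reviewer needs to be able to see the effective values for those keys, in particular the image tag and `privileged`, in whatever replaces this vendored copy.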
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml
deleted file mode 100644
index 321d0f12..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-name: istiod
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for istio control plane
-keywords:
- - istio
- - istiod
- - istio-discovery
-sources:
- - https://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md
deleted file mode 100644
index 9d4d07a4..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# Istiod Helm Chart
-
-This chart installs an Istiod deployment.
-
-## Setup Repo Info
-
-```console
-helm repo add istio https://istio-release.storage.googleapis.com/charts
-helm repo update
-```
-
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
-
-## Installing the Chart
-
-Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
-
-To install the chart with the release name `istiod`:
-
-```console
-kubectl create namespace istio-system
-helm install istiod istio/istiod --namespace istio-system
-```
-
-## Uninstalling the Chart
-
-To uninstall/delete the `istiod` deployment:
-
-```console
-helm delete istiod --namespace istio-system
-```
-
-## Configuration
-
-To view support configuration options and documentation, run:
-
-```console
-helm show values istio/istiod
-```
-
-### Examples
-
-#### Configuring mesh configuration settings
-
-Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
-
-```yaml
-meshConfig:
- accessLogFile: /dev/stdout
-```
-
-#### Revisions
-
-Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
-This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
-
-```yaml
-revision: my-revision-name
-```
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml
deleted file mode 100644
index 5002c03f..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml
+++ /dev/null
@@ -1,237 +0,0 @@
-{{- $containers := list }}
-{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
-metadata:
- labels:
- service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
- service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
- annotations: {
- istio.io/rev: {{ .Revision | default "default" | quote }},
- {{- if eq (len $containers) 1 }}
- kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
- kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
- {{ end }}
- }
-spec:
- containers:
- - name: istio-proxy
- {{- if contains "/" .Values.global.proxy.image }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- ports:
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- args:
- - proxy
- - router
- - --domain
- - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
- {{- if .Values.global.sts.servicePort }}
- - --stsPort={{ .Values.global.sts.servicePort }}
- {{- end }}
- {{- if .Values.global.logAsJson }}
- - --log_as_json
- {{- end }}
- {{- if .Values.global.proxy.lifecycle }}
- lifecycle:
- {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
- {{- end }}
- env:
- - name: JWT_POLICY
- value: {{ .Values.global.jwtPolicy }}
- - name: PILOT_CERT_PROVIDER
- value: {{ .Values.global.pilotCertProvider }}
- - name: CA_ADDR
- {{- if .Values.global.caAddress }}
- value: {{ .Values.global.caAddress }}
- {{- else }}
- value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
- {{- end }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: HOST_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: ISTIO_CPU_LIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.cpu
- - name: PROXY_CONFIG
- value: |
- {{ protoToJSON .ProxyConfig }}
- - name: ISTIO_META_POD_PORTS
- value: |-
- [
- {{- $first := true }}
- {{- range $index1, $c := .Spec.Containers }}
- {{- range $index2, $p := $c.Ports }}
- {{- if (structToJSON $p) }}
- {{if not $first}},{{end}}{{ structToJSON $p }}
- {{- $first = false }}
- {{- end }}
- {{- end}}
- {{- end}}
- ]
- - name: ISTIO_META_APP_CONTAINERS
- value: "{{ $containers | join "," }}"
- - name: ISTIO_META_CLUSTER_ID
- value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: ISTIO_META_INTERCEPTION_MODE
- value: "{{ .ProxyConfig.InterceptionMode.String }}"
- {{- if .Values.global.network }}
- - name: ISTIO_META_NETWORK
- value: "{{ .Values.global.network }}"
- {{- end }}
- {{- if .DeploymentMeta.Name }}
- - name: ISTIO_META_WORKLOAD_NAME
- value: "{{ .DeploymentMeta.Name }}"
- {{ end }}
- {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
- {{- end}}
- {{- if .Values.global.meshID }}
- - name: ISTIO_META_MESH_ID
- value: "{{ .Values.global.meshID }}"
- {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: ISTIO_META_MESH_ID
- value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
- {{- end }}
- {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: TRUST_DOMAIN
- value: "{{ . }}"
- {{- end }}
- {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- readinessProbe:
- httpGet:
- path: /healthz/ready
- port: 15021
- initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
- periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
- timeoutSeconds: 3
- failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
- volumeMounts:
- - name: workload-socket
- mountPath: /var/run/secrets/workload-spiffe-uds
- - name: credential-socket
- mountPath: /var/run/secrets/credential-uds
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- mountPath: /var/run/secrets/workload-spiffe-credentials
- readOnly: true
- {{- else }}
- - name: workload-certs
- mountPath: /var/run/secrets/workload-spiffe-credentials
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- {{- end }}
- - mountPath: /var/lib/istio/data
- name: istio-data
- # SDS channel between istioagent and Envoy
- - mountPath: /etc/istio/proxy
- name: istio-envoy
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- {{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - mountPath: /etc/certs/
- name: istio-certs
- readOnly: true
- {{- end }}
- - name: istio-podinfo
- mountPath: /etc/istio/pod
- volumes:
- - emptyDir: {}
- name: workload-socket
- - emptyDir: {}
- name: credential-socket
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- csi:
- driver: workloadcertificates.security.cloud.google.com
- {{- else}}
- - emptyDir: {}
- name: workload-certs
- {{- end }}
- # SDS channel between istioagent and Envoy
- - emptyDir:
- medium: Memory
- name: istio-envoy
- - name: istio-data
- emptyDir: {}
- - name: istio-podinfo
- downwardAPI:
- items:
- - path: "labels"
- fieldRef:
- fieldPath: metadata.labels
- - path: "annotations"
- fieldRef:
- fieldPath: metadata.annotations
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- path: istio-token
- expirationSeconds: 43200
- audience: {{ .Values.global.sds.token.aud }}
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - name: istiod-ca-cert
- configMap:
- name: istio-ca-root-cert
- {{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - name: istio-certs
- secret:
- optional: true
- {{ if eq .Spec.ServiceAccountName "" }}
- secretName: istio.default
- {{ else -}}
- secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
- {{ end -}}
- {{- end }}
- {{- if .Values.global.imagePullSecrets }}
- imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
- {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
- securityContext:
- fsGroup: 1337
- {{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml
deleted file mode 100644
index 2bd67367..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml
+++ /dev/null
@@ -1,320 +0,0 @@
-{{- define "resources" }}
- {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
- {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
- requests:
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
- cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
- {{ end }}
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
- memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
- {{ end }}
- {{- end }}
- {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
- limits:
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
- cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
- {{ end }}
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
- memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
- {{ end }}
- {{- end }}
- {{- else }}
- {{- if .Values.global.proxy.resources }}
- {{ toYaml .Values.global.proxy.resources | indent 6 }}
- {{- end }}
- {{- end }}
-{{- end }}
-{{- $containers := list }}
-{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
-metadata:
- labels:
- {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
- service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
- service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
- annotations: {
- istio.io/rev: {{ .Revision | default "default" }},
- {{- if ge (len $containers) 1 }}
- {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
- kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
- {{- end }}
- {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
- kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
- {{- end }}
- {{- end }}
- sidecar.istio.io/rewriteAppHTTPProbers: "false",
- }
-spec:
- containers:
- - name: istio-proxy
- {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- ports:
- - containerPort: 15020
- protocol: TCP
- name: mesh-metrics
- args:
- - proxy
- - sidecar
- - --domain
- - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
- {{- if .Values.global.sts.servicePort }}
- - --stsPort={{ .Values.global.sts.servicePort }}
- {{- end }}
- {{- if .Values.global.logAsJson }}
- - --log_as_json
- {{- end }}
- lifecycle:
- postStart:
- exec:
- command:
- - pilot-agent
- - wait
- - --url=http://localhost:15020/healthz/ready
- env:
- - name: ISTIO_META_GENERATOR
- value: grpc
- - name: OUTPUT_CERTS
- value: /var/lib/istio/data
- {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
- value: "true"
- {{- end }}
- - name: JWT_POLICY
- value: {{ .Values.global.jwtPolicy }}
- - name: PILOT_CERT_PROVIDER
- value: {{ .Values.global.pilotCertProvider }}
- - name: CA_ADDR
- {{- if .Values.global.caAddress }}
- value: {{ .Values.global.caAddress }}
- {{- else }}
- value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
- {{- end }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: HOST_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: PROXY_CONFIG
- value: |
- {{ protoToJSON .ProxyConfig }}
- - name: ISTIO_META_POD_PORTS
- value: |-
- [
- {{- $first := true }}
- {{- range $index1, $c := .Spec.Containers }}
- {{- range $index2, $p := $c.Ports }}
- {{- if (structToJSON $p) }}
- {{if not $first}},{{end}}{{ structToJSON $p }}
- {{- $first = false }}
- {{- end }}
- {{- end}}
- {{- end}}
- ]
- - name: ISTIO_META_APP_CONTAINERS
- value: "{{ $containers | join "," }}"
- - name: ISTIO_META_CLUSTER_ID
- value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- {{- if .Values.global.network }}
- - name: ISTIO_META_NETWORK
- value: "{{ .Values.global.network }}"
- {{- end }}
- {{- if .DeploymentMeta.Name }}
- - name: ISTIO_META_WORKLOAD_NAME
- value: "{{ .DeploymentMeta.Name }}"
- {{ end }}
- {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
- {{- end}}
- {{- if .Values.global.meshID }}
- - name: ISTIO_META_MESH_ID
- value: "{{ .Values.global.meshID }}"
- {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: ISTIO_META_MESH_ID
- value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
- {{- end }}
- {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: TRUST_DOMAIN
- value: "{{ . }}"
- {{- end }}
- {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- # grpc uses xds:/// to resolve – no need to resolve VIP
- - name: ISTIO_META_DNS_CAPTURE
- value: "false"
- - name: DISABLE_ENVOY
- value: "true"
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
- readinessProbe:
- httpGet:
- path: /healthz/ready
- port: 15020
- initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
- periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
- timeoutSeconds: 3
- failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
- resources:
- {{ template "resources" . }}
- volumeMounts:
- - name: workload-socket
- mountPath: /var/run/secrets/workload-spiffe-uds
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- mountPath: /var/run/secrets/workload-spiffe-credentials
- readOnly: true
- {{- else }}
- - name: workload-certs
- mountPath: /var/run/secrets/workload-spiffe-credentials
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- {{- end }}
- - mountPath: /var/lib/istio/data
- name: istio-data
- # UDS channel between istioagent and gRPC client for XDS/SDS
- - mountPath: /etc/istio/proxy
- name: istio-xds
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- {{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - mountPath: /etc/certs/
- name: istio-certs
- readOnly: true
- {{- end }}
- - name: istio-podinfo
- mountPath: /etc/istio/pod
- {{- end }}
- {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
- {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- - name: "{{ $index }}"
- {{ toYaml $value | indent 6 }}
- {{ end }}
- {{- end }}
-{{- range $index, $container := .Spec.Containers }}
-{{ if not (eq $container.Name "istio-proxy") }}
- - name: {{ $container.Name }}
- env:
- - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
- value: "true"
- - name: "GRPC_XDS_BOOTSTRAP"
- value: "/etc/istio/proxy/grpc-bootstrap.json"
- volumeMounts:
- - mountPath: /var/lib/istio/data
- name: istio-data
- # UDS channel between istioagent and gRPC client for XDS/SDS
- - mountPath: /etc/istio/proxy
- name: istio-xds
- {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- mountPath: /var/run/secrets/workload-spiffe-credentials
- readOnly: true
- {{- else }}
- - name: workload-certs
- mountPath: /var/run/secrets/workload-spiffe-credentials
- {{- end }}
-{{- end }}
-{{- end }}
- volumes:
- - emptyDir:
- name: workload-socket
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- csi:
- driver: workloadcertificates.security.cloud.google.com
- {{- else }}
- - emptyDir:
- name: workload-certs
- {{- end }}
- {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- - name: custom-bootstrap-volume
- configMap:
- name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
- {{- end }}
- # SDS channel between istioagent and Envoy
- - emptyDir:
- medium: Memory
- name: istio-xds
- - name: istio-data
- emptyDir: {}
- - name: istio-podinfo
- downwardAPI:
- items:
- - path: "labels"
- fieldRef:
- fieldPath: metadata.labels
- - path: "annotations"
- fieldRef:
- fieldPath: metadata.annotations
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- path: istio-token
- expirationSeconds: 43200
- audience: {{ .Values.global.sds.token.aud }}
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - name: istiod-ca-cert
- configMap:
- name: istio-ca-root-cert
- {{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - name: istio-certs
- secret:
- optional: true
- {{ if eq .Spec.ServiceAccountName "" }}
- secretName: istio.default
- {{ else -}}
- secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
- {{ end -}}
- {{- end }}
- {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
- {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- - name: "{{ $index }}"
- {{ toYaml $value | indent 4 }}
- {{ end }}
- {{ end }}
- {{- if .Values.global.imagePullSecrets }}
- imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
- {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
- securityContext:
- fsGroup: 1337
- {{- end }}
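Review bot: the removal of the application-container block (GRPC_XDS_BOOTSTRAP set to /etc/istio/proxy/grpc-bootstrap.json, the istio-xds mount) and of the volumes list below it needs a stated replacement, because every visible line here is a deletion and nothing shows where this template is sourced from afterwards. Please record in the commit message where injection templates come from after this change, and confirm that no values file or injector configuration in the repository still names a template from this directory. Two details to check against whatever replaces it: the sidecar.istio.io/userVolume and sidecar.istio.io/userVolumeMount annotations were passed through fromJSON and toYaml straight into the pod spec, and the istio-token projected volume used expirationSeconds: 43200 with the audience taken from .Values.global.sds.token.aud.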
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml
deleted file mode 100644
index 9ba0c7a4..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-metadata:
- annotations:
- sidecar.istio.io/rewriteAppHTTPProbers: "false"
-spec:
- initContainers:
- - name: grpc-bootstrap-init
- image: busybox:1.28
- volumeMounts:
- - mountPath: /var/lib/grpc/data/
- name: grpc-io-proxyless-bootstrap
- env:
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: ISTIO_NAMESPACE
- value: |
- {{ .Values.global.istioNamespace }}
- command:
- - sh
- - "-c"
- - |-
- NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
- SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
- echo '
- {
- "xds_servers": [
- {
- "server_uri": "'${SERVER_URI}'",
- "channel_creds": [{"type": "insecure"}],
- "server_features" : ["xds_v3"]
- }
- ],
- "node": {
- "id": "'${NODE_ID}'",
- "metadata": {
- "GENERATOR": "grpc"
- }
- }
- }' > /var/lib/grpc/data/bootstrap.json
- containers:
- {{- range $index, $container := .Spec.Containers }}
- - name: {{ $container.Name }}
- env:
- - name: GRPC_XDS_BOOTSTRAP
- value: /var/lib/grpc/data/bootstrap.json
- - name: GRPC_GO_LOG_VERBOSITY_LEVEL
- value: "99"
- - name: GRPC_GO_LOG_SEVERITY_LEVEL
- value: info
- volumeMounts:
- - mountPath: /var/lib/grpc/data/
- name: grpc-io-proxyless-bootstrap
- {{- end }}
- volumes:
- - name: grpc-io-proxyless-bootstrap
- emptyDir: {}
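Review bot: call out in the commit message that the grpc-bootstrap-init script removed here configured xDS with '"channel_creds": [{"type": "insecure"}]' against istiod.${ISTIO_NAMESPACE}.svc:15010, and check before merging that no workload still selects this template, since those pods would lose both GRPC_XDS_BOOTSTRAP and the grpc-io-proxyless-bootstrap volume. If an equivalent template is kept elsewhere, it should not carry over GRPC_GO_LOG_VERBOSITY_LEVEL "99" or the tag-only busybox:1.28 image reference, which is not pinned by digest.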
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
deleted file mode 100644
index a05fd576..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
+++ /dev/null
@@ -1,513 +0,0 @@
-{{- define "resources" }}
- {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
- {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
- requests:
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
- cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
- {{ end }}
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
- memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
- {{ end }}
- {{- end }}
- {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
- limits:
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
- cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
- {{ end }}
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
- memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
- {{ end }}
- {{- end }}
- {{- else }}
- {{- if .Values.global.proxy.resources }}
- {{ toYaml .Values.global.proxy.resources | indent 6 }}
- {{- end }}
- {{- end }}
-{{- end }}
-{{- $containers := list }}
-{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
-metadata:
- labels:
- security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
- {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
- networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }}
- {{- end }}
- service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
- service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
- annotations: {
- istio.io/rev: {{ .Revision | default "default" | quote }},
- {{- if ge (len $containers) 1 }}
- {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
- kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
- {{- end }}
- {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
- kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
- {{- end }}
- {{- end }}
-{{- if .Values.istio_cni.enabled }}
- {{- if not .Values.istio_cni.chained }}
- k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
- {{- end }}
- sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
- {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
- {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
- {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }}
- traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
- {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
- traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
- {{- end }}
- {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
- traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
- {{- end }}
- {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
- {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
-{{- end }}
- }
-spec:
- {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
- initContainers:
- {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
- {{ if .Values.istio_cni.enabled -}}
- - name: istio-validation
- {{ else -}}
- - name: istio-init
- {{ end -}}
- {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- args:
- - istio-iptables
- - "-p"
- - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
- - "-z"
- - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
- - "-u"
- - "1337"
- - "-m"
- - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
- - "-i"
- - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
- - "-x"
- - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
- - "-b"
- - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
- - "-d"
- {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
- - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
- {{- else }}
- - "15090,15021"
- {{- end }}
- {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
- - "-q"
- - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
- {{ end -}}
- {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
- - "-o"
- - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
- {{ end -}}
- {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
- - "-k"
- - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
- {{ end -}}
- {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
- - "-c"
- - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
- {{ end -}}
- - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
- {{ if .Values.global.logAsJson -}}
- - "--log_as_json"
- {{ end -}}
- {{ if .Values.istio_cni.enabled -}}
- - "--run-validation"
- - "--skip-rule-apply"
- {{ end -}}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- {{- if .ProxyConfig.ProxyMetadata }}
- env:
- {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{- end }}
- resources:
- {{ template "resources" . }}
- securityContext:
- allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
- privileged: {{ .Values.global.proxy.privileged }}
- capabilities:
- {{- if not .Values.istio_cni.enabled }}
- add:
- - NET_ADMIN
- - NET_RAW
- {{- end }}
- drop:
- - ALL
- {{- if not .Values.istio_cni.enabled }}
- readOnlyRootFilesystem: false
- runAsGroup: 0
- runAsNonRoot: false
- runAsUser: 0
- {{- else }}
- readOnlyRootFilesystem: true
- runAsGroup: 1337
- runAsUser: 1337
- runAsNonRoot: true
- {{- end }}
- {{ end -}}
- {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- - name: enable-core-dump
- args:
- - -c
- - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
- command:
- - /bin/sh
- {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- resources:
- {{ template "resources" . }}
- securityContext:
- allowPrivilegeEscalation: true
- capabilities:
- add:
- - SYS_ADMIN
- drop:
- - ALL
- privileged: true
- readOnlyRootFilesystem: false
- runAsGroup: 0
- runAsNonRoot: false
- runAsUser: 0
- {{ end }}
- containers:
- - name: istio-proxy
- {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- ports:
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- args:
- - proxy
- - sidecar
- - --domain
- - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
- {{- if .Values.global.sts.servicePort }}
- - --stsPort={{ .Values.global.sts.servicePort }}
- {{- end }}
- {{- if .Values.global.logAsJson }}
- - --log_as_json
- {{- end }}
- {{- if .Values.global.proxy.lifecycle }}
- lifecycle:
- {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
- {{- else if $holdProxy }}
- lifecycle:
- postStart:
- exec:
- command:
- - pilot-agent
- - wait
- {{- end }}
- env:
- {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
- value: "true"
- {{- end }}
- - name: JWT_POLICY
- value: {{ .Values.global.jwtPolicy }}
- - name: PILOT_CERT_PROVIDER
- value: {{ .Values.global.pilotCertProvider }}
- - name: CA_ADDR
- {{- if .Values.global.caAddress }}
- value: {{ .Values.global.caAddress }}
- {{- else }}
- value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
- {{- end }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: HOST_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: ISTIO_CPU_LIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.cpu
- - name: PROXY_CONFIG
- value: |
- {{ protoToJSON .ProxyConfig }}
- - name: ISTIO_META_POD_PORTS
- value: |-
- [
- {{- $first := true }}
- {{- range $index1, $c := .Spec.Containers }}
- {{- range $index2, $p := $c.Ports }}
- {{- if (structToJSON $p) }}
- {{if not $first}},{{end}}{{ structToJSON $p }}
- {{- $first = false }}
- {{- end }}
- {{- end}}
- {{- end}}
- ]
- - name: ISTIO_META_APP_CONTAINERS
- value: "{{ $containers | join "," }}"
- - name: ISTIO_META_CLUSTER_ID
- value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: ISTIO_META_INTERCEPTION_MODE
- value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
- {{- if .Values.global.network }}
- - name: ISTIO_META_NETWORK
- value: "{{ .Values.global.network }}"
- {{- end }}
- {{- if .DeploymentMeta.Name }}
- - name: ISTIO_META_WORKLOAD_NAME
- value: "{{ .DeploymentMeta.Name }}"
- {{ end }}
- {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
- {{- end}}
- {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- - name: ISTIO_BOOTSTRAP_OVERRIDE
- value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
- {{- end }}
- {{- if .Values.global.meshID }}
- - name: ISTIO_META_MESH_ID
- value: "{{ .Values.global.meshID }}"
- {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: ISTIO_META_MESH_ID
- value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
- {{- end }}
- {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: TRUST_DOMAIN
- value: "{{ . }}"
- {{- end }}
- {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{- end }}
- {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
- readinessProbe:
- httpGet:
- path: /healthz/ready
- port: 15021
- initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
- periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
- timeoutSeconds: 3
- failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
- {{ end -}}
- securityContext:
- {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
- allowPrivilegeEscalation: true
- capabilities:
- add:
- - NET_ADMIN
- drop:
- - ALL
- privileged: true
- readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- runAsGroup: 1337
- runAsNonRoot: false
- runAsUser: 0
- {{- else }}
- allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
- capabilities:
- {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
- add:
- {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
- - NET_ADMIN
- {{- end }}
- {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
- - NET_BIND_SERVICE
- {{- end }}
- {{- end }}
- drop:
- - ALL
- privileged: {{ .Values.global.proxy.privileged }}
- readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- runAsGroup: 1337
- {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
- runAsNonRoot: false
- runAsUser: 0
- {{- else -}}
- runAsNonRoot: true
- runAsUser: 1337
- {{- end }}
- {{- end }}
- resources:
- {{ template "resources" . }}
- volumeMounts:
- - name: workload-socket
- mountPath: /var/run/secrets/workload-spiffe-uds
- - name: credential-socket
- mountPath: /var/run/secrets/credential-uds
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- mountPath: /var/run/secrets/workload-spiffe-credentials
- readOnly: true
- {{- else }}
- - name: workload-certs
- mountPath: /var/run/secrets/workload-spiffe-credentials
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
- - mountPath: /var/run/secrets/istio/kubernetes
- name: kube-ca-cert
- {{- end }}
- - mountPath: /var/lib/istio/data
- name: istio-data
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- - mountPath: /etc/istio/custom-bootstrap
- name: custom-bootstrap-volume
- {{- end }}
- # SDS channel between istioagent and Envoy
- - mountPath: /etc/istio/proxy
- name: istio-envoy
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- {{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - mountPath: /etc/certs/
- name: istio-certs
- readOnly: true
- {{- end }}
- - name: istio-podinfo
- mountPath: /etc/istio/pod
- {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
- name: lightstep-certs
- readOnly: true
- {{- end }}
- {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
- {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- - name: "{{ $index }}"
- {{ toYaml $value | indent 6 }}
- {{ end }}
- {{- end }}
- volumes:
- - emptyDir:
- name: workload-socket
- - emptyDir:
- name: credential-socket
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- csi:
- driver: workloadcertificates.security.cloud.google.com
- {{- else }}
- - emptyDir:
- name: workload-certs
- {{- end }}
- {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- - name: custom-bootstrap-volume
- configMap:
- name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
- {{- end }}
- # SDS channel between istioagent and Envoy
- - emptyDir:
- medium: Memory
- name: istio-envoy
- - name: istio-data
- emptyDir: {}
- - name: istio-podinfo
- downwardAPI:
- items:
- - path: "labels"
- fieldRef:
- fieldPath: metadata.labels
- - path: "annotations"
- fieldRef:
- fieldPath: metadata.annotations
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- path: istio-token
- expirationSeconds: 43200
- audience: {{ .Values.global.sds.token.aud }}
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - name: istiod-ca-cert
- configMap:
- name: istio-ca-root-cert
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
- - name: kube-ca-cert
- configMap:
- name: kube-root-ca.crt
- {{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - name: istio-certs
- secret:
- optional: true
- {{ if eq .Spec.ServiceAccountName "" }}
- secretName: istio.default
- {{ else -}}
- secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
- {{ end -}}
- {{- end }}
- {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
- {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- - name: "{{ $index }}"
- {{ toYaml $value | indent 4 }}
- {{ end }}
- {{ end }}
- {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- - name: lightstep-certs
- secret:
- optional: true
- secretName: lightstep.cacert
- {{- end }}
- {{- if .Values.global.imagePullSecrets }}
- imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
- {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
- securityContext:
- fsGroup: 1337
- {{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml
deleted file mode 100644
index ec80744c..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml
+++ /dev/null
@@ -1,312 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{.ServiceAccount | quote}}
- namespace: {{.Namespace | quote}}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{.DeploymentName | quote}}
- namespace: {{.Namespace | quote}}
- annotations:
- {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
- labels:
- {{- toJsonMap .Labels | nindent 4 }}
- ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
- kind: Gateway
- name: {{.Name}}
- uid: "{{.UID}}"
-spec:
- selector:
- matchLabels:
- istio.io/gateway-name: {{.Name}}
- template:
- metadata:
- annotations:
- {{- toJsonMap
- (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
- (strdict "istio.io/rev" (.Revision | default "default"))
- (strdict
- "prometheus.io/path" "/stats/prometheus"
- "prometheus.io/port" "15020"
- "prometheus.io/scrape" "true"
- ) | nindent 8 }}
- labels:
- {{- toJsonMap
- (strdict
- "sidecar.istio.io/inject" "false"
- "service.istio.io/canonical-name" .DeploymentName
- "service.istio.io/canonical-revision" "latest"
- )
- .Labels
- (strdict "istio.io/gateway-name" .Name) | nindent 8}}
- spec:
- {{- if .KubeVersion122 }}
- {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}}
- securityContext:
- sysctls:
- - name: net.ipv4.ip_unprivileged_port_start
- value: "0"
- {{- end }}
- serviceAccountName: {{.ServiceAccount | quote}}
- containers:
- - name: istio-proxy
- image: "{{ .ProxyImage }}"
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- securityContext:
- {{- if .KubeVersion122 }}
- # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
- capabilities:
- drop:
- - ALL
- allowPrivilegeEscalation: false
- privileged: false
- readOnlyRootFilesystem: true
- runAsUser: 1337
- runAsGroup: 1337
- runAsNonRoot: true
- {{- else }}
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- runAsUser: 0
- runAsGroup: 1337
- runAsNonRoot: false
- allowPrivilegeEscalation: true
- readOnlyRootFilesystem: true
- {{- end }}
- ports:
- - containerPort: 15021
- name: status-port
- protocol: TCP
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- args:
- - proxy
- - router
- - --domain
- - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- - --proxyLogLevel
- - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
- - --proxyComponentLogLevel
- - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
- - --log_output_level
- - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
- {{- if .Values.global.sts.servicePort }}
- - --stsPort={{ .Values.global.sts.servicePort }}
- {{- end }}
- {{- if .Values.global.logAsJson }}
- - --log_as_json
- {{- end }}
- {{- if .Values.global.proxy.lifecycle }}
- lifecycle:
- {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
- {{- end }}
- env:
- - name: JWT_POLICY
- value: {{ .Values.global.jwtPolicy }}
- - name: PILOT_CERT_PROVIDER
- value: {{ .Values.global.pilotCertProvider }}
- - name: CA_ADDR
- {{- if .Values.global.caAddress }}
- value: {{ .Values.global.caAddress }}
- {{- else }}
- value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
- {{- end }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: HOST_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: ISTIO_CPU_LIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.cpu
- - name: PROXY_CONFIG
- value: |
- {{ protoToJSON .ProxyConfig }}
- - name: ISTIO_META_POD_PORTS
- value: "[]"
- - name: ISTIO_META_APP_CONTAINERS
- value: ""
- - name: ISTIO_META_CLUSTER_ID
- value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: ISTIO_META_INTERCEPTION_MODE
- value: "{{ .ProxyConfig.InterceptionMode.String }}"
- {{- if .Values.global.network }}
- - name: ISTIO_META_NETWORK
- value: "{{ .Values.global.network }}"
- {{- end }}
- - name: ISTIO_META_WORKLOAD_NAME
- value: {{.DeploymentName|quote}}
- - name: ISTIO_META_OWNER
- value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
- {{- if .Values.global.meshID }}
- - name: ISTIO_META_MESH_ID
- value: "{{ .Values.global.meshID }}"
- {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: ISTIO_META_MESH_ID
- value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
- {{- end }}
- {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: TRUST_DOMAIN
- value: "{{ . }}"
- {{- end }}
- {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{- with (index .Labels "topology.istio.io/network") }}
- - name: ISTIO_META_REQUESTED_NETWORK_VIEW
- value: {{.|quote}}
- {{- end }}
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthz/ready
- port: 15021
- scheme: HTTP
- initialDelaySeconds: 1
- periodSeconds: 1
- successThreshold: 1
- timeoutSeconds: 1
- readinessProbe:
- failureThreshold: 4
- httpGet:
- path: /healthz/ready
- port: 15021
- scheme: HTTP
- initialDelaySeconds: 0
- periodSeconds: 15
- successThreshold: 1
- timeoutSeconds: 1
- volumeMounts:
- - name: workload-socket
- mountPath: /var/run/secrets/workload-spiffe-uds
- - name: credential-socket
- mountPath: /var/run/secrets/credential-uds
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- mountPath: /var/run/secrets/workload-spiffe-credentials
- readOnly: true
- {{- else }}
- - name: workload-certs
- mountPath: /var/run/secrets/workload-spiffe-credentials
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- {{- end }}
- - mountPath: /var/lib/istio/data
- name: istio-data
- # SDS channel between istioagent and Envoy
- - mountPath: /etc/istio/proxy
- name: istio-envoy
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- {{- end }}
- - name: istio-podinfo
- mountPath: /etc/istio/pod
- volumes:
- - emptyDir: {}
- name: workload-socket
- - emptyDir: {}
- name: credential-socket
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- csi:
- driver: workloadcertificates.security.cloud.google.com
- {{- else}}
- - emptyDir: {}
- name: workload-certs
- {{- end }}
- # SDS channel between istioagent and Envoy
- - emptyDir:
- medium: Memory
- name: istio-envoy
- - name: istio-data
- emptyDir: {}
- - name: istio-podinfo
- downwardAPI:
- items:
- - path: "labels"
- fieldRef:
- fieldPath: metadata.labels
- - path: "annotations"
- fieldRef:
- fieldPath: metadata.annotations
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- path: istio-token
- expirationSeconds: 43200
- audience: {{ .Values.global.sds.token.aud }}
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - name: istiod-ca-cert
- configMap:
- name: istio-ca-root-cert
- {{- end }}
- {{- if .Values.global.imagePullSecrets }}
- imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
- labels:
- {{ toJsonMap .Labels | nindent 4}}
- name: {{.DeploymentName | quote}}
- namespace: {{.Namespace | quote}}
- ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
- kind: Gateway
- name: {{.Name}}
- uid: {{.UID}}
-spec:
- ports:
- {{- range $key, $val := .Ports }}
- - name: {{ $val.Name | quote }}
- port: {{ $val.Port }}
- protocol: TCP
- appProtocol: {{ $val.AppProtocol }}
- {{- end }}
- selector:
- istio.io/gateway-name: {{.Name}}
- {{- if .Spec.Addresses }}
- loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
- {{- end }}
- type: {{ index .Annotations "networking.istio.io/service-type" | default "LoadBalancer" | quote }}
----
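Review bot: the `{{- else }}` branch of the istio-proxy `securityContext` in this deleted template ran the gateway with `runAsUser: 0`, `runAsNonRoot: false` and `allowPrivilegeEscalation: true`, adding `NET_BIND_SERVICE`, whenever `.KubeVersion122` was false. Deleting the file does not change Deployments that were already rendered from it, so the PR description should say which template renders gateways from now on and whether existing gateway Deployments need to be re-rendered with the non-root settings (`runAsUser: 1337`, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`).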
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml
deleted file mode 100644
index aa5374cd..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml
+++ /dev/null
@@ -1,238 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{.ServiceAccount | quote}}
- namespace: {{.Namespace | quote}}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{.DeploymentName | quote}}
- namespace: {{.Namespace | quote}}
- annotations:
- {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
- labels:
- {{- toJsonMap .Labels | nindent 4 }}
- ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
- kind: Gateway
- name: "{{.Name}}"
- uid: "{{.UID}}"
-spec:
- selector:
- matchLabels:
- istio.io/gateway-name: "{{.Name}}"
- template:
- metadata:
- annotations:
- {{- toJsonMap
- (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
- (strdict "istio.io/rev" (.Revision | default "default"))
- (strdict
- "ambient.istio.io/redirection" "disabled"
- "prometheus.io/path" "/stats/prometheus"
- "prometheus.io/port" "15020"
- "prometheus.io/scrape" "true"
- ) | nindent 8 }}
- labels:
- {{- toJsonMap
- (strdict
- "sidecar.istio.io/inject" "false"
- "service.istio.io/canonical-name" .DeploymentName
- "service.istio.io/canonical-revision" "latest"
- )
- .Labels
- (strdict
- "istio.io/gateway-name" .Name
- "gateway.istio.io/managed" "istio.io-mesh-controller"
- ) | nindent 8}}
- spec:
- terminationGracePeriodSeconds: 2
- serviceAccountName: {{.ServiceAccount | quote}}
- containers:
- - args:
- - proxy
- - waypoint
- - --domain
- - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- - --serviceCluster
- - {{.ServiceAccount}}.$(POD_NAMESPACE)
- - --proxyLogLevel
- - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
- - --proxyComponentLogLevel
- - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
- - --log_output_level
- - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
- {{- if .Values.global.logAsJson }}
- - --log_as_json
- {{- end }}
- env:
- - name: ISTIO_META_SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: JWT_POLICY
- value: {{ .Values.global.jwtPolicy }}
- - name: PILOT_CERT_PROVIDER
- value: {{ .Values.global.pilotCertProvider }}
- - name: CA_ADDR
- {{- if .Values.global.caAddress }}
- value: {{ .Values.global.caAddress }}
- {{- else }}
- value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
- {{- end }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: HOST_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: ISTIO_CPU_LIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.cpu
- - name: PROXY_CONFIG
- value: |
- {{ protoToJSON .ProxyConfig }}
- - name: ISTIO_META_CLUSTER_ID
- value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- - name: ISTIO_META_INTERCEPTION_MODE
- value: REDIRECT
- - name: ISTIO_META_WORKLOAD_NAME
- value: {{.DeploymentName}}
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
- {{- if .Values.global.meshID }}
- - name: ISTIO_META_MESH_ID
- value: "{{ .Values.global.meshID }}"
- {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: ISTIO_META_MESH_ID
- value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
- {{- end }}
- image: {{.ProxyImage}}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- name: istio-proxy
- resources:
- limits:
- cpu: "2"
- memory: 1Gi
- requests:
- cpu: 100m
- memory: 128Mi
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /healthz/ready
- port: 15021
- scheme: HTTP
- initialDelaySeconds: 1
- periodSeconds: 1
- successThreshold: 1
- timeoutSeconds: 1
- readinessProbe:
- failureThreshold: 4
- httpGet:
- path: /healthz/ready
- port: 15021
- scheme: HTTP
- initialDelaySeconds: 0
- periodSeconds: 15
- successThreshold: 1
- timeoutSeconds: 1
- securityContext:
- privileged: true
- runAsGroup: 1337
- runAsUser: 0
- capabilities:
- add:
- - NET_ADMIN
- - NET_RAW
- volumeMounts:
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- - mountPath: /var/lib/istio/data
- name: istio-data
- - mountPath: /etc/istio/proxy
- name: istio-envoy
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- - mountPath: /etc/istio/pod
- name: istio-podinfo
- volumes:
- - emptyDir:
- medium: Memory
- name: istio-envoy
- - emptyDir:
- medium: Memory
- name: go-proxy-envoy
- - emptyDir: {}
- name: istio-data
- - emptyDir: {}
- name: go-proxy-data
- - downwardAPI:
- items:
- - fieldRef:
- fieldPath: metadata.labels
- path: labels
- - fieldRef:
- fieldPath: metadata.annotations
- path: annotations
- name: istio-podinfo
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- audience: istio-ca
- expirationSeconds: 43200
- path: istio-token
- - configMap:
- name: istio-ca-root-cert
- name: istiod-ca-cert
- {{- if .Values.global.imagePullSecrets }}
- imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
- labels:
- {{ toJsonMap .Labels | nindent 4}}
- name: {{.DeploymentName | quote}}
- namespace: {{.Namespace | quote}}
- ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
- kind: Gateway
- name: "{{.Name}}"
- uid: "{{.UID}}"
-spec:
- ports:
- - name: https-hbone
- port: 15008
- protocol: TCP
- appProtocol: https
- selector:
- istio.io/gateway-name: "{{.Name}}"
----
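Review bot: the istio-proxy `securityContext` in this deleted waypoint template set `privileged: true` and `runAsUser: 0` and added `NET_ADMIN` and `NET_RAW`, with no non-root branch like the one in kube-gateway.yaml. Please record in the PR what now renders waypoint Deployments and confirm the replacement was reviewed for the same settings instead of inheriting them unnoticed. Separately, the `go-proxy-envoy` and `go-proxy-data` volumes declared here have no matching entry under `volumeMounts`, so they should not be carried over into whatever replaces this file.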
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt
deleted file mode 100644
index 03cb8192..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt
+++ /dev/null
@@ -1,56 +0,0 @@
-"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
-
-To learn more about the release, try:
- $ helm status {{ .Release.Name }}
- $ helm get all {{ .Release.Name }}
-
-Next steps:
- * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
- * Try out our tasks to get started on common configurations:
- * https://istio.io/latest/docs/tasks/traffic-management
- * https://istio.io/latest/docs/tasks/security/
- * https://istio.io/latest/docs/tasks/policy-enforcement/
- * https://istio.io/latest/docs/tasks/policy-enforcement/
- * Review the list of actively supported releases, CVE publications and our hardening guide:
- * https://istio.io/latest/docs/releases/supported-releases/
- * https://istio.io/latest/news/security/
- * https://istio.io/latest/docs/ops/best-practices/security/
-
-For further documentation see https://istio.io website
-
-{{-
- $deps := dict
- "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
- "global.certificates" "meshConfig.certificates"
- "global.localityLbSetting" "meshConfig.localityLbSetting"
- "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
- "global.enableTracing" "meshConfig.enableTracing"
- "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
- "global.proxy.accessLogFile" "meshConfig.accessLogFile"
- "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
- "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
- "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
- "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
- "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
- "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
- "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
- "global.mtls.enabled" "the PeerAuthentication resource"
- "global.mtls.auto" "meshConfig.enableAutoMtls"
- "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
- "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
- "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
- "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
- "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
- "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
- "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
- "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
- "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
- "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
-}}
-{{- range $dep, $replace := $deps }}
-{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
-{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}}
-{{- if not (eq $res "")}}
-WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl
deleted file mode 100644
index ccf8a077..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl
+++ /dev/null
@@ -1,35 +0,0 @@
-{{/* Prometheus is enabled if its enabled and there are no config overrides set */}}
-{{ define "prometheus" }}
-{{- and
- (not .Values.meshConfig.defaultProviders)
- .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
- (not (or
- .Values.telemetry.v2.prometheus.configOverride.gateway
- .Values.telemetry.v2.prometheus.configOverride.inboundSidecar
- .Values.telemetry.v2.prometheus.configOverride.outboundSidecar
- )) }}
-{{- end }}
-
-{{/* SD has metrics and logging split. Metrics are enabled if SD is enabled and there are no config overrides set */}}
-{{ define "sd-metrics" }}
-{{- and
- (not .Values.meshConfig.defaultProviders)
- .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
- (not (or
- .Values.telemetry.v2.stackdriver.configOverride
- .Values.telemetry.v2.stackdriver.disableOutbound ))
-}}
-{{- end }}
-
-{{/* SD has metrics and logging split. */}}
-{{ define "sd-logs" }}
-{{- and
- (not .Values.meshConfig.defaultProviders)
- .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
- (not (or
- .Values.telemetry.v2.stackdriver.configOverride
- (has .Values.telemetry.v2.stackdriver.outboundAccessLogging (list "" "ERRORS_ONLY"))
- (has .Values.telemetry.v2.stackdriver.inboundAccessLogging (list "" "ALL"))
- .Values.telemetry.v2.stackdriver.disableOutbound ))
-}}
-{{- end }}
\ No newline at end of file
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml
deleted file mode 100644
index 4069bbde..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
-{{- if not .Values.global.autoscalingv2API }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
-spec:
- maxReplicas: {{ .Values.pilot.autoscaleMax }}
- minReplicas: {{ .Values.pilot.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
----
-{{- else }}
-{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
-apiVersion: autoscaling/v2
-{{- else }}
-apiVersion: autoscaling/v2beta2
-{{- end }}
-kind: HorizontalPodAutoscaler
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
-spec:
- maxReplicas: {{ .Values.pilot.autoscaleMax }}
- minReplicas: {{ .Values.pilot.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- target:
- type: Utilization
- averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
----
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml
deleted file mode 100644
index e910a317..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml
+++ /dev/null
@@ -1,147 +0,0 @@
-{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-rules:
- # sidecar injection controller
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update", "patch"]
-
- # configuration validation webhook controller
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update"]
-
- # istio configuration
- # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
- # please proceed with caution
- - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
- verbs: ["get", "watch", "list"]
- resources: ["*"]
-{{- if .Values.global.istiod.enableAnalysis }}
- - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
- verbs: ["update"]
- # TODO: should be on just */status but wildcard is not supported
- resources: ["*"]
-{{- end }}
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "workloadentries" ]
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "workloadentries/status" ]
-
- # auto-detect installed CRD definitions
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
-
- # discovery and routing
- - apiGroups: [""]
- resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
-
- # ingress controller
-{{- if .Values.global.istiod.enableAnalysis }}
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["*"]
-{{- end}}
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses", "ingressclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["*"]
-
- # required for CA's namespace controller
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "list", "watch", "update"]
-
- # Istiod and bootstrap.
-{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
-{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
- - apiGroups: ["certificates.k8s.io"]
- resources:
- - "certificatesigningrequests"
- - "certificatesigningrequests/approval"
- - "certificatesigningrequests/status"
- verbs: ["update", "create", "get", "delete", "watch"]
- - apiGroups: ["certificates.k8s.io"]
- resources:
- - "signers"
- resourceNames:
- - "kubernetes.io/legacy-unknown"
-{{- range .Values.global.certSigners }}
- - {{ . | quote }}
-{{- end }}
- verbs: ["approve"]
-{{- end}}
-
- # Used by Istiod to verify the JWT tokens
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
-
- # Used by Istiod to verify gateway SDS
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
-
- # Use for Kubernetes Service APIs
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
- resources: ["*"]
- verbs: ["get", "watch", "list"]
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
- resources: ["*"] # TODO: should be on just */status but wildcard is not supported
- verbs: ["update", "patch"]
- - apiGroups: ["gateway.networking.k8s.io"]
- resources: ["gatewayclasses"]
- verbs: ["create", "update", "patch", "delete"]
-
- # Needed for multicluster secret reading, possibly ingress certs in the future
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
-
- # Used for MCS serviceexport management
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceexports"]
- verbs: [ "get", "watch", "list", "create", "delete"]
-
- # Used for MCS serviceimport management
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceimports"]
- verbs: ["get", "watch", "list"]
----
-{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-rules:
- - apiGroups: ["apps"]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "deployments" ]
- - apiGroups: [""]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "services" ]
- - apiGroups: [""]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "serviceaccounts"]
-{{- end }}
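Review bot: missing cleanup documentation for the cluster-scoped RBAC this template created. The `istiod-clusterrole` rules include cluster-wide `get`, `watch` and `list` on `secrets`, `verbs: ["*"]` on `ingresses/status`, and `resources: ["*"]` with `update` and `patch` on the gateway API groups. Removing the template from the repository does not remove a ClusterRole that was already applied. Add a note listing the two ClusterRoles (name prefixes `istiod-clusterrole` and `istiod-gateway-controller`) that operators should delete or verify, so these grants do not outlive the chart.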
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml
deleted file mode 100644
index f6e42521..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
----
-{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
-- kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
-{{- end }}
\ No newline at end of file
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml
deleted file mode 100644
index 7b719ac7..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.pilot.jwksResolverExtraRootCA }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
-data:
- extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml
deleted file mode 100644
index d5504047..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
-{{- define "mesh" }}
- # The trust domain corresponds to the trust root of a system.
- # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
- trustDomain: "cluster.local"
-
- # The namespace to treat as the administrative root namespace for Istio configuration.
- # When processing a leaf namespace Istio will search for declarations in that namespace first
- # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
- # is processed as if it were declared in the leaf namespace.
- rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
-
- {{ $prom := include "prometheus" . | eq "true" }}
- {{ $sdMetrics := include "sd-metrics" . | eq "true" }}
- {{ $sdLogs := include "sd-logs" . | eq "true" }}
- {{- if or $prom $sdMetrics $sdLogs }}
- defaultProviders:
- {{- if or $prom $sdMetrics }}
- metrics:
- {{ if $prom }}- prometheus{{ end }}
- {{ if $sdMetrics }}- stackdriver{{ end }}
- {{- end }}
- {{- if $sdLogs }}
- accessLogging:
- - stackdriver
- {{- end }}
- {{- end }}
-
- defaultConfig:
- {{- if .Values.global.meshID }}
- meshId: "{{ .Values.global.meshID }}"
- {{- end }}
- {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
- image:
- imageType: {{. | quote}}
- {{- end }}
- tracing:
- {{- if eq .Values.global.proxy.tracer "lightstep" }}
- lightstep:
- # Address of the LightStep Satellite pool
- address: {{ .Values.global.tracer.lightstep.address }}
- # Access Token used to communicate with the Satellite pool
- accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
- {{- else if eq .Values.global.proxy.tracer "zipkin" }}
- zipkin:
- # Address of the Zipkin collector
- address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
- {{- else if eq .Values.global.proxy.tracer "datadog" }}
- datadog:
- # Address of the Datadog Agent
- address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
- {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
- stackdriver:
- # enables trace output to stdout.
- {{- if $.Values.global.tracer.stackdriver.debug }}
- debug: {{ $.Values.global.tracer.stackdriver.debug }}
- {{- end }}
- {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
- # The global default max number of attributes per span.
- maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
- {{- end }}
- {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
- # The global default max number of annotation events per span.
- maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
- {{- end }}
- {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
- # The global default max number of message events per span.
- maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
- {{- end }}
- {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
- {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
-{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
- {{- else }}
- {}
- {{- end }}
- {{- if .Values.global.remotePilotAddress }}
- {{- if .Values.pilot.enabled }}
- discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
- {{- else }}
- discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
- {{- end }}
- {{- else }}
- discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
- {{- end }}
-{{- end }}
-
-{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
-{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
-{{- $originalMesh := include "mesh" . | fromYaml }}
-{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
-
-{{- if .Values.pilot.configMap }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- release: {{ .Release.Name }}
-data:
-
- # Configuration file for the mesh networks to be used by the Split Horizon EDS.
- meshNetworks: |-
- {{- if .Values.global.meshNetworks }}
- networks:
-{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
- {{- else }}
- networks: {}
- {{- end }}
-
- mesh: |-
-{{- if .Values.meshConfig }}
-{{ $mesh | toYaml | indent 4 }}
-{{- else }}
-{{- include "mesh" . }}
-{{- end }}
----
-{{- end }}
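Review bot: In the lightstep branch of the `mesh` define, `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` is rendered into the `mesh` data of the `istio` ConfigMap, so the token is stored as plain ConfigMap data rather than in a Secret. Since the template is being deleted, check whether any values file left in the repo still sets `global.tracer.lightstep.accessToken`, and remove that value in the same change.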
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
deleted file mode 100644
index 1aa80206..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
+++ /dev/null
@@ -1,258 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: istiod
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- istio: pilot
- release: {{ .Release.Name }}
-{{- range $key, $val := .Values.pilot.deploymentLabels }}
- {{ $key }}: "{{ $val }}"
-{{- end }}
-spec:
-{{- if not .Values.pilot.autoscaleEnabled }}
-{{- if .Values.pilot.replicaCount }}
- replicas: {{ .Values.pilot.replicaCount }}
-{{- end }}
-{{- end }}
- strategy:
- rollingUpdate:
- maxSurge: {{ .Values.pilot.rollingMaxSurge }}
- maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
- selector:
- matchLabels:
- {{- if ne .Values.revision "" }}
- app: istiod
- istio.io/rev: {{ .Values.revision | default "default" }}
- {{- else }}
- istio: pilot
- {{- end }}
- template:
- metadata:
- labels:
- app: istiod
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- sidecar.istio.io/inject: "false"
- operator.istio.io/component: "Pilot"
- {{- if ne .Values.revision "" }}
- istio: istiod
- {{- else }}
- istio: pilot
- {{- end }}
- {{- range $key, $val := .Values.pilot.podLabels }}
- {{ $key }}: "{{ $val }}"
- {{- end }}
- annotations:
- {{- if .Values.meshConfig.enablePrometheusMerge }}
- prometheus.io/port: "15014"
- prometheus.io/scrape: "true"
- {{- end }}
- ambient.istio.io/redirection: disabled
- sidecar.istio.io/inject: "false"
- {{- if .Values.pilot.podAnnotations }}
-{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
- {{- end }}
- spec:
-{{- if .Values.pilot.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
-{{- end }}
-{{- with .Values.pilot.affinity }}
- affinity:
-{{- toYaml . | nindent 8 }}
-{{- end }}
-{{- with .Values.pilot.tolerations }}
- tolerations:
-{{- toYaml . | nindent 8 }}
-{{- end }}
- serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- securityContext:
- fsGroup: 1337
- containers:
- - name: discovery
-{{- if contains "/" .Values.pilot.image }}
- image: "{{ .Values.pilot.image }}"
-{{- else }}
- image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}"
-{{- end }}
-{{- if .Values.global.imagePullPolicy }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-{{- end }}
- args:
- - "discovery"
- - --monitoringAddr=:15014
-{{- if .Values.global.logging.level }}
- - --log_output_level={{ .Values.global.logging.level }}
-{{- end}}
-{{- if .Values.global.logAsJson }}
- - --log_as_json
-{{- end }}
- - --domain
- - {{ .Values.global.proxy.clusterDomain }}
-{{- if .Values.global.oneNamespace }}
- - "-a"
- - {{ .Release.Namespace }}
-{{- end }}
-{{- if .Values.pilot.plugins }}
- - --plugins={{ .Values.pilot.plugins }}
-{{- end }}
- - --keepaliveMaxServerConnectionAge
- - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
- ports:
- - containerPort: 8080
- protocol: TCP
- - containerPort: 15010
- protocol: TCP
- - containerPort: 15017
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /ready
- port: 8080
- initialDelaySeconds: 1
- periodSeconds: 3
- timeoutSeconds: 5
- env:
- - name: REVISION
- value: "{{ .Values.revision | default `default` }}"
- - name: JWT_POLICY
- value: {{ .Values.global.jwtPolicy }}
- - name: PILOT_CERT_PROVIDER
- value: {{ .Values.global.pilotCertProvider }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.serviceAccountName
- - name: KUBECONFIG
- value: /var/run/secrets/remote/config
- {{- if .Values.pilot.env }}
- {{- range $key, $val := .Values.pilot.env }}
- - name: {{ $key }}
- value: "{{ $val }}"
- {{- end }}
- {{- end }}
-{{- if semverCompare "<1.19" .Capabilities.KubeVersion.GitVersion }}
- - name: ENABLE_LEGACY_FSGROUP_INJECTION
- value: "true"
-{{- end }}
-{{- if .Values.pilot.traceSampling }}
- - name: PILOT_TRACE_SAMPLING
- value: "{{ .Values.pilot.traceSampling }}"
-{{- end }}
- - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
- value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
- - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
- value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
- - name: ISTIOD_ADDR
- value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
- - name: PILOT_ENABLE_ANALYSIS
- value: "{{ .Values.global.istiod.enableAnalysis }}"
- - name: CLUSTER_ID
- value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
- - name: GOMEMLIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.memory
- resources:
-{{- if .Values.pilot.resources }}
-{{ toYaml .Values.pilot.resources | trim | indent 12 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
-{{- end }}
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsUser: 1337
- runAsGroup: 1337
- runAsNonRoot: true
- capabilities:
- drop:
- - ALL
-{{- if .Values.pilot.seccompProfile }}
- seccompProfile:
-{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }}
-{{- end }}
- volumeMounts:
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- mountPath: /var/run/secrets/tokens
- readOnly: true
- {{- end }}
- - name: local-certs
- mountPath: /var/run/secrets/istio-dns
- - name: cacerts
- mountPath: /etc/cacerts
- readOnly: true
- - name: istio-kubeconfig
- mountPath: /var/run/secrets/remote
- readOnly: true
- {{- if .Values.pilot.jwksResolverExtraRootCA }}
- - name: extracacerts
- mountPath: /cacerts
- {{- end }}
- - name: istio-csr-dns-cert
- mountPath: /var/run/secrets/istiod/tls
- readOnly: true
- - name: istio-csr-ca-configmap
- mountPath: /var/run/secrets/istiod/ca
- readOnly: true
- volumes:
- # Technically not needed on this pod - but it helps debugging/testing SDS
- # Should be removed after everything works.
- - emptyDir:
- medium: Memory
- name: local-certs
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- audience: {{ .Values.global.sds.token.aud }}
- expirationSeconds: 43200
- path: istio-token
- {{- end }}
- # Optional: user-generated root
- - name: cacerts
- secret:
- secretName: cacerts
- optional: true
- - name: istio-kubeconfig
- secret:
- secretName: istio-kubeconfig
- optional: true
- # Optional: istio-csr dns pilot certs
- - name: istio-csr-dns-cert
- secret:
- secretName: istiod-tls
- optional: true
- - name: istio-csr-ca-configmap
- configMap:
- name: istio-ca-root-cert
- defaultMode: 420
- optional: true
- {{- if .Values.pilot.jwksResolverExtraRootCA }}
- - name: extracacerts
- configMap:
- name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- end }}
-
----
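Review bot: The securityContext of the `discovery` container (allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, runAsNonRoot: true, capabilities drop ALL) is deleted along with the whole file, so the diff alone cannot show whether istiod keeps that hardening. Link the replacement manifest or chart version in the description and confirm these four settings are still rendered.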
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml
deleted file mode 100644
index 69522c67..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-{{- if not .Values.global.omitSidecarInjectorConfigMap }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- release: {{ .Release.Name }}
-data:
-{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
- values: |-
-{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
-
- # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
- # and istiod webhook functionality.
- #
- # New fields should not use Values - it is a 'primary' config object, users should be able
- # to fine tune it or use it with kube-inject.
- config: |-
- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
- {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
- defaultTemplates:
-{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
- - {{ . }}
-{{- end }}
- {{- else }}
- defaultTemplates: [sidecar]
- {{- end }}
- policy: {{ .Values.global.proxy.autoInject }}
- alwaysInjectSelector:
-{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
- neverInjectSelector:
-{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
- injectedAnnotations:
- {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
- "{{ $key }}": {{ $val | quote }}
- {{- end }}
- {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
- which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
- This should make it obvious that their installation is broken.
- */}}
- template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
- templates:
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
- sidecar: |
-{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
- gateway: |
-{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
- grpc-simple: |
-{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
- grpc-agent: |
-{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
- waypoint: |
-{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
- kube-gateway: |
-{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
-{{- end }}
-{{- with .Values.sidecarInjectorWebhook.templates }}
-{{ toYaml . | trim | indent 6 }}
-{{- end }}
-
-{{- end }}
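Review bot: The `templates:` block loads six files with `.Files.Get` (files/injection-template.yaml, files/gateway-injection-template.yaml, files/grpc-simple.yaml, files/grpc-agent.yaml, files/waypoint.yaml, files/kube-gateway.yaml), and this hunk removes only the template that reads them. Confirm the chart's files/ directory is deleted in the same commit so no orphaned injection templates stay in the tree.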
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml
deleted file mode 100644
index fbffdd65..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml
+++ /dev/null
@@ -1,152 +0,0 @@
-{{- /* Core defines the common configuration used by all webhook segments */}}
-{{/* Copy just what we need to avoid expensive deepCopy */}}
-{{- $whv := dict
- "revision" .Values.revision
- "injectionPath" .Values.istiodRemote.injectionPath
- "injectionURL" .Values.istiodRemote.injectionURL
- "namespace" .Release.Namespace }}
-{{- define "core" }}
-{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
-a unique prefix to each. */}}
-- name: {{.Prefix}}sidecar-injector.istio.io
- clientConfig:
- {{- if .injectionURL }}
- url: "{{ .injectionURL }}"
- {{- else }}
- service:
- name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
- namespace: {{ .namespace }}
- path: "{{ .injectionPath }}"
- port: 443
- {{- end }}
- sideEffects: None
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- failurePolicy: Fail
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
-{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
-{{- if not .Values.global.operatorManageWebhooks }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-{{- if eq .Release.Namespace "istio-system"}}
- name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-{{- else }}
- name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-{{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- app: sidecar-injector
- release: {{ .Release.Name }}
-webhooks:
-{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
-
-{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
-{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- {{- if (eq .Values.revision "") }}
- - "default"
- {{- else }}
- - "{{ .Values.revision }}"
- {{- end }}
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-
-{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: DoesNotExist
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
- - key: istio.io/rev
- operator: In
- values:
- {{- if (eq .Values.revision "") }}
- - "default"
- {{- else }}
- - "{{ .Values.revision }}"
- {{- end }}
-
-
-{{- /* Webhooks for default revision */}}
-{{- if (eq .Values.revision "") }}
-
-{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: In
- values:
- - enabled
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-
-{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: In
- values:
- - "true"
- - key: istio.io/rev
- operator: DoesNotExist
-
-{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
-{{- /* Special case 3: no labels at all */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- - key: "kubernetes.io/metadata.name"
- operator: "NotIn"
- values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
-{{- end }}
-
-{{- end }}
-{{- end }}
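Review bot: The `core` define sets `failurePolicy: Fail` for pod CREATE, so a MutatingWebhookConfiguration installed from this template rejects pod creation in the selected namespaces whenever the istiod service it targets is unavailable. If this removal is more than a source-tree cleanup, the description should give the teardown order (webhook configuration first, then istiod) so live clusters are not left with a failing webhook.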
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml
deleted file mode 100644
index 454737a6..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }}
-apiVersion: policy/v1
-{{- else }}
-apiVersion: policy/v1beta1
-{{- end }}
-kind: PodDisruptionBudget
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: istiod
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- release: {{ .Release.Name }}
- istio: pilot
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: istiod
- {{- if ne .Values.revision "" }}
- istio.io/rev: {{ .Values.revision }}
- {{- else }}
- istio: pilot
- {{- end }}
----
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml
deleted file mode 100644
index 793b75e6..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
-rules:
- - apiGroups:
- - "config.istio.io"
- - "security.istio.io"
- - "networking.istio.io"
- - "authentication.istio.io"
- - "rbac.istio.io"
- resources: ["*"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list" ]
- resources: [ "workloadentries" ]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceexports"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceimports"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["replicasets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
-{{- if .Values.global.externalIstiod }}
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "list", "watch", "update"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update"]
-{{- end}}
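Review bot: The core-group rule lists `secrets` next to endpoints, pods and services with get, list and watch, and the role is bound cluster-wide to istio-reader-service-account by the binding deleted in the next file. When the chart is re-sourced, check whether the reader role still needs `secrets` and record the outcome in the description, since a read-only role that can list every Secret is the item an access review will ask about first.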
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
deleted file mode 100644
index 4f9925c9..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml
deleted file mode 100644
index 8bef5464..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml
+++ /dev/null
@@ -1,140 +0,0 @@
-# Adapted from istio-discovery/templates/mutatingwebhook.yaml
-# Removed paths for legacy and default selectors since a revision tag
-# is inherently created from a specific revision
-{{- $whv := dict
- "revision" .Values.revision
- "injectionPath" .Values.istiodRemote.injectionPath
- "injectionURL" .Values.istiodRemote.injectionURL
- "namespace" .Release.Namespace }}
-{{- define "core" }}
-{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
-a unique prefix to each. */}}
-- name: {{.Prefix}}sidecar-injector.istio.io
- clientConfig:
- {{- if .injectionURL }}
- url: "{{ .injectionURL }}"
- {{- else }}
- service:
- name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
- namespace: {{ .namespace }}
- path: "{{ .injectionPath }}"
- port: 443
- {{- end }}
- sideEffects: None
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- failurePolicy: Fail
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
-{{- range $tagName := $.Values.revisionTags }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-{{- if eq $.Release.Namespace "istio-system"}}
- name: istio-revision-tag-{{ $tagName }}
-{{- else }}
- name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
-{{- end }}
- labels:
- istio.io/tag: {{ $tagName }}
- istio.io/rev: {{ $.Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- app: sidecar-injector
- release: {{ $.Release.Name }}
-webhooks:
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- - "{{ $tagName }}"
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: DoesNotExist
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
- - key: istio.io/rev
- operator: In
- values:
- - "{{ $tagName }}"
-
-{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
-{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
-{{- if (eq $tagName "default") }}
-
-{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: In
- values:
- - enabled
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-
-{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: In
- values:
- - "true"
- - key: istio.io/rev
- operator: DoesNotExist
-
-{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
-{{- /* Special case 3: no labels at all */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- - key: "kubernetes.io/metadata.name"
- operator: "NotIn"
- values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
-{{- end }}
-
-{{- end }}
----
-{{- end }}
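Review bot: the comment at the top of the `default` tag block says these webhooks "should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml", so this deletion should be paired with removing or re-sourcing that file in the same change, otherwise one copy of the selector set is left on its own. Worth recording before it goes: the `auto.` case, enabled by `sidecarInjectorWebhook.enableNamespacesByDefault`, opts every unlabelled namespace into injection except a hard-coded list of four names, so whatever chart replaces this one should be checked for the same exclusion list.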
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml
deleted file mode 100644
index 195bdde4..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-rules:
-# permissions to verify the webhook is ready and rejecting
-# invalid config. We use --server-dry-run so no config is persisted.
-- apiGroups: ["networking.istio.io"]
- verbs: ["create"]
- resources: ["gateways"]
-
-# For storing CA secret
-- apiGroups: [""]
- resources: ["secrets"]
- # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
- verbs: ["create", "get", "watch", "list", "update", "delete"]
-
-# For status controller, so it can delete the distribution report configmap
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["delete"]
-
-# For gateway deployment controller
-- apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "update", "patch", "create"]
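Review bot: the `secrets` rule in this Role grants create, get, watch, list, update and delete on every Secret in the istiod namespace, and the inline TODO about locking it down to `istio-ca-cert` was never resolved. Removing the template from the tree does not remove a Role that was already applied to a cluster, so the change description should state whether this vendored copy was ever installed and, if it was, how the existing Role is cleaned up or narrowed.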
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml
deleted file mode 100644
index 0d700f00..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
-subjects:
- - kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml
deleted file mode 100644
index b5ddf5b6..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- {{- if .Values.pilot.serviceAnnotations }}
- annotations:
-{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- app: istiod
- istio: pilot
- release: {{ .Release.Name }}
-spec:
- ports:
- - port: 15010
- name: grpc-xds # plaintext
- protocol: TCP
- - port: 15012
- name: https-dns # mTLS with k8s-signed cert
- protocol: TCP
- - port: 443
- name: https-webhook # validation and injection
- targetPort: 15017
- protocol: TCP
- - port: 15014
- name: http-monitoring # prometheus stats
- protocol: TCP
- selector:
- app: istiod
- {{- if ne .Values.revision "" }}
- istio.io/rev: {{ .Values.revision }}
- {{- else }}
- # Label used by the 'default' service. For versioned deployments we match with app and version.
- # This avoids default deployment picking the canary
- istio: pilot
- {{- end }}
----
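Review bot: port 15010 (`grpc-xds`) is annotated `# plaintext` and is published on the same Service as the mTLS port 15012. If istiod is still deployed from another copy of this chart, confirm which copy is the source of truth and whether the plaintext XDS port needs to be exposed there at all. Minor: `metadata.namespace` here is `.Release.Namespace`, while the Role, RoleBinding and ServiceAccount templates in this directory use `.Values.global.istioNamespace`, and the two values can differ.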
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml
deleted file mode 100644
index ee6cbc32..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
----
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml
deleted file mode 100644
index 8374fc05..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml
+++ /dev/null
@@ -1,616 +0,0 @@
-{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
-{{ $prom := not (include "prometheus" . | eq "true") }}
-{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }}
-{{ $sdLogs := not (include "sd-logs" . | eq "true") }}
----
-# Note: http stats filter is wasm enabled only in sidecars.
-{{- if and .Values.telemetry.v2.prometheus.enabled $prom }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stats_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {
- "debug": "false",
- "stat_prefix": "istio"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stats_outbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: envoy.wasm.stats
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stats_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {
- "debug": "false",
- "stat_prefix": "istio",
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stats_inbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: envoy.wasm.stats
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stats_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {
- "debug": "false",
- "stat_prefix": "istio",
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stats_outbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: envoy.wasm.stats
- {{- end }}
----
-# Note: tcp stats filter is wasm enabled only in sidecars.
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stats_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {
- "debug": "false",
- "stat_prefix": "istio"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: tcp_stats_inbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: "envoy.wasm.stats"
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stats_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {
- "debug": "false",
- "stat_prefix": "istio"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: tcp_stats_outbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: "envoy.wasm.stats"
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stats_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {
- "debug": "false",
- "stat_prefix": "istio"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: tcp_stats_outbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: "envoy.wasm.stats"
- {{- end }}
----
-{{- end }}
-{{/*TODO: this is broken, we do not handle the split quite right! */}}
-{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
-{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
-{{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-sampling-accesslog-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "istio.stackdriver"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.access_log
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {
- "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
- }
- vm_config:
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: "envoy.wasm.access_log_policy" }
----
-{{- end }}
-{{- end }}
-{{- end }}
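Review bot: in the `stackdriver-sampling-accesslog-filter-1.16` patch, `proxyVersion: '1\.16.*'` lacks the leading `^` that every other match in this file carries (`'^1\.16.*'`), so that one filter is selected by a looser pattern than its siblings. The stackdriver block is also gated on `and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics` under a `TODO: this is broken, we do not handle the split quite right!` comment. Neither matters once the file is gone, but if these filters are still rendered from another copy of the chart, check that copy for both before relying on it.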
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml
deleted file mode 100644
index 990d817c..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml
+++ /dev/null
@@ -1,486 +0,0 @@
-{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
-{{ $prom := not (include "prometheus" . | eq "true") }}
-{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }}
-{{ $sdLogs := not (include "sd-logs" . | eq "true") }}
----
-# Note: http stats filter is wasm enabled only in sidecars.
-{{- if and .Values.telemetry.v2.prometheus.enabled $prom }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
----
-# Note: tcp stats filter is wasm enabled only in sidecars.
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
----
-{{- end }}
-{{/*TODO: this is broken, we do not handle the split quite right! */}}
-{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
-{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
-{{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-sampling-accesslog-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "istio.stackdriver"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.access_log
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {
- "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
- }
- vm_config:
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: "envoy.wasm.access_log_policy" }
----
-{{- end }}
-{{- end }}
-{{- end }}
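Review bot: the `proxyVersion` match in the removed `stackdriver-sampling-accesslog-filter-1.17` patch is `'1\.17.*'`, while every other patch visible in this file uses the anchored form `'^1\.17.*'`. The deletion makes the inconsistency moot in this repository. If EnvoyFilters were ever rendered from this vendored copy, check which pattern the applied objects carry and remove them together with the file, because deleting the template on its own does not delete objects already applied to a cluster.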
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml
deleted file mode 100644
index 736ed586..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml
+++ /dev/null
@@ -1,486 +0,0 @@
-{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
-{{ $prom := not (include "prometheus" . | eq "true") }}
-{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }}
-{{ $sdLogs := not (include "sd-logs" . | eq "true") }}
----
-# Note: http stats filter is wasm enabled only in sidecars.
-{{- if and .Values.telemetry.v2.prometheus.enabled $prom }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
----
-# Note: tcp stats filter is wasm enabled only in sidecars.
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
----
-{{- end }}
-{{/*TODO: this is broken, we do not handle the split quite right! */}}
-{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
-{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
-{{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-sampling-accesslog-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "istio.stackdriver"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.access_log
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {
- "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
- }
- vm_config:
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: "envoy.wasm.access_log_policy" }
----
-{{- end }}
-{{- end }}
-{{- end }}
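Review bot: the stackdriver section of this removed template sits directly under the TODO "this is broken, we do not handle the split quite right!" and is gated on `and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics`, yet nothing visible in the change says whether that path was ever in use or what replaces it. The values.yaml deleted in the same change defaults `stackdriver.enabled: false` and `prometheus.enabled: true`, so, subject to the `prometheus` helper that is not part of this diff, a default render would have produced only `stats-filter-1.18` and `tcp-stats-filter-1.18`. Please state in the description whether anything was deployed from `istio-1.18.2/`, and if so list those object names so they can be checked for leftovers.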
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml
deleted file mode 100644
index 88b9eb7c..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-{{- if .Values.global.configValidation }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
- istio: istiod
- istio.io/rev: {{ .Values.revision | default "default" }}
-webhooks:
- # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
- # are rejecting invalid configs on a per-revision basis.
- - name: rev.validation.istio.io
- clientConfig:
- # Should change from base but cannot for API compat
- {{- if .Values.base.validationURL }}
- url: {{ .Values.base.validationURL }}
- {{- else }}
- service:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- {{- if .Values.base.validateGateway }}
- - gateway.networking.k8s.io
- {{- end }}
- apiVersions:
- - "*"
- resources:
- - "*"
- # Fail open until the validation webhook is ready. The webhook controller
- # will update this to `Fail` and patch in the `caBundle` when the webhook
- # endpoint is ready.
- failurePolicy: Ignore
- sideEffects: None
- admissionReviewVersions: ["v1beta1", "v1"]
- objectSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- {{- if (eq .Values.revision "") }}
- - "default"
- {{- else }}
- - "{{ .Values.revision }}"
- {{- end }}
----
-{{- end }}
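Review bot: the `rev.validation.istio.io` webhook in this removed template is declared with `failurePolicy: Ignore` over `apiVersions: "*"` and `resources: "*"`, and by its own comment only becomes `Fail` once the webhook controller patches it. If any path applied this vendored manifest without that controller running, `security.istio.io` and `networking.istio.io` objects would have been admitted unvalidated. Before merging, confirm that nothing rendered from `istio-1.18.2/` and that the ValidatingWebhookConfiguration actually in the cluster reports `Fail`.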
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml
deleted file mode 100644
index 2c05e3df..00000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml
+++ /dev/null
@@ -1,485 +0,0 @@
-#.Values.pilot for discovery and mesh wide config
-
-## Discovery Settings
-pilot:
- autoscaleEnabled: true
- autoscaleMin: 1
- autoscaleMax: 5
- replicaCount: 1
- rollingMaxSurge: 100%
- rollingMaxUnavailable: 25%
-
- hub: ""
- tag: ""
- variant: ""
-
- # Can be a full hub/image:tag
- image: pilot
- traceSampling: 1.0
-
- # Resources for a small pilot install
- resources:
- requests:
- cpu: 500m
- memory: 2048Mi
-
- # Set to `type: RuntimeDefault` to use the default profile if available.
- seccompProfile: {}
-
- env: {}
-
- cpu:
- targetAverageUtilization: 80
-
- # if protocol sniffing is enabled for outbound
- enableProtocolSniffingForOutbound: true
- # if protocol sniffing is enabled for inbound
- enableProtocolSniffingForInbound: true
-
- nodeSelector: {}
- podAnnotations: {}
- serviceAnnotations: {}
-
- # You can use jwksResolverExtraRootCA to provide a root certificate
- # in PEM format. This will then be trusted by pilot when resolving
- # JWKS URIs.
- jwksResolverExtraRootCA: ""
-
- # This is used to set the source of configuration for
- # the associated address in configSource, if nothing is specified
- # the default MCP is assumed.
- configSource:
- subscribedResources: []
-
- plugins: []
-
- # The following is used to limit how long a sidecar can be connected
- # to a pilot. It balances out load across pilot instances at the cost of
- # increasing system churn.
- keepaliveMaxServerConnectionAge: 30m
-
- # Additional labels to apply to the deployment.
- deploymentLabels: {}
-
- ## Mesh config settings
-
- # Install the mesh config map, generated from values.yaml.
- # If false, pilot wil use default values (by default) or user-supplied values.
- configMap: true
-
- # Additional labels to apply on the pod level for monitoring and logging configuration.
- podLabels: {}
-
-sidecarInjectorWebhook:
- # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
- # always skip the injection on pods that match that label selector, regardless of the global policy.
- # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
- neverInjectSelector: []
- alwaysInjectSelector: []
-
- # injectedAnnotations are additional annotations that will be added to the pod spec after injection
- # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
- #
- # annotations:
- # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
- # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
- #
- # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
- # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
- # injectedAnnotations:
- # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
- # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
- injectedAnnotations: {}
-
- # This enables injection of sidecar in all namespaces,
- # with the exception of namespaces with "istio-injection:disabled" annotation
- # Only one environment should have this enabled.
- enableNamespacesByDefault: false
-
- rewriteAppHTTPProbe: true
-
- # Templates defines a set of custom injection templates that can be used. For example, defining:
- #
- # templates:
- # hello: |
- # metadata:
- # labels:
- # hello: world
- #
- # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
- # being injected with the hello=world labels.
- # This is intended for advanced configuration only; most users should use the built in template
- templates: {}
-
- # Default templates specifies a set of default templates that are used in sidecar injection.
- # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
- # To inject other additional templates, define it using the `templates` option, and add it to
- # the default templates list.
- # For example:
- #
- # templates:
- # hello: |
- # metadata:
- # labels:
- # hello: world
- #
- # defaultTemplates: ["sidecar", "hello"]
- defaultTemplates: []
-istiodRemote:
- # Sidecar injector mutating webhook configuration clientConfig.url value.
- # For example: https://$remotePilotAddress:15017/inject
- # The host should not refer to a service running in the cluster; use a service reference by specifying
- # the clientConfig.service field instead.
- injectionURL: ""
-
- # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
- # Override to pass env variables, for example: /inject/cluster/remote/net/network2
- injectionPath: "/inject"
-telemetry:
- enabled: true
- v2:
- # For Null VM case now.
- # This also enables metadata exchange.
- enabled: true
- metadataExchange:
- # Indicates whether to enable WebAssembly runtime for metadata exchange filter.
- wasmEnabled: false
- # Indicate if prometheus stats filter is enabled or not
- prometheus:
- enabled: true
- # Indicates whether to enable WebAssembly runtime for stats filter.
- wasmEnabled: false
- # overrides stats EnvoyFilter configuration.
- configOverride:
- gateway: {}
- inboundSidecar: {}
- outboundSidecar: {}
- # stackdriver filter settings.
- stackdriver:
- enabled: false
- logging: false
- monitoring: false
- topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
- disableOutbound: false
- # configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
-
- configOverride: {}
- # e.g.
- # disable_server_access_logging: false
- # disable_host_header_fallback: true
- # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
- accessLogPolicy:
- enabled: false
- # To reduce the number of successful logs, default log window duration is
- # set to 12 hours.
- logWindowDuration: "43200s"
-# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
-revision: ""
-
-# Revision tags are aliases to Istio control plane revisions
-revisionTags: []
-
-# For Helm compatibility.
-ownerName: ""
-
-# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
-# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
-meshConfig:
- enablePrometheusMerge: true
-
-global:
- # Used to locate istiod.
- istioNamespace: istio-system
- # List of cert-signers to allow "approve" action in the istio cluster role
- #
- # certSigners:
- # - clusterissuers.cert-manager.io/istio-ca
- certSigners: []
- # enable pod disruption budget for the control plane, which is used to
- # ensure Istio control plane components are gradually upgraded or recovered.
- defaultPodDisruptionBudget:
- enabled: true
- # The values aren't mutable due to a current PodDisruptionBudget limitation
- # minAvailable: 1
-
- # A minimal set of requested resources to applied to all deployments so that
- # Horizontal Pod Autoscaler will be able to function (if set).
- # Each component can overwrite these default values by adding its own resources
- # block in the relevant section below and setting the desired resources values.
- defaultResources:
- requests:
- cpu: 10m
- # memory: 128Mi
- # limits:
- # cpu: 100m
- # memory: 128Mi
-
- # Default hub for Istio images.
- # Releases are published to docker hub under 'istio' project.
- # Dev builds from prow are on gcr.io
- hub: docker.io/istio
- # Default tag for Istio images.
- tag: 1.18.2
- # Variant of the image to use.
- # Currently supported are: [debug, distroless]
- variant: ""
-
- # Specify image pull policy if default behavior isn't desired.
- # Default behavior: latest images will be Always else IfNotPresent.
- imagePullPolicy: ""
-
- # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
- # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
- # - private-registry-key
-
- # Enabled by default in master for maximising testing.
- istiod:
- enableAnalysis: false
-
- # To output all istio components logs in json format by adding --log_as_json argument to each container argument
- logAsJson: false
-
- # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
- # The control plane has different scopes depending on component, but can configure default log level across all components
- # If empty, default scope and level will be used as configured in code
- logging:
- level: "default:info"
-
- omitSidecarInjectorConfigMap: false
-
- # Whether to restrict the applications namespace the controller manages;
- # If not set, controller watches all namespaces
- oneNamespace: false
-
- # Configure whether Operator manages webhook configurations. The current behavior
- # of Istiod is to manage its own webhook configurations.
- # When this option is set as true, Istio Operator, instead of webhooks, manages the
- # webhook configurations. When this option is set as false, webhooks manage their
- # own webhook configurations.
- operatorManageWebhooks: false
-
- # Custom DNS config for the pod to resolve names of services in other
- # clusters. Use this to add additional search domains, and other settings.
- # see
- # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
- # This does not apply to gateway pods as they typically need a different
- # set of DNS settings than the normal application pods (e.g., in
- # multicluster scenarios).
- # NOTE: If using templates, follow the pattern in the commented example below.
- #podDNSSearchNamespaces:
- #- global
- #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
-
- # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
- # system-node-critical, it is better to configure this in order to make sure your Istio pods
- # will not be killed because of low priority class.
- # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
- # for more detail.
- priorityClassName: ""
-
- proxy:
- image: proxyv2
-
- # This controls the 'policy' in the sidecar injector.
- autoInject: enabled
-
- # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
- # cluster domain. Default value is "cluster.local".
- clusterDomain: "cluster.local"
-
- # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
- # not set, then the global "logLevel" will be used.
- componentLogLevel: "misc:error"
-
- # If set, newly injected sidecars will have core dumps enabled.
- enableCoreDump: false
-
- # istio ingress capture allowlist
- # examples:
- # Redirect only selected ports: --includeInboundPorts="80,8080"
- excludeInboundPorts: ""
- includeInboundPorts: "*"
-
- # istio egress capture allowlist
- # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
- # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
- # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
- # be allowed by the sidecar
- includeIPRanges: "*"
- excludeIPRanges: ""
- includeOutboundPorts: ""
- excludeOutboundPorts: ""
-
- # Log level for proxy, applies to gateways and sidecars.
- # Expected values are: trace|debug|info|warning|error|critical|off
- logLevel: warning
-
- #If set to true, istio-proxy container will have privileged securityContext
- privileged: false
-
- # The number of successive failed probes before indicating readiness failure.
- readinessFailureThreshold: 30
-
- # The initial delay for readiness probes in seconds.
- readinessInitialDelaySeconds: 1
-
- # The period between readiness probes.
- readinessPeriodSeconds: 2
-
- # Resources for the sidecar.
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- cpu: 2000m
- memory: 1024Mi
-
- # Default port for Pilot agent health checks. A value of 0 will disable health checking.
- statusPort: 15020
-
- # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
- # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
- tracer: "zipkin"
-
- proxy_init:
- # Base name for the proxy_init container, used to configure iptables.
- image: proxyv2
-
- # configure remote pilot and istiod service and endpoint
- remotePilotAddress: ""
-
- ##############################################################################################
- # The following values are found in other charts. To effectively modify these values, make #
- # make sure they are consistent across your Istio helm charts #
- ##############################################################################################
-
- # The customized CA address to retrieve certificates for the pods in the cluster.
- # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
- # If not set explicitly, default to the Istio discovery address.
- caAddress: ""
-
- # Configure a remote cluster data plane controlled by an external istiod.
- # When set to true, istiod is not deployed locally and only a subset of the other
- # discovery charts are enabled.
- externalIstiod: false
-
- # Configure a remote cluster as the config cluster for an external istiod.
- configCluster: false
-
- # Configure the policy for validating JWT.
- # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
- jwtPolicy: "third-party-jwt"
-
- # Mesh ID means Mesh Identifier. It should be unique within the scope where
- # meshes will interact with each other, but it is not required to be
- # globally/universally unique. For example, if any of the following are true,
- # then two meshes must have different Mesh IDs:
- # - Meshes will have their telemetry aggregated in one place
- # - Meshes will be federated together
- # - Policy will be written referencing one mesh from the other
- #
- # If an administrator expects that any of these conditions may become true in
- # the future, they should ensure their meshes have different Mesh IDs
- # assigned.
- #
- # Within a multicluster mesh, each cluster must be (manually or auto)
- # configured to have the same Mesh ID value. If an existing cluster 'joins' a
- # multicluster mesh, it will need to be migrated to the new mesh ID. Details
- # of migration TBD, and it may be a disruptive operation to change the Mesh
- # ID post-install.
- #
- # If the mesh admin does not specify a value, Istio will use the value of the
- # mesh's Trust Domain. The best practice is to select a proper Trust Domain
- # value.
- meshID: ""
-
- # Configure the mesh networks to be used by the Split Horizon EDS.
- #
- # The following example defines two networks with different endpoints association methods.
- # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
- # mapped to network1. The gateway for this network example is specified by its public IP
- # address and port.
- # The second network, `network2`, in this example is defined differently with all endpoints
- # retrieved through the specified Multi-Cluster registry being mapped to network2. The
- # gateway is also defined differently with the name of the gateway service on the remote
- # cluster. The public IP for the gateway will be determined from that remote service (only
- # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
- # it still need to be configured manually).
- #
- # meshNetworks:
- # network1:
- # endpoints:
- # - fromCidr: "192.168.0.1/24"
- # gateways:
- # - address: 1.1.1.1
- # port: 80
- # network2:
- # endpoints:
- # - fromRegistry: reg1
- # gateways:
- # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
- # port: 443
- #
- meshNetworks: {}
-
- # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
- mountMtlsCerts: false
-
- multiCluster:
- # Set to true to connect two kubernetes clusters via their respective
- # ingressgateway services when pods in each cluster cannot directly
- # talk to one another. All clusters should be using Istio mTLS and must
- # have a shared root CA for this model to work.
- enabled: false
- # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
- # to properly label proxies
- clusterName: ""
-
- # Network defines the network this cluster belong to. This name
- # corresponds to the networks in the map of mesh networks.
- network: ""
-
- # Configure the certificate provider for control plane communication.
- # Currently, two providers are supported: "kubernetes" and "istiod".
- # As some platforms may not have kubernetes signing APIs,
- # Istiod is the default
- pilotCertProvider: istiod
-
- sds:
- # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
- # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
- # JWT is intended for the CA.
- token:
- aud: istio-ca
-
- sts:
- # The service port used by Security Token Service (STS) server to handle token exchange requests.
- # Setting this port to a non-zero value enables STS server.
- servicePort: 0
-
- # The name of the CA for workload certificates.
- # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
- # will be used as the certificates for workloads.
- # The default value is "" and when caName="", the CA will be configured by other
- # mechanisms (e.g., environmental variable CA_PROVIDER).
- caName: ""
-
- # whether to use autoscaling/v2 template for HPA settings
- # for internal usage only, not to be configured by users.
- autoscalingv2API: true
-
-base:
- # For istioctl usage to disable istio config crds in base
- enableIstioConfigCRDs: true
-
- # If enabled, gateway-api types will be validated using the standard upstream validation logic.
- # This is an alternative to deploying the standalone validation server the project provides.
- # This is disabled by default, as the cluster may already have a validation server; while technically
- # it works to have multiple redundant validations, this adds complexity and operational risks.
- # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers.
- validateGateway: false
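Review bot: Missing documentation on where these defaults live after the removal: the deleted lines set `jwtPolicy: "third-party-jwt"`, `pilotCertProvider: istiod` and the SDS token audience `aud: istio-ca`, which the injection templates removed later in this patch read as `.Values.global.jwtPolicy` and `.Values.global.sds.token.aud`. Please state in the change description whether the charts are now taken from an upstream release or dropped entirely, so a reader can tell which token and certificate settings apply once the vendored copy is gone.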
diff --git a/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml b/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml
deleted file mode 100644
index 3e630578..00000000
--- a/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-name: istio-operator
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for deploying Istio operator
-keywords:
- - istio
- - operator
-sources:
- - https://github.com/istio/istio/tree/master/operator
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml b/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml
deleted file mode 100644
index 93ac1de0..00000000
--- a/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-# SYNC WITH manifests/charts/base/files
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: istiooperators.install.istio.io
- labels:
- release: istio
-spec:
- conversion:
- strategy: None
- group: install.istio.io
- names:
- kind: IstioOperator
- listKind: IstioOperatorList
- plural: istiooperators
- singular: istiooperator
- shortNames:
- - iop
- - io
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Istio control plane revision
- jsonPath: .spec.revision
- name: Revision
- type: string
- - description: IOP current state
- jsonPath: .status.status
- name: Status
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- subresources:
- status: {}
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
----
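Review bot: The header comment `# SYNC WITH manifests/charts/base/files` on the first deleted line says a second copy of this CRD is kept elsewhere; please confirm that copy is removed in the same patch, otherwise its sync partner silently disappears. Separately, removing the file from the tree does not remove `istiooperators.install.istio.io` from a cluster that already has it, so the change description should say whether the CRD is expected to stay installed.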
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml
deleted file mode 100644
index c7101ab6..00000000
--- a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml
+++ /dev/null
@@ -1,117 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-rules:
-# istio groups
-- apiGroups:
- - authentication.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - config.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - install.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - networking.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - security.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-# k8s groups
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - '*'
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions.apiextensions.k8s.io
- - customresourcedefinitions
- verbs:
- - '*'
-- apiGroups:
- - apps
- - extensions
- resources:
- - daemonsets
- - deployments
- - deployments/finalizers
- - replicasets
- verbs:
- - '*'
-- apiGroups:
- - autoscaling
- resources:
- - horizontalpodautoscalers
- verbs:
- - '*'
-- apiGroups:
- - monitoring.coreos.com
- resources:
- - servicemonitors
- verbs:
- - get
- - create
- - update
-- apiGroups:
- - policy
- resources:
- - poddisruptionbudgets
- verbs:
- - '*'
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterrolebindings
- - clusterroles
- - roles
- - rolebindings
- verbs:
- - '*'
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - create
- - update
-- apiGroups:
- - ""
- resources:
- - configmaps
- - endpoints
- - events
- - namespaces
- - pods
- - pods/proxy
- - pods/portforward
- - persistentvolumeclaims
- - secrets
- - services
- - serviceaccounts
- - resourcequotas
- verbs:
- - '*'
----
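Review bot: Deleting this template revokes nothing on a cluster where the chart was already applied, and the role it defined is close to cluster-admin: `'*'` verbs on `secrets`, on `clusterroles` and `clusterrolebindings`, and on `mutatingwebhookconfigurations` and `validatingwebhookconfigurations`. The change description should say whether the `istio-operator` ClusterRole is uninstalled as part of this removal and how to check for a leftover, for example `kubectl get clusterrole | grep istio-operator`.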
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml
deleted file mode 100644
index a3df073a..00000000
--- a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-subjects:
-- kind: ServiceAccount
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{.Release.Namespace}}
-roleRef:
- kind: ClusterRole
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- apiGroup: rbac.authorization.k8s.io
----
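Review bot: Cleanup that targets the literal name `istio-operator` will miss bindings created with a revision, because the name, the subject and the `roleRef` are all rendered as `istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}`. If the removal is accompanied by an uninstall step, it should enumerate every `istio-operator-<revision>` ClusterRoleBinding and its ServiceAccount in the release namespace, not only the unsuffixed one.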
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml
deleted file mode 100644
index a3703650..00000000
--- a/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-{{- if .Values.enableCRDTemplates -}}
-{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
----
-{{ $.Files.Get $path }}
-{{- end -}}
-{{- end -}}
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml
deleted file mode 100644
index 01830956..00000000
--- a/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- namespace: {{.Release.Namespace}}
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-spec:
- replicas: 1
- revisionHistoryLimit: {{ .Values.deploymentHistory }}
- selector:
- matchLabels:
- name: istio-operator
- template:
- metadata:
- labels:
- name: istio-operator
- {{- range $key, $val := .Values.podLabels }}
- {{ $key }}: "{{ $val }}"
- {{- end }}
- annotations:
- prometheus.io/port: "{{ .Values.operator.monitoring.port }}"
- prometheus.io/scrape: "true"
- {{- if .Values.podAnnotations }}
-{{ toYaml .Values.podAnnotations | indent 8 }}
- {{- end }}
- spec:
- serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- containers:
- - name: istio-operator
- image: {{.Values.hub}}/operator:{{.Values.tag}}
- command:
- - operator
- - server
- - --monitoring-host={{ .Values.operator.monitoring.host }}
- - --monitoring-port={{ .Values.operator.monitoring.port }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 1337
- runAsUser: 1337
- runAsNonRoot: true
-{{- if .Values.operator.seccompProfile }}
- seccompProfile:
-{{ toYaml .Values.operator.seccompProfile | trim | indent 14 }}
-{{- end }}
-{{- if .Values.imagePullPolicy }}
- imagePullPolicy: {{ .Values.imagePullPolicy }}
-{{- end }}
- resources:
-{{ toYaml .Values.operator.resources | trim | indent 12 }}
- env:
- - name: WATCH_NAMESPACE
- value: {{.Values.watchedNamespaces | quote}}
- - name: LEADER_ELECTION_NAMESPACE
- value: {{.Release.Namespace | quote}}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: OPERATOR_NAME
- value: {{.Release.Namespace | quote}}
- - name: WAIT_FOR_RESOURCES_TIMEOUT
- value: {{.Values.waitForResourcesTimeout | quote}}
- - name: REVISION
- value: {{.Values.revision | quote}}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
----
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml
deleted file mode 100644
index e32e8ea0..00000000
--- a/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- namespace: {{.Release.Namespace}}
- labels:
- name: istio-operator
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-spec:
- ports:
- - name: http-metrics
- port: 8383
- targetPort: 8383
- protocol: TCP
- selector:
- name: istio-operator
----
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml
deleted file mode 100644
index fe9d4cf2..00000000
--- a/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- namespace: {{.Release.Namespace}}
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-{{- if .Values.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.imagePullSecrets }}
-- name: {{ . }}
-{{- end }}
-{{- end }}
----
diff --git a/istio-1.18.2/manifests/charts/istio-operator/values.yaml b/istio-1.18.2/manifests/charts/istio-operator/values.yaml
deleted file mode 100644
index d344f093..00000000
--- a/istio-1.18.2/manifests/charts/istio-operator/values.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-hub: docker.io/istio
-tag: 1.18.2
-
-# ImagePullSecrets for operator ServiceAccount, list of secrets in the same namespace
-# used to pull operator image. Must be set for any cluster configured with private docker registry.
-imagePullSecrets: []
-
-# Specify image pull policy if default behavior isn't desired.
-# Default behavior: latest images will be Always else IfNotPresent.
-imagePullPolicy: ""
-
-# Used to replace istioNamespace to support operator watch multiple namespaces.
-watchedNamespaces: istio-system
-waitForResourcesTimeout: 300s
-
-# Used for helm2 to add the CRDs to templates.
-enableCRDTemplates: false
-
-# revision for the operator resources
-revision: ""
-
-# The number of old ReplicaSets to retain in operator deployment
-deploymentHistory: 10
-
-# Operator resource defaults
-operator:
- monitoring:
- host: 127.0.0.1
- port: 15014
- resources:
- limits:
- cpu: 200m
- memory: 256Mi
- requests:
- cpu: 50m
- memory: 128Mi
- # Set to `type: RuntimeDefault` to use the default profile if available.
- seccompProfile: {}
-
-# Node labels for pod assignment
-nodeSelector: {}
-
-# Tolerations for pod assignment
-tolerations: []
-
-# Affinity for pod assignment
-affinity: {}
-
-# Additional labels and annotations to apply on the pod level for monitoring and logging configuration.
-podLabels: {}
-podAnnotations: {}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml b/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml
deleted file mode 100644
index 616ce3fc..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-name: istiod-remote
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for a remote cluster using an external istio control plane
-keywords:
- - istio
- - external-istiod
-sources:
- - https://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt b/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt
deleted file mode 100644
index 0230b6f8..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Install for a remote cluster using an external control plane.
-
-The templates in this directory are copies of base and istio-discovery templates.
-DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen.
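Review bot: The deleted NOTES.txt states that the templates in this directory are copies of the base and istio-discovery templates, written here by `make gen`, so removing the copies alone is not sufficient if that target and its sources remain in the tree. Please confirm in this patch that the generator's inputs are removed as well, otherwise the next `make gen` run recreates `istiod-remote`.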
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml b/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml
deleted file mode 100644
index 5002c03f..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml
+++ /dev/null
@@ -1,237 +0,0 @@
-{{- $containers := list }}
-{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
-metadata:
- labels:
- service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
- service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
- annotations: {
- istio.io/rev: {{ .Revision | default "default" | quote }},
- {{- if eq (len $containers) 1 }}
- kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
- kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
- {{ end }}
- }
-spec:
- containers:
- - name: istio-proxy
- {{- if contains "/" .Values.global.proxy.image }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- ports:
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- args:
- - proxy
- - router
- - --domain
- - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
- {{- if .Values.global.sts.servicePort }}
- - --stsPort={{ .Values.global.sts.servicePort }}
- {{- end }}
- {{- if .Values.global.logAsJson }}
- - --log_as_json
- {{- end }}
- {{- if .Values.global.proxy.lifecycle }}
- lifecycle:
- {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
- {{- end }}
- env:
- - name: JWT_POLICY
- value: {{ .Values.global.jwtPolicy }}
- - name: PILOT_CERT_PROVIDER
- value: {{ .Values.global.pilotCertProvider }}
- - name: CA_ADDR
- {{- if .Values.global.caAddress }}
- value: {{ .Values.global.caAddress }}
- {{- else }}
- value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
- {{- end }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: HOST_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: ISTIO_CPU_LIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.cpu
- - name: PROXY_CONFIG
- value: |
- {{ protoToJSON .ProxyConfig }}
- - name: ISTIO_META_POD_PORTS
- value: |-
- [
- {{- $first := true }}
- {{- range $index1, $c := .Spec.Containers }}
- {{- range $index2, $p := $c.Ports }}
- {{- if (structToJSON $p) }}
- {{if not $first}},{{end}}{{ structToJSON $p }}
- {{- $first = false }}
- {{- end }}
- {{- end}}
- {{- end}}
- ]
- - name: ISTIO_META_APP_CONTAINERS
- value: "{{ $containers | join "," }}"
- - name: ISTIO_META_CLUSTER_ID
- value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: ISTIO_META_INTERCEPTION_MODE
- value: "{{ .ProxyConfig.InterceptionMode.String }}"
- {{- if .Values.global.network }}
- - name: ISTIO_META_NETWORK
- value: "{{ .Values.global.network }}"
- {{- end }}
- {{- if .DeploymentMeta.Name }}
- - name: ISTIO_META_WORKLOAD_NAME
- value: "{{ .DeploymentMeta.Name }}"
- {{ end }}
- {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
- {{- end}}
- {{- if .Values.global.meshID }}
- - name: ISTIO_META_MESH_ID
- value: "{{ .Values.global.meshID }}"
- {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: ISTIO_META_MESH_ID
- value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
- {{- end }}
- {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: TRUST_DOMAIN
- value: "{{ . }}"
- {{- end }}
- {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- readinessProbe:
- httpGet:
- path: /healthz/ready
- port: 15021
- initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
- periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
- timeoutSeconds: 3
- failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
- volumeMounts:
- - name: workload-socket
- mountPath: /var/run/secrets/workload-spiffe-uds
- - name: credential-socket
- mountPath: /var/run/secrets/credential-uds
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- mountPath: /var/run/secrets/workload-spiffe-credentials
- readOnly: true
- {{- else }}
- - name: workload-certs
- mountPath: /var/run/secrets/workload-spiffe-credentials
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- {{- end }}
- - mountPath: /var/lib/istio/data
- name: istio-data
- # SDS channel between istioagent and Envoy
- - mountPath: /etc/istio/proxy
- name: istio-envoy
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- {{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - mountPath: /etc/certs/
- name: istio-certs
- readOnly: true
- {{- end }}
- - name: istio-podinfo
- mountPath: /etc/istio/pod
- volumes:
- - emptyDir: {}
- name: workload-socket
- - emptyDir: {}
- name: credential-socket
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- csi:
- driver: workloadcertificates.security.cloud.google.com
- {{- else}}
- - emptyDir: {}
- name: workload-certs
- {{- end }}
- # SDS channel between istioagent and Envoy
- - emptyDir:
- medium: Memory
- name: istio-envoy
- - name: istio-data
- emptyDir: {}
- - name: istio-podinfo
- downwardAPI:
- items:
- - path: "labels"
- fieldRef:
- fieldPath: metadata.labels
- - path: "annotations"
- fieldRef:
- fieldPath: metadata.annotations
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- path: istio-token
- expirationSeconds: 43200
- audience: {{ .Values.global.sds.token.aud }}
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - name: istiod-ca-cert
- configMap:
- name: istio-ca-root-cert
- {{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - name: istio-certs
- secret:
- optional: true
- {{ if eq .Spec.ServiceAccountName "" }}
- secretName: istio.default
- {{ else -}}
- secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
- {{ end -}}
- {{- end }}
- {{- if .Values.global.imagePullSecrets }}
- imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
- {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
- securityContext:
- fsGroup: 1337
- {{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml b/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml
deleted file mode 100644
index a05fd576..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml
+++ /dev/null
@@ -1,513 +0,0 @@
-{{- define "resources" }}
- {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
- {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
- requests:
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
- cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
- {{ end }}
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
- memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
- {{ end }}
- {{- end }}
- {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
- limits:
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
- cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
- {{ end }}
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
- memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
- {{ end }}
- {{- end }}
- {{- else }}
- {{- if .Values.global.proxy.resources }}
- {{ toYaml .Values.global.proxy.resources | indent 6 }}
- {{- end }}
- {{- end }}
-{{- end }}
-{{- $containers := list }}
-{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
-metadata:
- labels:
- security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
- {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
- networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }}
- {{- end }}
- service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
- service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
- annotations: {
- istio.io/rev: {{ .Revision | default "default" | quote }},
- {{- if ge (len $containers) 1 }}
- {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
- kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
- {{- end }}
- {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
- kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
- {{- end }}
- {{- end }}
-{{- if .Values.istio_cni.enabled }}
- {{- if not .Values.istio_cni.chained }}
- k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
- {{- end }}
- sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
- {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
- {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
- {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }}
- traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
- {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
- traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
- {{- end }}
- {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
- traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
- {{- end }}
- {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
- {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
-{{- end }}
- }
-spec:
- {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
- initContainers:
- {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
- {{ if .Values.istio_cni.enabled -}}
- - name: istio-validation
- {{ else -}}
- - name: istio-init
- {{ end -}}
- {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- args:
- - istio-iptables
- - "-p"
- - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
- - "-z"
- - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
- - "-u"
- - "1337"
- - "-m"
- - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
- - "-i"
- - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
- - "-x"
- - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
- - "-b"
- - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
- - "-d"
- {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
- - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
- {{- else }}
- - "15090,15021"
- {{- end }}
- {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
- - "-q"
- - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
- {{ end -}}
- {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
- - "-o"
- - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
- {{ end -}}
- {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
- - "-k"
- - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
- {{ end -}}
- {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
- - "-c"
- - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
- {{ end -}}
- - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
- {{ if .Values.global.logAsJson -}}
- - "--log_as_json"
- {{ end -}}
- {{ if .Values.istio_cni.enabled -}}
- - "--run-validation"
- - "--skip-rule-apply"
- {{ end -}}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- {{- if .ProxyConfig.ProxyMetadata }}
- env:
- {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{- end }}
- resources:
- {{ template "resources" . }}
- securityContext:
- allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
- privileged: {{ .Values.global.proxy.privileged }}
- capabilities:
- {{- if not .Values.istio_cni.enabled }}
- add:
- - NET_ADMIN
- - NET_RAW
- {{- end }}
- drop:
- - ALL
- {{- if not .Values.istio_cni.enabled }}
- readOnlyRootFilesystem: false
- runAsGroup: 0
- runAsNonRoot: false
- runAsUser: 0
- {{- else }}
- readOnlyRootFilesystem: true
- runAsGroup: 1337
- runAsUser: 1337
- runAsNonRoot: true
- {{- end }}
- {{ end -}}
- {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- - name: enable-core-dump
- args:
- - -c
- - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
- command:
- - /bin/sh
- {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- resources:
- {{ template "resources" . }}
- securityContext:
- allowPrivilegeEscalation: true
- capabilities:
- add:
- - SYS_ADMIN
- drop:
- - ALL
- privileged: true
- readOnlyRootFilesystem: false
- runAsGroup: 0
- runAsNonRoot: false
- runAsUser: 0
- {{ end }}
- containers:
- - name: istio-proxy
- {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- ports:
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- args:
- - proxy
- - sidecar
- - --domain
- - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
- {{- if .Values.global.sts.servicePort }}
- - --stsPort={{ .Values.global.sts.servicePort }}
- {{- end }}
- {{- if .Values.global.logAsJson }}
- - --log_as_json
- {{- end }}
- {{- if .Values.global.proxy.lifecycle }}
- lifecycle:
- {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
- {{- else if $holdProxy }}
- lifecycle:
- postStart:
- exec:
- command:
- - pilot-agent
- - wait
- {{- end }}
- env:
- {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
- value: "true"
- {{- end }}
- - name: JWT_POLICY
- value: {{ .Values.global.jwtPolicy }}
- - name: PILOT_CERT_PROVIDER
- value: {{ .Values.global.pilotCertProvider }}
- - name: CA_ADDR
- {{- if .Values.global.caAddress }}
- value: {{ .Values.global.caAddress }}
- {{- else }}
- value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
- {{- end }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: HOST_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: ISTIO_CPU_LIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.cpu
- - name: PROXY_CONFIG
- value: |
- {{ protoToJSON .ProxyConfig }}
- - name: ISTIO_META_POD_PORTS
- value: |-
- [
- {{- $first := true }}
- {{- range $index1, $c := .Spec.Containers }}
- {{- range $index2, $p := $c.Ports }}
- {{- if (structToJSON $p) }}
- {{if not $first}},{{end}}{{ structToJSON $p }}
- {{- $first = false }}
- {{- end }}
- {{- end}}
- {{- end}}
- ]
- - name: ISTIO_META_APP_CONTAINERS
- value: "{{ $containers | join "," }}"
- - name: ISTIO_META_CLUSTER_ID
- value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: ISTIO_META_INTERCEPTION_MODE
- value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
- {{- if .Values.global.network }}
- - name: ISTIO_META_NETWORK
- value: "{{ .Values.global.network }}"
- {{- end }}
- {{- if .DeploymentMeta.Name }}
- - name: ISTIO_META_WORKLOAD_NAME
- value: "{{ .DeploymentMeta.Name }}"
- {{ end }}
- {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
- {{- end}}
- {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- - name: ISTIO_BOOTSTRAP_OVERRIDE
- value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
- {{- end }}
- {{- if .Values.global.meshID }}
- - name: ISTIO_META_MESH_ID
- value: "{{ .Values.global.meshID }}"
- {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: ISTIO_META_MESH_ID
- value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
- {{- end }}
- {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- - name: TRUST_DOMAIN
- value: "{{ . }}"
- {{- end }}
- {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{- end }}
- {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
- readinessProbe:
- httpGet:
- path: /healthz/ready
- port: 15021
- initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
- periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
- timeoutSeconds: 3
- failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
- {{ end -}}
- securityContext:
- {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
- allowPrivilegeEscalation: true
- capabilities:
- add:
- - NET_ADMIN
- drop:
- - ALL
- privileged: true
- readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- runAsGroup: 1337
- runAsNonRoot: false
- runAsUser: 0
- {{- else }}
- allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
- capabilities:
- {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
- add:
- {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
- - NET_ADMIN
- {{- end }}
- {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
- - NET_BIND_SERVICE
- {{- end }}
- {{- end }}
- drop:
- - ALL
- privileged: {{ .Values.global.proxy.privileged }}
- readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- runAsGroup: 1337
- {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
- runAsNonRoot: false
- runAsUser: 0
- {{- else -}}
- runAsNonRoot: true
- runAsUser: 1337
- {{- end }}
- {{- end }}
- resources:
- {{ template "resources" . }}
- volumeMounts:
- - name: workload-socket
- mountPath: /var/run/secrets/workload-spiffe-uds
- - name: credential-socket
- mountPath: /var/run/secrets/credential-uds
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- mountPath: /var/run/secrets/workload-spiffe-credentials
- readOnly: true
- {{- else }}
- - name: workload-certs
- mountPath: /var/run/secrets/workload-spiffe-credentials
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
- - mountPath: /var/run/secrets/istio/kubernetes
- name: kube-ca-cert
- {{- end }}
- - mountPath: /var/lib/istio/data
- name: istio-data
- {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- - mountPath: /etc/istio/custom-bootstrap
- name: custom-bootstrap-volume
- {{- end }}
- # SDS channel between istioagent and Envoy
- - mountPath: /etc/istio/proxy
- name: istio-envoy
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- {{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - mountPath: /etc/certs/
- name: istio-certs
- readOnly: true
- {{- end }}
- - name: istio-podinfo
- mountPath: /etc/istio/pod
- {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
- name: lightstep-certs
- readOnly: true
- {{- end }}
- {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
- {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- - name: "{{ $index }}"
- {{ toYaml $value | indent 6 }}
- {{ end }}
- {{- end }}
- volumes:
- - emptyDir:
- name: workload-socket
- - emptyDir:
- name: credential-socket
- {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- - name: gke-workload-certificate
- csi:
- driver: workloadcertificates.security.cloud.google.com
- {{- else }}
- - emptyDir:
- name: workload-certs
- {{- end }}
- {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- - name: custom-bootstrap-volume
- configMap:
- name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
- {{- end }}
- # SDS channel between istioagent and Envoy
- - emptyDir:
- medium: Memory
- name: istio-envoy
- - name: istio-data
- emptyDir: {}
- - name: istio-podinfo
- downwardAPI:
- items:
- - path: "labels"
- fieldRef:
- fieldPath: metadata.labels
- - path: "annotations"
- fieldRef:
- fieldPath: metadata.annotations
- {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- path: istio-token
- expirationSeconds: 43200
- audience: {{ .Values.global.sds.token.aud }}
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "istiod" }}
- - name: istiod-ca-cert
- configMap:
- name: istio-ca-root-cert
- {{- end }}
- {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
- - name: kube-ca-cert
- configMap:
- name: kube-root-ca.crt
- {{- end }}
- {{- if .Values.global.mountMtlsCerts }}
- # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- - name: istio-certs
- secret:
- optional: true
- {{ if eq .Spec.ServiceAccountName "" }}
- secretName: istio.default
- {{ else -}}
- secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
- {{ end -}}
- {{- end }}
- {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
- {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- - name: "{{ $index }}"
- {{ toYaml $value | indent 4 }}
- {{ end }}
- {{ end }}
- {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- - name: lightstep-certs
- secret:
- optional: true
- secretName: lightstep.cacert
- {{- end }}
- {{- if .Values.global.imagePullSecrets }}
- imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
- {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
- securityContext:
- fsGroup: 1337
- {{- end }}
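Review bot: the pod-annotation overrides in this removed injection template are the part that needs an explicit follow-up, and nothing in the visible hunks says where sidecar injection is rendered from once this copy is gone. The enable-core-dump init container is switched on by `sidecar.istio.io/enableCoreDump` and runs with `privileged: true`, `SYS_ADMIN` and `runAsUser: 0`; `sidecar.istio.io/proxyImage` replaces the proxy image when the value contains a "/"; `sidecar.istio.io/userVolume` and `sidecar.istio.io/userVolumeMount` are passed through `fromJSON` and `toYaml` into the pod spec. Please state in the description which template is in effect after this change and whether admission policy restricts those annotations there, so the privileged paths stay reviewable.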
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl
deleted file mode 100644
index ccf8a077..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl
+++ /dev/null
@@ -1,35 +0,0 @@
-{{/* Prometheus is enabled if its enabled and there are no config overrides set */}}
-{{ define "prometheus" }}
-{{- and
- (not .Values.meshConfig.defaultProviders)
- .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
- (not (or
- .Values.telemetry.v2.prometheus.configOverride.gateway
- .Values.telemetry.v2.prometheus.configOverride.inboundSidecar
- .Values.telemetry.v2.prometheus.configOverride.outboundSidecar
- )) }}
-{{- end }}
-
-{{/* SD has metrics and logging split. Metrics are enabled if SD is enabled and there are no config overrides set */}}
-{{ define "sd-metrics" }}
-{{- and
- (not .Values.meshConfig.defaultProviders)
- .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
- (not (or
- .Values.telemetry.v2.stackdriver.configOverride
- .Values.telemetry.v2.stackdriver.disableOutbound ))
-}}
-{{- end }}
-
-{{/* SD has metrics and logging split. */}}
-{{ define "sd-logs" }}
-{{- and
- (not .Values.meshConfig.defaultProviders)
- .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
- (not (or
- .Values.telemetry.v2.stackdriver.configOverride
- (has .Values.telemetry.v2.stackdriver.outboundAccessLogging (list "" "ERRORS_ONLY"))
- (has .Values.telemetry.v2.stackdriver.inboundAccessLogging (list "" "ALL"))
- .Values.telemetry.v2.stackdriver.disableOutbound ))
-}}
-{{- end }}
\ No newline at end of file
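Review bot: the three named templates defined here ("prometheus", "sd-metrics", "sd-logs") are consumed through `include` by configmap.yaml in the same chart, which this patch also deletes, so the pair is consistent. Before merging, search the remaining tree for any other template that still calls `include "prometheus"`, `include "sd-metrics"` or `include "sd-logs"`, since rendering fails on a missing definition.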
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml
deleted file mode 100644
index 2550df5f..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml
+++ /dev/null
@@ -1,149 +0,0 @@
-{{- if .Values.global.configCluster }}
-{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-rules:
- # sidecar injection controller
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update", "patch"]
-
- # configuration validation webhook controller
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update"]
-
- # istio configuration
- # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
- # please proceed with caution
- - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
- verbs: ["get", "watch", "list"]
- resources: ["*"]
-{{- if .Values.global.istiod.enableAnalysis }}
- - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
- verbs: ["update"]
- # TODO: should be on just */status but wildcard is not supported
- resources: ["*"]
-{{- end }}
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "workloadentries" ]
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "workloadentries/status" ]
-
- # auto-detect installed CRD definitions
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
-
- # discovery and routing
- - apiGroups: [""]
- resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
-
- # ingress controller
-{{- if .Values.global.istiod.enableAnalysis }}
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["*"]
-{{- end}}
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses", "ingressclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["*"]
-
- # required for CA's namespace controller
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "list", "watch", "update"]
-
- # Istiod and bootstrap.
-{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
-{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
- - apiGroups: ["certificates.k8s.io"]
- resources:
- - "certificatesigningrequests"
- - "certificatesigningrequests/approval"
- - "certificatesigningrequests/status"
- verbs: ["update", "create", "get", "delete", "watch"]
- - apiGroups: ["certificates.k8s.io"]
- resources:
- - "signers"
- resourceNames:
- - "kubernetes.io/legacy-unknown"
-{{- range .Values.global.certSigners }}
- - {{ . | quote }}
-{{- end }}
- verbs: ["approve"]
-{{- end}}
-
- # Used by Istiod to verify the JWT tokens
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
-
- # Used by Istiod to verify gateway SDS
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
-
- # Use for Kubernetes Service APIs
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
- resources: ["*"]
- verbs: ["get", "watch", "list"]
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
- resources: ["*"] # TODO: should be on just */status but wildcard is not supported
- verbs: ["update", "patch"]
- - apiGroups: ["gateway.networking.k8s.io"]
- resources: ["gatewayclasses"]
- verbs: ["create", "update", "patch", "delete"]
-
- # Needed for multicluster secret reading, possibly ingress certs in the future
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
-
- # Used for MCS serviceexport management
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceexports"]
- verbs: [ "get", "watch", "list", "create", "delete"]
-
- # Used for MCS serviceimport management
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceimports"]
- verbs: ["get", "watch", "list"]
----
-{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-rules:
- - apiGroups: ["apps"]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "deployments" ]
- - apiGroups: [""]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "services" ]
- - apiGroups: [""]
- verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "serviceaccounts"]
-{{- end }}
-{{- end }}
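Review bot: missing cleanup documentation for the two ClusterRoles defined in this file; deleting the template does not delete objects already applied to a cluster. The first role grants cluster-wide `get`, `watch`, `list` on `secrets`, `update` and `patch` on `mutatingwebhookconfigurations`, and `verbs: ["*"]` on `ingresses/status`; the second grants create and delete on `deployments`, `services` and `serviceaccounts`. Both names are templated with the revision and `.Release.Namespace`, so there can be more than one instance per cluster. Add a note on how existing `istiod-clusterrole...` and `istiod-gateway-controller...` objects are found and removed, or say that no cluster was ever installed from this path.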
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml
deleted file mode 100644
index 932cdce0..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
----
-{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
-- kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
-{{- end }}
-{{- end }}
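Review bot: the subject of both bindings is the `istiod` ServiceAccount in `.Values.global.istioNamespace`, while the binding names are built from `.Release.Namespace`, so a cleanup that looks only at the release namespace can miss a leftover grant. When documenting removal, look up bindings by subject (ServiceAccount `istiod`, with the optional revision suffix) as well as by name, and remove the bindings together with the ClusterRoles they reference so no binding is left pointing at a role that is recreated later under the same name.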
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml
deleted file mode 100644
index d5504047..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
-{{- define "mesh" }}
- # The trust domain corresponds to the trust root of a system.
- # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
- trustDomain: "cluster.local"
-
- # The namespace to treat as the administrative root namespace for Istio configuration.
- # When processing a leaf namespace Istio will search for declarations in that namespace first
- # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
- # is processed as if it were declared in the leaf namespace.
- rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
-
- {{ $prom := include "prometheus" . | eq "true" }}
- {{ $sdMetrics := include "sd-metrics" . | eq "true" }}
- {{ $sdLogs := include "sd-logs" . | eq "true" }}
- {{- if or $prom $sdMetrics $sdLogs }}
- defaultProviders:
- {{- if or $prom $sdMetrics }}
- metrics:
- {{ if $prom }}- prometheus{{ end }}
- {{ if $sdMetrics }}- stackdriver{{ end }}
- {{- end }}
- {{- if $sdLogs }}
- accessLogging:
- - stackdriver
- {{- end }}
- {{- end }}
-
- defaultConfig:
- {{- if .Values.global.meshID }}
- meshId: "{{ .Values.global.meshID }}"
- {{- end }}
- {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
- image:
- imageType: {{. | quote}}
- {{- end }}
- tracing:
- {{- if eq .Values.global.proxy.tracer "lightstep" }}
- lightstep:
- # Address of the LightStep Satellite pool
- address: {{ .Values.global.tracer.lightstep.address }}
- # Access Token used to communicate with the Satellite pool
- accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
- {{- else if eq .Values.global.proxy.tracer "zipkin" }}
- zipkin:
- # Address of the Zipkin collector
- address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
- {{- else if eq .Values.global.proxy.tracer "datadog" }}
- datadog:
- # Address of the Datadog Agent
- address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
- {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
- stackdriver:
- # enables trace output to stdout.
- {{- if $.Values.global.tracer.stackdriver.debug }}
- debug: {{ $.Values.global.tracer.stackdriver.debug }}
- {{- end }}
- {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
- # The global default max number of attributes per span.
- maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
- {{- end }}
- {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
- # The global default max number of annotation events per span.
- maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
- {{- end }}
- {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
- # The global default max number of message events per span.
- maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
- {{- end }}
- {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
- {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
-{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
- {{- else }}
- {}
- {{- end }}
- {{- if .Values.global.remotePilotAddress }}
- {{- if .Values.pilot.enabled }}
- discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
- {{- else }}
- discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
- {{- end }}
- {{- else }}
- discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
- {{- end }}
-{{- end }}
-
-{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
-{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
-{{- $originalMesh := include "mesh" . | fromYaml }}
-{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
-
-{{- if .Values.pilot.configMap }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- release: {{ .Release.Name }}
-data:
-
- # Configuration file for the mesh networks to be used by the Split Horizon EDS.
- meshNetworks: |-
- {{- if .Values.global.meshNetworks }}
- networks:
-{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
- {{- else }}
- networks: {}
- {{- end }}
-
- mesh: |-
-{{- if .Values.meshConfig }}
-{{ $mesh | toYaml | indent 4 }}
-{{- else }}
-{{- include "mesh" . }}
-{{- end }}
----
-{{- end }}
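Review bot: the removal of this template, which renders the `istio` ConfigMap (the `mesh` and `meshNetworks` keys and the `discoveryAddress` on port 15012), comes with no visible explanation or replacement. Since the whole file is deleted together with the rest of the `istio-1.18.2/` tree, the commit message should say whether that tree was a downloaded release committed by mistake or something the repository actually consumed. If any script, Makefile target or CI step still reads charts from `istio-1.18.2/manifests/charts/`, update it in the same change so that the deletion and the new chart source land together. If nothing references it, one line saying so would let a reviewer approve the removal without reading the deleted files.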
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml
deleted file mode 100644
index 27259265..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml
+++ /dev/null
@@ -1,7201 +0,0 @@
-{{- if .Values.global.configCluster }}
-# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: wasmplugins.extensions.istio.io
-spec:
- group: extensions.istio.io
- names:
- categories:
- - istio-io
- - extensions-istio-io
- kind: WasmPlugin
- listKind: WasmPluginList
- plural: wasmplugins
- singular: wasmplugin
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Extend the functionality provided by the Istio proxy through
- WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
- properties:
- imagePullPolicy:
- enum:
- - UNSPECIFIED_POLICY
- - IfNotPresent
- - Always
- type: string
- imagePullSecret:
- description: Credentials to use for OCI image pulling.
- type: string
- match:
- description: Specifies the criteria to determine which traffic is
- passed to WasmPlugin.
- items:
- properties:
- mode:
- description: Criteria for selecting traffic by their direction.
- enum:
- - UNDEFINED
- - CLIENT
- - SERVER
- - CLIENT_AND_SERVER
- type: string
- ports:
- description: Criteria for selecting traffic by their destination
- port.
- items:
- properties:
- number:
- type: integer
- type: object
- type: array
- type: object
- type: array
- phase:
- description: Determines where in the filter chain this `WasmPlugin`
- is to be injected.
- enum:
- - UNSPECIFIED_PHASE
- - AUTHN
- - AUTHZ
- - STATS
- type: string
- pluginConfig:
- description: The configuration that will be passed on to the plugin.
- type: object
- x-kubernetes-preserve-unknown-fields: true
- pluginName:
- type: string
- priority:
- description: Determines ordering of `WasmPlugins` in the same `phase`.
- nullable: true
- type: integer
- selector:
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- sha256:
- description: SHA256 checksum that will be used to verify Wasm module
- or OCI container.
- type: string
- url:
- description: URL of a Wasm module or OCI container.
- type: string
- verificationKey:
- type: string
- vmConfig:
- description: Configuration for a Wasm VM.
- properties:
- env:
- description: Specifies environment variables to be injected to
- this VM.
- items:
- properties:
- name:
- type: string
- value:
- description: Value for the environment variable.
- type: string
- valueFrom:
- enum:
- - INLINE
- - HOST
- type: string
- type: object
- type: array
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: destinationrules.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: DestinationRule
- listKind: DestinationRuleList
- plural: destinationrules
- shortNames:
- - dr
- singular: destinationrule
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The name of a service from the service registry
- jsonPath: .spec.host
- name: Host
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting load balancing, outlier detection,
- etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
- properties:
- exportTo:
- description: A list of namespaces to which this destination rule is
- exported.
- items:
- type: string
- type: array
- host:
- description: The name of a service from the service registry.
- type: string
- subsets:
- items:
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- name:
- description: Name of the subset.
- type: string
- trafficPolicy:
- description: Traffic policies that apply to this subset.
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should
- be upgraded to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to
- a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will
- be preserved while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the
- socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query
- parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to
- traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list
- of labels used to sort endpoints to do priority
- based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local
- origin failures from external errors.
- type: boolean
- type: object
- portLevelSettings:
- description: Traffic policies specific to individual ports.
- items:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection
- should be upgraded to http2 for the associated
- destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests
- to a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream
- connection pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per
- connection to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol
- will be preserved while initiating connection
- to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and
- TCP upstream connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP
- connections to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE
- on the socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between
- keep-alive probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer
- algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP
- header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP
- query parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev
- hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend
- hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/'
- separated, e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities
- to traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing,
- this is DestinationRule-level and will override
- mesh wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered
- list of labels used to sort endpoints to
- do priority based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of
- Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a
- host is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep
- analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish
- local origin failures from external errors.
- type: boolean
- type: object
- port:
- properties:
- number:
- type: integer
- type: object
- tls:
- description: TLS related settings for connections
- to the upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server
- during TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- tls:
- description: TLS related settings for connections to the
- upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during
- TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- tunnel:
- properties:
- protocol:
- description: Specifies which protocol to use for tunneling
- the downstream connection.
- type: string
- targetHost:
- description: Specifies a host to which the downstream
- connection is tunneled.
- type: string
- targetPort:
- description: Specifies a port to which the downstream
- connection is tunneled.
- type: integer
- type: object
- type: object
- type: object
- type: array
- trafficPolicy:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should be upgraded
- to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will be preserved
- while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the socket
- to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements consistent
- hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer implements
- consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute, failover
- or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to traffic
- distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this is DestinationRule-level
- and will override mesh wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute, failover
- or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list of labels
- used to sort endpoints to do priority based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local origin
- failures from external errors.
- type: boolean
- type: object
- portLevelSettings:
- description: Traffic policies specific to individual ports.
- items:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should
- be upgraded to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to
- a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will
- be preserved while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the
- socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query
- parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to
- traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list
- of labels used to sort endpoints to do priority
- based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local
- origin failures from external errors.
- type: boolean
- type: object
- port:
- properties:
- number:
- type: integer
- type: object
- tls:
- description: TLS related settings for connections to the
- upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during
- TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- tls:
- description: TLS related settings for connections to the upstream
- service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during TLS
- handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- tunnel:
- properties:
- protocol:
- description: Specifies which protocol to use for tunneling
- the downstream connection.
- type: string
- targetHost:
- description: Specifies a host to which the downstream connection
- is tunneled.
- type: string
- targetPort:
- description: Specifies a port to which the downstream connection
- is tunneled.
- type: integer
- type: object
- type: object
- workloadSelector:
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: The name of a service from the service registry
- jsonPath: .spec.host
- name: Host
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting load balancing, outlier detection,
- etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
- properties:
- exportTo:
- description: A list of namespaces to which this destination rule is
- exported.
- items:
- type: string
- type: array
- host:
- description: The name of a service from the service registry.
- type: string
- subsets:
- items:
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- name:
- description: Name of the subset.
- type: string
- trafficPolicy:
- description: Traffic policies that apply to this subset.
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should
- be upgraded to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to
- a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will
- be preserved while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the
- socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query
- parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to
- traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list
- of labels used to sort endpoints to do priority
- based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local
- origin failures from external errors.
- type: boolean
- type: object
- portLevelSettings:
- description: Traffic policies specific to individual ports.
- items:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection
- should be upgraded to http2 for the associated
- destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests
- to a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream
- connection pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per
- connection to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol
- will be preserved while initiating connection
- to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and
- TCP upstream connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP
- connections to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE
- on the socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between
- keep-alive probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer
- algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP
- header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP
- query parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev
- hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend
- hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/'
- separated, e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities
- to traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing,
- this is DestinationRule-level and will override
- mesh wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered
- list of labels used to sort endpoints to
- do priority based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of
- Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a
- host is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep
- analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish
- local origin failures from external errors.
- type: boolean
- type: object
- port:
- properties:
- number:
- type: integer
- type: object
- tls:
- description: TLS related settings for connections
- to the upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server
- during TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- tls:
- description: TLS related settings for connections to the
- upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during
- TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- tunnel:
- properties:
- protocol:
- description: Specifies which protocol to use for tunneling
- the downstream connection.
- type: string
- targetHost:
- description: Specifies a host to which the downstream
- connection is tunneled.
- type: string
- targetPort:
- description: Specifies a port to which the downstream
- connection is tunneled.
- type: integer
- type: object
- type: object
- type: object
- type: array
- trafficPolicy:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should be upgraded
- to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will be preserved
- while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the socket
- to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements consistent
- hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer implements
- consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute, failover
- or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to traffic
- distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this is DestinationRule-level
- and will override mesh wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute, failover
- or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list of labels
- used to sort endpoints to do priority based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local origin
- failures from external errors.
- type: boolean
- type: object
- portLevelSettings:
- description: Traffic policies specific to individual ports.
- items:
- properties:
- connectionPool:
- properties:
- http:
- description: HTTP connection pool settings.
- properties:
- h2UpgradePolicy:
- description: Specify if http1.1 connection should
- be upgraded to http2 for the associated destination.
- enum:
- - DEFAULT
- - DO_NOT_UPGRADE
- - UPGRADE
- type: string
- http1MaxPendingRequests:
- format: int32
- type: integer
- http2MaxRequests:
- description: Maximum number of active requests to
- a destination.
- format: int32
- type: integer
- idleTimeout:
- description: The idle timeout for upstream connection
- pool connections.
- type: string
- maxRequestsPerConnection:
- description: Maximum number of requests per connection
- to a backend.
- format: int32
- type: integer
- maxRetries:
- format: int32
- type: integer
- useClientProtocol:
- description: If set to true, client protocol will
- be preserved while initiating connection to backend.
- type: boolean
- type: object
- tcp:
- description: Settings common to both HTTP and TCP upstream
- connections.
- properties:
- connectTimeout:
- description: TCP connection timeout.
- type: string
- maxConnectionDuration:
- description: The maximum duration of a connection.
- type: string
- maxConnections:
- description: Maximum number of HTTP1 /TCP connections
- to a destination host.
- format: int32
- type: integer
- tcpKeepalive:
- description: If set then set SO_KEEPALIVE on the
- socket to enable TCP Keepalives.
- properties:
- interval:
- description: The time duration between keep-alive
- probes.
- type: string
- probes:
- type: integer
- time:
- type: string
- type: object
- type: object
- type: object
- loadBalancer:
- description: Settings controlling the load balancer algorithms.
- oneOf:
- - not:
- anyOf:
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- - required:
- - simple
- - properties:
- consistentHash:
- allOf:
- - oneOf:
- - not:
- anyOf:
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - required:
- - httpHeaderName
- - required:
- - httpCookie
- - required:
- - useSourceIp
- - required:
- - httpQueryParameterName
- - oneOf:
- - not:
- anyOf:
- - required:
- - ringHash
- - required:
- - maglev
- - required:
- - ringHash
- - required:
- - maglev
- properties:
- minimumRingSize: {}
- required:
- - consistentHash
- properties:
- consistentHash:
- properties:
- httpCookie:
- description: Hash based on HTTP cookie.
- properties:
- name:
- description: Name of the cookie.
- type: string
- path:
- description: Path to set for the cookie.
- type: string
- ttl:
- description: Lifetime of the cookie.
- type: string
- type: object
- httpHeaderName:
- description: Hash based on a specific HTTP header.
- type: string
- httpQueryParameterName:
- description: Hash based on a specific HTTP query
- parameter.
- type: string
- maglev:
- description: The Maglev load balancer implements
- consistent hashing to backend hosts.
- properties:
- tableSize:
- description: The table size for Maglev hashing.
- type: integer
- type: object
- minimumRingSize:
- description: Deprecated.
- type: integer
- ringHash:
- description: The ring/modulo hash load balancer
- implements consistent hashing to backend hosts.
- properties:
- minimumRingSize:
- type: integer
- type: object
- useSourceIp:
- description: Hash based on the source IP address.
- type: boolean
- type: object
- localityLbSetting:
- properties:
- distribute:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated,
- e.g.
- type: string
- to:
- additionalProperties:
- type: integer
- description: Map of upstream localities to
- traffic distribution weights.
- type: object
- type: object
- type: array
- enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
- nullable: true
- type: boolean
- failover:
- description: 'Optional: only one of distribute,
- failover or failoverPriority can be set.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- type: string
- type: object
- type: array
- failoverPriority:
- description: failoverPriority is an ordered list
- of labels used to sort endpoints to do priority
- based load balancing.
- items:
- type: string
- type: array
- type: object
- simple:
- enum:
- - UNSPECIFIED
- - LEAST_CONN
- - RANDOM
- - PASSTHROUGH
- - ROUND_ROBIN
- - LEAST_REQUEST
- type: string
- warmupDurationSecs:
- description: Represents the warmup duration of Service.
- type: string
- type: object
- outlierDetection:
- properties:
- baseEjectionTime:
- description: Minimum ejection duration.
- type: string
- consecutive5xxErrors:
- description: Number of 5xx errors before a host is ejected
- from the connection pool.
- nullable: true
- type: integer
- consecutiveErrors:
- format: int32
- type: integer
- consecutiveGatewayErrors:
- description: Number of gateway errors before a host
- is ejected from the connection pool.
- nullable: true
- type: integer
- consecutiveLocalOriginFailures:
- nullable: true
- type: integer
- interval:
- description: Time interval between ejection sweep analysis.
- type: string
- maxEjectionPercent:
- format: int32
- type: integer
- minHealthPercent:
- format: int32
- type: integer
- splitExternalLocalOriginErrors:
- description: Determines whether to distinguish local
- origin failures from external errors.
- type: boolean
- type: object
- port:
- properties:
- number:
- type: integer
- type: object
- tls:
- description: TLS related settings for connections to the
- upstream service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during
- TLS handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- tls:
- description: TLS related settings for connections to the upstream
- service.
- properties:
- caCertificates:
- type: string
- clientCertificate:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- credentialName:
- type: string
- insecureSkipVerify:
- nullable: true
- type: boolean
- mode:
- enum:
- - DISABLE
- - SIMPLE
- - MUTUAL
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- sni:
- description: SNI string to present to the server during TLS
- handshake.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- type: object
- tunnel:
- properties:
- protocol:
- description: Specifies which protocol to use for tunneling
- the downstream connection.
- type: string
- targetHost:
- description: Specifies a host to which the downstream connection
- is tunneled.
- type: string
- targetPort:
- description: Specifies a port to which the downstream connection
- is tunneled.
- type: integer
- type: object
- type: object
- workloadSelector:
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: envoyfilters.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: EnvoyFilter
- listKind: EnvoyFilterList
- plural: envoyfilters
- singular: envoyfilter
- scope: Namespaced
- versions:
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Customizing Envoy configuration generated by Istio. See
- more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
- properties:
- configPatches:
- description: One or more patches with match conditions.
- items:
- properties:
- applyTo:
- enum:
- - INVALID
- - LISTENER
- - FILTER_CHAIN
- - NETWORK_FILTER
- - HTTP_FILTER
- - ROUTE_CONFIGURATION
- - VIRTUAL_HOST
- - HTTP_ROUTE
- - CLUSTER
- - EXTENSION_CONFIG
- - BOOTSTRAP
- - LISTENER_FILTER
- type: string
- match:
- description: Match on listener/route configuration/cluster.
- oneOf:
- - not:
- anyOf:
- - required:
- - listener
- - required:
- - routeConfiguration
- - required:
- - cluster
- - required:
- - listener
- - required:
- - routeConfiguration
- - required:
- - cluster
- properties:
- cluster:
- description: Match on envoy cluster attributes.
- properties:
- name:
- description: The exact name of the cluster to match.
- type: string
- portNumber:
- description: The service port for which this cluster
- was generated.
- type: integer
- service:
- description: The fully qualified service name for this
- cluster.
- type: string
- subset:
- description: The subset associated with the service.
- type: string
- type: object
- context:
- description: The specific config generation context to match
- on.
- enum:
- - ANY
- - SIDECAR_INBOUND
- - SIDECAR_OUTBOUND
- - GATEWAY
- type: string
- listener:
- description: Match on envoy listener attributes.
- properties:
- filterChain:
- description: Match a specific filter chain in a listener.
- properties:
- applicationProtocols:
- description: Applies only to sidecars.
- type: string
- destinationPort:
- description: The destination_port value used by
- a filter chain's match condition.
- type: integer
- filter:
- description: The name of a specific filter to apply
- the patch to.
- properties:
- name:
- description: The filter name to match on.
- type: string
- subFilter:
- properties:
- name:
- description: The filter name to match on.
- type: string
- type: object
- type: object
- name:
- description: The name assigned to the filter chain.
- type: string
- sni:
- description: The SNI value used by a filter chain's
- match condition.
- type: string
- transportProtocol:
- description: Applies only to `SIDECAR_INBOUND` context.
- type: string
- type: object
- listenerFilter:
- description: Match a specific listener filter.
- type: string
- name:
- description: Match a specific listener by its name.
- type: string
- portName:
- type: string
- portNumber:
- type: integer
- type: object
- proxy:
- description: Match on properties associated with a proxy.
- properties:
- metadata:
- additionalProperties:
- type: string
- type: object
- proxyVersion:
- type: string
- type: object
- routeConfiguration:
- description: Match on envoy HTTP route configuration attributes.
- properties:
- gateway:
- type: string
- name:
- description: Route configuration name to match on.
- type: string
- portName:
- description: Applicable only for GATEWAY context.
- type: string
- portNumber:
- type: integer
- vhost:
- properties:
- name:
- type: string
- route:
- description: Match a specific route within the virtual
- host.
- properties:
- action:
- description: Match a route with specific action
- type.
- enum:
- - ANY
- - ROUTE
- - REDIRECT
- - DIRECT_RESPONSE
- type: string
- name:
- type: string
- type: object
- type: object
- type: object
- type: object
- patch:
- description: The patch to apply along with the operation.
- properties:
- filterClass:
- description: Determines the filter insertion order.
- enum:
- - UNSPECIFIED
- - AUTHN
- - AUTHZ
- - STATS
- type: string
- operation:
- description: Determines how the patch should be applied.
- enum:
- - INVALID
- - MERGE
- - ADD
- - REMOVE
- - INSERT_BEFORE
- - INSERT_AFTER
- - INSERT_FIRST
- - REPLACE
- type: string
- value:
- description: The JSON config of the object being patched.
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- priority:
- description: Priority defines the order in which patch sets are applied
- within a context.
- format: int32
- type: integer
- workloadSelector:
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: gateways.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: Gateway
- listKind: GatewayList
- plural: gateways
- shortNames:
- - gw
- singular: gateway
- scope: Namespaced
- versions:
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting edge load balancer. See more details
- at: https://istio.io/docs/reference/config/networking/gateway.html'
- properties:
- selector:
- additionalProperties:
- type: string
- type: object
- servers:
- description: A list of server specifications.
- items:
- properties:
- bind:
- type: string
- defaultEndpoint:
- type: string
- hosts:
- description: One or more hosts exposed by this gateway.
- items:
- type: string
- type: array
- name:
- description: An optional name of the server, when set must be
- unique across all servers.
- type: string
- port:
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- tls:
- description: Set of TLS related options that govern the server's
- behavior.
- properties:
- caCertificates:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- cipherSuites:
- description: 'Optional: If specified, only support the specified
- cipher list.'
- items:
- type: string
- type: array
- credentialName:
- type: string
- httpsRedirect:
- type: boolean
- maxProtocolVersion:
- description: 'Optional: Maximum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- minProtocolVersion:
- description: 'Optional: Minimum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- mode:
- enum:
- - PASSTHROUGH
- - SIMPLE
- - MUTUAL
- - AUTO_PASSTHROUGH
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- serverCertificate:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- verifyCertificateHash:
- items:
- type: string
- type: array
- verifyCertificateSpki:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting edge load balancer. See more details
- at: https://istio.io/docs/reference/config/networking/gateway.html'
- properties:
- selector:
- additionalProperties:
- type: string
- type: object
- servers:
- description: A list of server specifications.
- items:
- properties:
- bind:
- type: string
- defaultEndpoint:
- type: string
- hosts:
- description: One or more hosts exposed by this gateway.
- items:
- type: string
- type: array
- name:
- description: An optional name of the server, when set must be
- unique across all servers.
- type: string
- port:
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- tls:
- description: Set of TLS related options that govern the server's
- behavior.
- properties:
- caCertificates:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- cipherSuites:
- description: 'Optional: If specified, only support the specified
- cipher list.'
- items:
- type: string
- type: array
- credentialName:
- type: string
- httpsRedirect:
- type: boolean
- maxProtocolVersion:
- description: 'Optional: Maximum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- minProtocolVersion:
- description: 'Optional: Minimum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- mode:
- enum:
- - PASSTHROUGH
- - SIMPLE
- - MUTUAL
- - AUTO_PASSTHROUGH
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- serverCertificate:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- verifyCertificateHash:
- items:
- type: string
- type: array
- verifyCertificateSpki:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: proxyconfigs.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: ProxyConfig
- listKind: ProxyConfigList
- plural: proxyconfigs
- singular: proxyconfig
- scope: Namespaced
- versions:
- - name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Provides configuration for individual workloads. See more
- details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
- properties:
- concurrency:
- description: The number of worker threads to run.
- nullable: true
- type: integer
- environmentVariables:
- additionalProperties:
- type: string
- description: Additional environment variables for the proxy.
- type: object
- image:
- description: Specifies the details of the proxy image.
- properties:
- imageType:
- description: The image type of the image.
- type: string
- type: object
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: serviceentries.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: ServiceEntry
- listKind: ServiceEntryList
- plural: serviceentries
- shortNames:
- - se
- singular: serviceentry
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The hosts associated with the ServiceEntry
- jsonPath: .spec.hosts
- name: Hosts
- type: string
- - description: Whether the service is external to the mesh or part of the mesh
- (MESH_EXTERNAL or MESH_INTERNAL)
- jsonPath: .spec.location
- name: Location
- type: string
- - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
- jsonPath: .spec.resolution
- name: Resolution
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting service registry. See more details
- at: https://istio.io/docs/reference/config/networking/service-entry.html'
- properties:
- addresses:
- description: The virtual IP addresses associated with the service.
- items:
- type: string
- type: array
- endpoints:
- description: One or more endpoints associated with the service.
- items:
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- type: array
- exportTo:
- description: A list of namespaces to which this service is exported.
- items:
- type: string
- type: array
- hosts:
- description: The hosts associated with the ServiceEntry.
- items:
- type: string
- type: array
- location:
- enum:
- - MESH_EXTERNAL
- - MESH_INTERNAL
- type: string
- ports:
- description: The ports associated with the external service.
- items:
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- type: array
- resolution:
- description: Service resolution mode for the hosts.
- enum:
- - NONE
- - STATIC
- - DNS
- - DNS_ROUND_ROBIN
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- workloadSelector:
- description: Applicable only for MESH_INTERNAL services.
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: The hosts associated with the ServiceEntry
- jsonPath: .spec.hosts
- name: Hosts
- type: string
- - description: Whether the service is external to the mesh or part of the mesh
- (MESH_EXTERNAL or MESH_INTERNAL)
- jsonPath: .spec.location
- name: Location
- type: string
- - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
- jsonPath: .spec.resolution
- name: Resolution
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting service registry. See more details
- at: https://istio.io/docs/reference/config/networking/service-entry.html'
- properties:
- addresses:
- description: The virtual IP addresses associated with the service.
- items:
- type: string
- type: array
- endpoints:
- description: One or more endpoints associated with the service.
- items:
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- type: array
- exportTo:
- description: A list of namespaces to which this service is exported.
- items:
- type: string
- type: array
- hosts:
- description: The hosts associated with the ServiceEntry.
- items:
- type: string
- type: array
- location:
- enum:
- - MESH_EXTERNAL
- - MESH_INTERNAL
- type: string
- ports:
- description: The ports associated with the external service.
- items:
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- type: array
- resolution:
- description: Service resolution mode for the hosts.
- enum:
- - NONE
- - STATIC
- - DNS
- - DNS_ROUND_ROBIN
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- workloadSelector:
- description: Applicable only for MESH_INTERNAL services.
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: sidecars.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: Sidecar
- listKind: SidecarList
- plural: sidecars
- singular: sidecar
- scope: Namespaced
- versions:
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting network reachability of a sidecar.
- See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
- properties:
- egress:
- items:
- properties:
- bind:
- type: string
- captureMode:
- enum:
- - DEFAULT
- - IPTABLES
- - NONE
- type: string
- hosts:
- items:
- type: string
- type: array
- port:
- description: The port associated with the listener.
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- type: object
- type: array
- ingress:
- items:
- properties:
- bind:
- description: The IP(IPv4 or IPv6) to which the listener should
- be bound.
- type: string
- captureMode:
- enum:
- - DEFAULT
- - IPTABLES
- - NONE
- type: string
- defaultEndpoint:
- type: string
- port:
- description: The port associated with the listener.
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- tls:
- properties:
- caCertificates:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- cipherSuites:
- description: 'Optional: If specified, only support the specified
- cipher list.'
- items:
- type: string
- type: array
- credentialName:
- type: string
- httpsRedirect:
- type: boolean
- maxProtocolVersion:
- description: 'Optional: Maximum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- minProtocolVersion:
- description: 'Optional: Minimum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- mode:
- enum:
- - PASSTHROUGH
- - SIMPLE
- - MUTUAL
- - AUTO_PASSTHROUGH
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- serverCertificate:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- verifyCertificateHash:
- items:
- type: string
- type: array
- verifyCertificateSpki:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- outboundTrafficPolicy:
- description: Configuration for the outbound traffic policy.
- properties:
- egressProxy:
- properties:
- host:
- description: The name of a service from the service registry.
- type: string
- port:
- description: Specifies the port on the host that is being
- addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- mode:
- enum:
- - REGISTRY_ONLY
- - ALLOW_ANY
- type: string
- type: object
- workloadSelector:
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting network reachability of a sidecar.
- See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
- properties:
- egress:
- items:
- properties:
- bind:
- type: string
- captureMode:
- enum:
- - DEFAULT
- - IPTABLES
- - NONE
- type: string
- hosts:
- items:
- type: string
- type: array
- port:
- description: The port associated with the listener.
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- type: object
- type: array
- ingress:
- items:
- properties:
- bind:
- description: The IP(IPv4 or IPv6) to which the listener should
- be bound.
- type: string
- captureMode:
- enum:
- - DEFAULT
- - IPTABLES
- - NONE
- type: string
- defaultEndpoint:
- type: string
- port:
- description: The port associated with the listener.
- properties:
- name:
- description: Label assigned to the port.
- type: string
- number:
- description: A valid non-negative integer port number.
- type: integer
- protocol:
- description: The protocol exposed on the port.
- type: string
- targetPort:
- type: integer
- type: object
- tls:
- properties:
- caCertificates:
- description: REQUIRED if mode is `MUTUAL`.
- type: string
- cipherSuites:
- description: 'Optional: If specified, only support the specified
- cipher list.'
- items:
- type: string
- type: array
- credentialName:
- type: string
- httpsRedirect:
- type: boolean
- maxProtocolVersion:
- description: 'Optional: Maximum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- minProtocolVersion:
- description: 'Optional: Minimum TLS protocol version.'
- enum:
- - TLS_AUTO
- - TLSV1_0
- - TLSV1_1
- - TLSV1_2
- - TLSV1_3
- type: string
- mode:
- enum:
- - PASSTHROUGH
- - SIMPLE
- - MUTUAL
- - AUTO_PASSTHROUGH
- - ISTIO_MUTUAL
- type: string
- privateKey:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- serverCertificate:
- description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
- type: string
- subjectAltNames:
- items:
- type: string
- type: array
- verifyCertificateHash:
- items:
- type: string
- type: array
- verifyCertificateSpki:
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- outboundTrafficPolicy:
- description: Configuration for the outbound traffic policy.
- properties:
- egressProxy:
- properties:
- host:
- description: The name of a service from the service registry.
- type: string
- port:
- description: Specifies the port on the host that is being
- addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- mode:
- enum:
- - REGISTRY_ONLY
- - ALLOW_ANY
- type: string
- type: object
- workloadSelector:
- properties:
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: virtualservices.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: VirtualService
- listKind: VirtualServiceList
- plural: virtualservices
- shortNames:
- - vs
- singular: virtualservice
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The names of gateways and sidecars that should apply these routes
- jsonPath: .spec.gateways
- name: Gateways
- type: string
- - description: The destination hosts to which traffic is being sent
- jsonPath: .spec.hosts
- name: Hosts
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting label/content routing, sni routing,
- etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
- properties:
- exportTo:
- description: A list of namespaces to which this virtual service is
- exported.
- items:
- type: string
- type: array
- gateways:
- description: The names of gateways and sidecars that should apply
- these routes.
- items:
- type: string
- type: array
- hosts:
- description: The destination hosts to which traffic is being sent.
- items:
- type: string
- type: array
- http:
- description: An ordered list of route rules for HTTP traffic.
- items:
- properties:
- corsPolicy:
- description: Cross-Origin Resource Sharing policy (CORS).
- properties:
- allowCredentials:
- nullable: true
- type: boolean
- allowHeaders:
- items:
- type: string
- type: array
- allowMethods:
- description: List of HTTP methods allowed to access the
- resource.
- items:
- type: string
- type: array
- allowOrigin:
- description: The list of origins that are allowed to perform
- CORS requests.
- items:
- type: string
- type: array
- allowOrigins:
- description: String patterns that match allowed origins.
- items:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- type: array
- exposeHeaders:
- items:
- type: string
- type: array
- maxAge:
- type: string
- type: object
- delegate:
- properties:
- name:
- description: Name specifies the name of the delegate VirtualService.
- type: string
- namespace:
- description: Namespace specifies the namespace where the
- delegate VirtualService resides.
- type: string
- type: object
- directResponse:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- properties:
- body:
- description: Specifies the content of the response body.
- oneOf:
- - not:
- anyOf:
- - required:
- - string
- - required:
- - bytes
- - required:
- - string
- - required:
- - bytes
- properties:
- bytes:
- description: response body as base64 encoded bytes.
- format: binary
- type: string
- string:
- type: string
- type: object
- status:
- description: Specifies the HTTP response status to be returned.
- type: integer
- type: object
- fault:
- description: Fault injection policy to apply on HTTP traffic
- at the client side.
- properties:
- abort:
- oneOf:
- - not:
- anyOf:
- - required:
- - httpStatus
- - required:
- - grpcStatus
- - required:
- - http2Error
- - required:
- - httpStatus
- - required:
- - grpcStatus
- - required:
- - http2Error
- properties:
- grpcStatus:
- description: GRPC status code to use to abort the request.
- type: string
- http2Error:
- type: string
- httpStatus:
- description: HTTP status code to use to abort the Http
- request.
- format: int32
- type: integer
- percentage:
- description: Percentage of requests to be aborted with
- the error code provided.
- properties:
- value:
- format: double
- type: number
- type: object
- type: object
- delay:
- oneOf:
- - not:
- anyOf:
- - required:
- - fixedDelay
- - required:
- - exponentialDelay
- - required:
- - fixedDelay
- - required:
- - exponentialDelay
- properties:
- exponentialDelay:
- type: string
- fixedDelay:
- description: Add a fixed delay before forwarding the
- request.
- type: string
- percent:
- description: Percentage of requests on which the delay
- will be injected (0-100).
- format: int32
- type: integer
- percentage:
- description: Percentage of requests on which the delay
- will be injected.
- properties:
- value:
- format: double
- type: number
- type: object
- type: object
- type: object
- headers:
- properties:
- request:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- response:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- match:
- items:
- properties:
- authority:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- headers:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- type: object
- ignoreUriCase:
- description: Flag to specify whether the URI matching
- should be case-insensitive.
- type: boolean
- method:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- name:
- description: The name assigned to a match.
- type: string
- port:
- description: Specifies the ports on the host that is being
- addressed.
- type: integer
- queryParams:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- description: Query parameters for matching.
- type: object
- scheme:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- statPrefix:
- description: The human readable prefix to use when emitting
- statistics for this route.
- type: string
- uri:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- withoutHeaders:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- description: withoutHeader has the same syntax with the
- header, but has opposite meaning.
- type: object
- type: object
- type: array
- mirror:
- properties:
- host:
- description: The name of a service from the service registry.
- type: string
- port:
- description: Specifies the port on the host that is being
- addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- mirror_percent:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- nullable: true
- type: integer
- mirrorPercent:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- nullable: true
- type: integer
- mirrorPercentage:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- properties:
- value:
- format: double
- type: number
- type: object
- name:
- description: The name assigned to the route for debugging purposes.
- type: string
- redirect:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- oneOf:
- - not:
- anyOf:
- - required:
- - port
- - required:
- - derivePort
- - required:
- - port
- - required:
- - derivePort
- properties:
- authority:
- type: string
- derivePort:
- enum:
- - FROM_PROTOCOL_DEFAULT
- - FROM_REQUEST_PORT
- type: string
- port:
- description: On a redirect, overwrite the port portion of
- the URL with this value.
- type: integer
- redirectCode:
- type: integer
- scheme:
- description: On a redirect, overwrite the scheme portion
- of the URL with this value.
- type: string
- uri:
- type: string
- type: object
- retries:
- description: Retry policy for HTTP requests.
- properties:
- attempts:
- description: Number of retries to be allowed for a given
- request.
- format: int32
- type: integer
- perTryTimeout:
- description: Timeout per attempt for a given request, including
- the initial call and any retries.
- type: string
- retryOn:
- description: Specifies the conditions under which retry
- takes place.
- type: string
- retryRemoteLocalities:
- description: Flag to specify whether the retries should
- retry to other localities.
- nullable: true
- type: boolean
- type: object
- rewrite:
- description: Rewrite HTTP URIs and Authority headers.
- properties:
- authority:
- description: rewrite the Authority/Host header with this
- value.
- type: string
- uri:
- type: string
- type: object
- route:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- headers:
- properties:
- request:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- response:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- timeout:
- description: Timeout for HTTP requests, default is disabled.
- type: string
- type: object
- type: array
- tcp:
- description: An ordered list of route rules for opaque TCP traffic.
- items:
- properties:
- match:
- items:
- properties:
- destinationSubnets:
- description: IPv4 or IPv6 ip addresses of destination
- with optional subnet.
- items:
- type: string
- type: array
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- port:
- description: Specifies the port on the host that is being
- addressed.
- type: integer
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- sourceSubnet:
- description: IPv4 or IPv6 ip address of source with optional
- subnet.
- type: string
- type: object
- type: array
- route:
- description: The destination to which the connection should
- be forwarded to.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- type: object
- type: array
- tls:
- items:
- properties:
- match:
- items:
- properties:
- destinationSubnets:
- description: IPv4 or IPv6 ip addresses of destination
- with optional subnet.
- items:
- type: string
- type: array
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- port:
- description: Specifies the port on the host that is being
- addressed.
- type: integer
- sniHosts:
- description: SNI (server name indicator) to match on.
- items:
- type: string
- type: array
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- type: object
- type: array
- route:
- description: The destination to which the connection should
- be forwarded to.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- type: object
- type: array
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: The names of gateways and sidecars that should apply these routes
- jsonPath: .spec.gateways
- name: Gateways
- type: string
- - description: The destination hosts to which traffic is being sent
- jsonPath: .spec.hosts
- name: Hosts
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting label/content routing, sni routing,
- etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
- properties:
- exportTo:
- description: A list of namespaces to which this virtual service is
- exported.
- items:
- type: string
- type: array
- gateways:
- description: The names of gateways and sidecars that should apply
- these routes.
- items:
- type: string
- type: array
- hosts:
- description: The destination hosts to which traffic is being sent.
- items:
- type: string
- type: array
- http:
- description: An ordered list of route rules for HTTP traffic.
- items:
- properties:
- corsPolicy:
- description: Cross-Origin Resource Sharing policy (CORS).
- properties:
- allowCredentials:
- nullable: true
- type: boolean
- allowHeaders:
- items:
- type: string
- type: array
- allowMethods:
- description: List of HTTP methods allowed to access the
- resource.
- items:
- type: string
- type: array
- allowOrigin:
- description: The list of origins that are allowed to perform
- CORS requests.
- items:
- type: string
- type: array
- allowOrigins:
- description: String patterns that match allowed origins.
- items:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- type: array
- exposeHeaders:
- items:
- type: string
- type: array
- maxAge:
- type: string
- type: object
- delegate:
- properties:
- name:
- description: Name specifies the name of the delegate VirtualService.
- type: string
- namespace:
- description: Namespace specifies the namespace where the
- delegate VirtualService resides.
- type: string
- type: object
- directResponse:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- properties:
- body:
- description: Specifies the content of the response body.
- oneOf:
- - not:
- anyOf:
- - required:
- - string
- - required:
- - bytes
- - required:
- - string
- - required:
- - bytes
- properties:
- bytes:
- description: response body as base64 encoded bytes.
- format: binary
- type: string
- string:
- type: string
- type: object
- status:
- description: Specifies the HTTP response status to be returned.
- type: integer
- type: object
- fault:
- description: Fault injection policy to apply on HTTP traffic
- at the client side.
- properties:
- abort:
- oneOf:
- - not:
- anyOf:
- - required:
- - httpStatus
- - required:
- - grpcStatus
- - required:
- - http2Error
- - required:
- - httpStatus
- - required:
- - grpcStatus
- - required:
- - http2Error
- properties:
- grpcStatus:
- description: GRPC status code to use to abort the request.
- type: string
- http2Error:
- type: string
- httpStatus:
- description: HTTP status code to use to abort the Http
- request.
- format: int32
- type: integer
- percentage:
- description: Percentage of requests to be aborted with
- the error code provided.
- properties:
- value:
- format: double
- type: number
- type: object
- type: object
- delay:
- oneOf:
- - not:
- anyOf:
- - required:
- - fixedDelay
- - required:
- - exponentialDelay
- - required:
- - fixedDelay
- - required:
- - exponentialDelay
- properties:
- exponentialDelay:
- type: string
- fixedDelay:
- description: Add a fixed delay before forwarding the
- request.
- type: string
- percent:
- description: Percentage of requests on which the delay
- will be injected (0-100).
- format: int32
- type: integer
- percentage:
- description: Percentage of requests on which the delay
- will be injected.
- properties:
- value:
- format: double
- type: number
- type: object
- type: object
- type: object
- headers:
- properties:
- request:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- response:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- match:
- items:
- properties:
- authority:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- headers:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- type: object
- ignoreUriCase:
- description: Flag to specify whether the URI matching
- should be case-insensitive.
- type: boolean
- method:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- name:
- description: The name assigned to a match.
- type: string
- port:
- description: Specifies the ports on the host that is being
- addressed.
- type: integer
- queryParams:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- description: Query parameters for matching.
- type: object
- scheme:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- statPrefix:
- description: The human readable prefix to use when emitting
- statistics for this route.
- type: string
- uri:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- withoutHeaders:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- - required:
- - exact
- - required:
- - prefix
- - required:
- - regex
- properties:
- exact:
- type: string
- prefix:
- type: string
- regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
- type: string
- type: object
- description: withoutHeader has the same syntax with the
- header, but has opposite meaning.
- type: object
- type: object
- type: array
- mirror:
- properties:
- host:
- description: The name of a service from the service registry.
- type: string
- port:
- description: Specifies the port on the host that is being
- addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- mirror_percent:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- nullable: true
- type: integer
- mirrorPercent:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- nullable: true
- type: integer
- mirrorPercentage:
- description: Percentage of the traffic to be mirrored by the
- `mirror` field.
- properties:
- value:
- format: double
- type: number
- type: object
- name:
- description: The name assigned to the route for debugging purposes.
- type: string
- redirect:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- oneOf:
- - not:
- anyOf:
- - required:
- - port
- - required:
- - derivePort
- - required:
- - port
- - required:
- - derivePort
- properties:
- authority:
- type: string
- derivePort:
- enum:
- - FROM_PROTOCOL_DEFAULT
- - FROM_REQUEST_PORT
- type: string
- port:
- description: On a redirect, overwrite the port portion of
- the URL with this value.
- type: integer
- redirectCode:
- type: integer
- scheme:
- description: On a redirect, overwrite the scheme portion
- of the URL with this value.
- type: string
- uri:
- type: string
- type: object
- retries:
- description: Retry policy for HTTP requests.
- properties:
- attempts:
- description: Number of retries to be allowed for a given
- request.
- format: int32
- type: integer
- perTryTimeout:
- description: Timeout per attempt for a given request, including
- the initial call and any retries.
- type: string
- retryOn:
- description: Specifies the conditions under which retry
- takes place.
- type: string
- retryRemoteLocalities:
- description: Flag to specify whether the retries should
- retry to other localities.
- nullable: true
- type: boolean
- type: object
- rewrite:
- description: Rewrite HTTP URIs and Authority headers.
- properties:
- authority:
- description: rewrite the Authority/Host header with this
- value.
- type: string
- uri:
- type: string
- type: object
- route:
- description: A HTTP rule can either return a direct_response,
- redirect or forward (default) traffic.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- headers:
- properties:
- request:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- response:
- properties:
- add:
- additionalProperties:
- type: string
- type: object
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- timeout:
- description: Timeout for HTTP requests, default is disabled.
- type: string
- type: object
- type: array
- tcp:
- description: An ordered list of route rules for opaque TCP traffic.
- items:
- properties:
- match:
- items:
- properties:
- destinationSubnets:
- description: IPv4 or IPv6 ip addresses of destination
- with optional subnet.
- items:
- type: string
- type: array
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- port:
- description: Specifies the port on the host that is being
- addressed.
- type: integer
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- sourceSubnet:
- description: IPv4 or IPv6 ip address of source with optional
- subnet.
- type: string
- type: object
- type: array
- route:
- description: The destination to which the connection should
- be forwarded to.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- type: object
- type: array
- tls:
- items:
- properties:
- match:
- items:
- properties:
- destinationSubnets:
- description: IPv4 or IPv6 ip addresses of destination
- with optional subnet.
- items:
- type: string
- type: array
- gateways:
- description: Names of gateways where the rule should be
- applied.
- items:
- type: string
- type: array
- port:
- description: Specifies the port on the host that is being
- addressed.
- type: integer
- sniHosts:
- description: SNI (server name indicator) to match on.
- items:
- type: string
- type: array
- sourceLabels:
- additionalProperties:
- type: string
- type: object
- sourceNamespace:
- description: Source namespace constraining the applicability
- of a rule to workloads in that namespace.
- type: string
- type: object
- type: array
- route:
- description: The destination to which the connection should
- be forwarded to.
- items:
- properties:
- destination:
- properties:
- host:
- description: The name of a service from the service
- registry.
- type: string
- port:
- description: Specifies the port on the host that is
- being addressed.
- properties:
- number:
- type: integer
- type: object
- subset:
- description: The name of a subset within the service.
- type: string
- type: object
- weight:
- description: Weight specifies the relative proportion
- of traffic to be forwarded to the destination.
- format: int32
- type: integer
- type: object
- type: array
- type: object
- type: array
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: workloadentries.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: WorkloadEntry
- listKind: WorkloadEntryList
- plural: workloadentries
- shortNames:
- - we
- singular: workloadentry
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - description: Address associated with the network endpoint.
- jsonPath: .spec.address
- name: Address
- type: string
- name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting VMs onboarded into the mesh. See
- more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - description: Address associated with the network endpoint.
- jsonPath: .spec.address
- name: Address
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration affecting VMs onboarded into the mesh. See
- more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
- name: workloadgroups.networking.istio.io
-spec:
- group: networking.istio.io
- names:
- categories:
- - istio-io
- - networking-istio-io
- kind: WorkloadGroup
- listKind: WorkloadGroupList
- plural: workloadgroups
- shortNames:
- - wg
- singular: workloadgroup
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Describes a collection of workload instances. See more details
- at: https://istio.io/docs/reference/config/networking/workload-group.html'
- properties:
- metadata:
- description: Metadata that will be used for all corresponding `WorkloadEntries`.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- probe:
- description: '`ReadinessProbe` describes the configuration the user
- must provide for healthchecking on their workload.'
- oneOf:
- - not:
- anyOf:
- - required:
- - httpGet
- - required:
- - tcpSocket
- - required:
- - exec
- - required:
- - httpGet
- - required:
- - tcpSocket
- - required:
- - exec
- properties:
- exec:
- description: Health is determined by how the command that is executed
- exited.
- properties:
- command:
- description: Command to run.
- items:
- type: string
- type: array
- type: object
- failureThreshold:
- description: Minimum consecutive failures for the probe to be
- considered failed after having succeeded.
- format: int32
- type: integer
- httpGet:
- properties:
- host:
- description: Host name to connect to, defaults to the pod
- IP.
- type: string
- httpHeaders:
- description: Headers the proxy will pass on to make the request.
- items:
- properties:
- name:
- type: string
- value:
- type: string
- type: object
- type: array
- path:
- description: Path to access on the HTTP server.
- type: string
- port:
- description: Port on which the endpoint lives.
- type: integer
- scheme:
- type: string
- type: object
- initialDelaySeconds:
- description: Number of seconds after the container has started
- before readiness probes are initiated.
- format: int32
- type: integer
- periodSeconds:
- description: How often (in seconds) to perform the probe.
- format: int32
- type: integer
- successThreshold:
- description: Minimum consecutive successes for the probe to be
- considered successful after having failed.
- format: int32
- type: integer
- tcpSocket:
- description: Health is determined by if the proxy is able to connect.
- properties:
- host:
- type: string
- port:
- type: integer
- type: object
- timeoutSeconds:
- description: Number of seconds after which the probe times out.
- format: int32
- type: integer
- type: object
- template:
- description: Template to be used for the generation of `WorkloadEntry`
- resources that belong to this `WorkloadGroup`.
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- metadata:
- description: Metadata that will be used for all corresponding `WorkloadEntries`.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- probe:
- description: '`ReadinessProbe` describes the configuration the user
- must provide for healthchecking on their workload.'
- oneOf:
- - not:
- anyOf:
- - required:
- - httpGet
- - required:
- - tcpSocket
- - required:
- - exec
- - required:
- - httpGet
- - required:
- - tcpSocket
- - required:
- - exec
- properties:
- exec:
- description: Health is determined by how the command that is executed
- exited.
- properties:
- command:
- description: Command to run.
- items:
- type: string
- type: array
- type: object
- failureThreshold:
- description: Minimum consecutive failures for the probe to be
- considered failed after having succeeded.
- format: int32
- type: integer
- httpGet:
- properties:
- host:
- description: Host name to connect to, defaults to the pod
- IP.
- type: string
- httpHeaders:
- description: Headers the proxy will pass on to make the request.
- items:
- properties:
- name:
- type: string
- value:
- type: string
- type: object
- type: array
- path:
- description: Path to access on the HTTP server.
- type: string
- port:
- description: Port on which the endpoint lives.
- type: integer
- scheme:
- type: string
- type: object
- initialDelaySeconds:
- description: Number of seconds after the container has started
- before readiness probes are initiated.
- format: int32
- type: integer
- periodSeconds:
- description: How often (in seconds) to perform the probe.
- format: int32
- type: integer
- successThreshold:
- description: Minimum consecutive successes for the probe to be
- considered successful after having failed.
- format: int32
- type: integer
- tcpSocket:
- description: Health is determined by if the proxy is able to connect.
- properties:
- host:
- type: string
- port:
- type: integer
- type: object
- timeoutSeconds:
- description: Number of seconds after which the probe times out.
- format: int32
- type: integer
- type: object
- template:
- description: Template to be used for the generation of `WorkloadEntry`
- resources that belong to this `WorkloadGroup`.
- properties:
- address:
- type: string
- labels:
- additionalProperties:
- type: string
- description: One or more labels associated with the endpoint.
- type: object
- locality:
- description: The locality associated with the endpoint.
- type: string
- network:
- type: string
- ports:
- additionalProperties:
- type: integer
- description: Set of ports associated with the endpoint.
- type: object
- serviceAccount:
- type: string
- weight:
- description: The load balancing weight associated with the endpoint.
- type: integer
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
- name: authorizationpolicies.security.istio.io
-spec:
- group: security.istio.io
- names:
- categories:
- - istio-io
- - security-istio-io
- kind: AuthorizationPolicy
- listKind: AuthorizationPolicyList
- plural: authorizationpolicies
- singular: authorizationpolicy
- scope: Namespaced
- versions:
- - name: v1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration for access control on workloads. See more
- details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
- oneOf:
- - not:
- anyOf:
- - required:
- - provider
- - required:
- - provider
- properties:
- action:
- description: Optional.
- enum:
- - ALLOW
- - DENY
- - AUDIT
- - CUSTOM
- type: string
- provider:
- description: Specifies detailed configuration of the CUSTOM action.
- properties:
- name:
- description: Specifies the name of the extension provider.
- type: string
- type: object
- rules:
- description: Optional.
- items:
- properties:
- from:
- description: Optional.
- items:
- properties:
- source:
- description: Source specifies the source of a request.
- properties:
- ipBlocks:
- description: Optional.
- items:
- type: string
- type: array
- namespaces:
- description: Optional.
- items:
- type: string
- type: array
- notIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- notNamespaces:
- description: Optional.
- items:
- type: string
- type: array
- notPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- notRemoteIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- notRequestPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- principals:
- description: Optional.
- items:
- type: string
- type: array
- remoteIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- requestPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- to:
- description: Optional.
- items:
- properties:
- operation:
- description: Operation specifies the operation of a request.
- properties:
- hosts:
- description: Optional.
- items:
- type: string
- type: array
- methods:
- description: Optional.
- items:
- type: string
- type: array
- notHosts:
- description: Optional.
- items:
- type: string
- type: array
- notMethods:
- description: Optional.
- items:
- type: string
- type: array
- notPaths:
- description: Optional.
- items:
- type: string
- type: array
- notPorts:
- description: Optional.
- items:
- type: string
- type: array
- paths:
- description: Optional.
- items:
- type: string
- type: array
- ports:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- when:
- description: Optional.
- items:
- properties:
- key:
- description: The name of an Istio attribute.
- type: string
- notValues:
- description: Optional.
- items:
- type: string
- type: array
- values:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: array
- type: object
- type: array
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Configuration for access control on workloads. See more
- details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
- oneOf:
- - not:
- anyOf:
- - required:
- - provider
- - required:
- - provider
- properties:
- action:
- description: Optional.
- enum:
- - ALLOW
- - DENY
- - AUDIT
- - CUSTOM
- type: string
- provider:
- description: Specifies detailed configuration of the CUSTOM action.
- properties:
- name:
- description: Specifies the name of the extension provider.
- type: string
- type: object
- rules:
- description: Optional.
- items:
- properties:
- from:
- description: Optional.
- items:
- properties:
- source:
- description: Source specifies the source of a request.
- properties:
- ipBlocks:
- description: Optional.
- items:
- type: string
- type: array
- namespaces:
- description: Optional.
- items:
- type: string
- type: array
- notIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- notNamespaces:
- description: Optional.
- items:
- type: string
- type: array
- notPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- notRemoteIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- notRequestPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- principals:
- description: Optional.
- items:
- type: string
- type: array
- remoteIpBlocks:
- description: Optional.
- items:
- type: string
- type: array
- requestPrincipals:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- to:
- description: Optional.
- items:
- properties:
- operation:
- description: Operation specifies the operation of a request.
- properties:
- hosts:
- description: Optional.
- items:
- type: string
- type: array
- methods:
- description: Optional.
- items:
- type: string
- type: array
- notHosts:
- description: Optional.
- items:
- type: string
- type: array
- notMethods:
- description: Optional.
- items:
- type: string
- type: array
- notPaths:
- description: Optional.
- items:
- type: string
- type: array
- notPorts:
- description: Optional.
- items:
- type: string
- type: array
- paths:
- description: Optional.
- items:
- type: string
- type: array
- ports:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: object
- type: array
- when:
- description: Optional.
- items:
- properties:
- key:
- description: The name of an Istio attribute.
- type: string
- notValues:
- description: Optional.
- items:
- type: string
- type: array
- values:
- description: Optional.
- items:
- type: string
- type: array
- type: object
- type: array
- type: object
- type: array
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
- name: peerauthentications.security.istio.io
-spec:
- group: security.istio.io
- names:
- categories:
- - istio-io
- - security-istio-io
- kind: PeerAuthentication
- listKind: PeerAuthenticationList
- plural: peerauthentications
- shortNames:
- - pa
- singular: peerauthentication
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Defines the mTLS mode used for peer authentication.
- jsonPath: .spec.mtls.mode
- name: Mode
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: PeerAuthentication defines how traffic will be tunneled (or
- not) to the sidecar.
- properties:
- mtls:
- description: Mutual TLS settings for workload.
- properties:
- mode:
- description: Defines the mTLS mode used for peer authentication.
- enum:
- - UNSET
- - DISABLE
- - PERMISSIVE
- - STRICT
- type: string
- type: object
- portLevelMtls:
- additionalProperties:
- properties:
- mode:
- description: Defines the mTLS mode used for peer authentication.
- enum:
- - UNSET
- - DISABLE
- - PERMISSIVE
- - STRICT
- type: string
- type: object
- description: Port specific mutual TLS settings.
- type: object
- selector:
- description: The selector determines the workloads to apply the ChannelAuthentication
- on.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
- name: requestauthentications.security.istio.io
-spec:
- group: security.istio.io
- names:
- categories:
- - istio-io
- - security-istio-io
- kind: RequestAuthentication
- listKind: RequestAuthenticationList
- plural: requestauthentications
- shortNames:
- - ra
- singular: requestauthentication
- scope: Namespaced
- versions:
- - name: v1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: RequestAuthentication defines what request authentication
- methods are supported by a workload.
- properties:
- jwtRules:
- description: Define the list of JWTs that can be validated at the
- selected workloads' proxy.
- items:
- properties:
- audiences:
- items:
- type: string
- type: array
- forwardOriginalToken:
- description: If set to true, the original token will be kept
- for the upstream request.
- type: boolean
- fromHeaders:
- description: List of header locations from which JWT is expected.
- items:
- properties:
- name:
- description: The HTTP header name.
- type: string
- prefix:
- description: The prefix that should be stripped before
- decoding the token.
- type: string
- type: object
- type: array
- fromParams:
- description: List of query parameters from which JWT is expected.
- items:
- type: string
- type: array
- issuer:
- description: Identifies the issuer that issued the JWT.
- type: string
- jwks:
- description: JSON Web Key Set of public keys to validate signature
- of the JWT.
- type: string
- jwks_uri:
- type: string
- jwksUri:
- type: string
- outputClaimToHeaders:
- description: This field specifies a list of operations to copy
- the claim to HTTP headers on a successfully verified token.
- items:
- properties:
- claim:
- description: The name of the claim to be copied from.
- type: string
- header:
- description: The name of the header to be created.
- type: string
- type: object
- type: array
- outputPayloadToHeader:
- type: string
- type: object
- type: array
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - name: v1beta1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: RequestAuthentication defines what request authentication
- methods are supported by a workload.
- properties:
- jwtRules:
- description: Define the list of JWTs that can be validated at the
- selected workloads' proxy.
- items:
- properties:
- audiences:
- items:
- type: string
- type: array
- forwardOriginalToken:
- description: If set to true, the original token will be kept
- for the upstream request.
- type: boolean
- fromHeaders:
- description: List of header locations from which JWT is expected.
- items:
- properties:
- name:
- description: The HTTP header name.
- type: string
- prefix:
- description: The prefix that should be stripped before
- decoding the token.
- type: string
- type: object
- type: array
- fromParams:
- description: List of query parameters from which JWT is expected.
- items:
- type: string
- type: array
- issuer:
- description: Identifies the issuer that issued the JWT.
- type: string
- jwks:
- description: JSON Web Key Set of public keys to validate signature
- of the JWT.
- type: string
- jwks_uri:
- type: string
- jwksUri:
- type: string
- outputClaimToHeaders:
- description: This field specifies a list of operations to copy
- the claim to HTTP headers on a successfully verified token.
- items:
- properties:
- claim:
- description: The name of the claim to be copied from.
- type: string
- header:
- description: The name of the header to be created.
- type: string
- type: object
- type: array
- outputPayloadToHeader:
- type: string
- type: object
- type: array
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- "helm.sh/resource-policy": keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: telemetry
- release: istio
- name: telemetries.telemetry.istio.io
-spec:
- group: telemetry.istio.io
- names:
- categories:
- - istio-io
- - telemetry-istio-io
- kind: Telemetry
- listKind: TelemetryList
- plural: telemetries
- shortNames:
- - telemetry
- singular: telemetry
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- description: 'Telemetry configuration for workloads. See more details
- at: https://istio.io/docs/reference/config/telemetry.html'
- properties:
- accessLogging:
- description: Optional.
- items:
- properties:
- disabled:
- description: Controls logging.
- nullable: true
- type: boolean
- filter:
- description: Optional.
- properties:
- expression:
- description: CEL expression for selecting when requests/connections
- should be logged.
- type: string
- type: object
- match:
- description: Allows tailoring of logging behavior to specific
- conditions.
- properties:
- mode:
- enum:
- - CLIENT_AND_SERVER
- - CLIENT
- - SERVER
- type: string
- type: object
- providers:
- description: Optional.
- items:
- properties:
- name:
- description: Required.
- type: string
- type: object
- type: array
- type: object
- type: array
- metrics:
- description: Optional.
- items:
- properties:
- overrides:
- description: Optional.
- items:
- properties:
- disabled:
- description: Optional.
- nullable: true
- type: boolean
- match:
- description: Match allows provides the scope of the override.
- oneOf:
- - not:
- anyOf:
- - required:
- - metric
- - required:
- - customMetric
- - required:
- - metric
- - required:
- - customMetric
- properties:
- customMetric:
- description: Allows free-form specification of a metric.
- type: string
- metric:
- description: One of the well-known Istio Standard
- Metrics.
- enum:
- - ALL_METRICS
- - REQUEST_COUNT
- - REQUEST_DURATION
- - REQUEST_SIZE
- - RESPONSE_SIZE
- - TCP_OPENED_CONNECTIONS
- - TCP_CLOSED_CONNECTIONS
- - TCP_SENT_BYTES
- - TCP_RECEIVED_BYTES
- - GRPC_REQUEST_MESSAGES
- - GRPC_RESPONSE_MESSAGES
- type: string
- mode:
- enum:
- - CLIENT_AND_SERVER
- - CLIENT
- - SERVER
- type: string
- type: object
- tagOverrides:
- additionalProperties:
- properties:
- operation:
- description: Operation controls whether or not to
- update/add a tag, or to remove it.
- enum:
- - UPSERT
- - REMOVE
- type: string
- value:
- description: Value is only considered if the operation
- is `UPSERT`.
- type: string
- type: object
- description: Optional.
- type: object
- type: object
- type: array
- providers:
- description: Optional.
- items:
- properties:
- name:
- description: Required.
- type: string
- type: object
- type: array
- reportingInterval:
- description: Optional.
- type: string
- type: object
- type: array
- selector:
- description: Optional.
- properties:
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- tracing:
- description: Optional.
- items:
- properties:
- customTags:
- additionalProperties:
- oneOf:
- - not:
- anyOf:
- - required:
- - literal
- - required:
- - environment
- - required:
- - header
- - required:
- - literal
- - required:
- - environment
- - required:
- - header
- properties:
- environment:
- description: Environment adds the value of an environment
- variable to each span.
- properties:
- defaultValue:
- description: Optional.
- type: string
- name:
- description: Name of the environment variable from
- which to extract the tag value.
- type: string
- type: object
- header:
- properties:
- defaultValue:
- description: Optional.
- type: string
- name:
- description: Name of the header from which to extract
- the tag value.
- type: string
- type: object
- literal:
- description: Literal adds the same, hard-coded value to
- each span.
- properties:
- value:
- description: The tag value to use.
- type: string
- type: object
- type: object
- description: Optional.
- type: object
- disableSpanReporting:
- description: Controls span reporting.
- nullable: true
- type: boolean
- match:
- description: Allows tailoring of behavior to specific conditions.
- properties:
- mode:
- enum:
- - CLIENT_AND_SERVER
- - CLIENT
- - SERVER
- type: string
- type: object
- providers:
- description: Optional.
- items:
- properties:
- name:
- description: Required.
- type: string
- type: object
- type: array
- randomSamplingPercentage:
- nullable: true
- type: number
- useRequestIdForTraceSampling:
- nullable: true
- type: boolean
- type: object
- type: array
- type: object
- status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-{{- end }}
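Review bot: the deleted CRDs for `authorizationpolicies.security.istio.io`, `peerauthentications.security.istio.io` and `requestauthentications.security.istio.io` all carry `"helm.sh/resource-policy": keep`, so dropping the vendored chart from the repository does not remove them from a cluster where the chart was installed. Please state in the commit message whether these definitions are now supplied from somewhere else or are meant to be cleaned up by hand, since existing AuthorizationPolicy and PeerAuthentication objects depend on them.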
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml
deleted file mode 100644
index 42e95ee8..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-{{- if .Values.global.configCluster }}
-# SYNC WITH manifests/charts/istio-operator/templates
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: istiooperators.install.istio.io
- labels:
- release: istio
-spec:
- conversion:
- strategy: None
- group: install.istio.io
- names:
- kind: IstioOperator
- listKind: IstioOperatorList
- plural: istiooperators
- singular: istiooperator
- shortNames:
- - iop
- - io
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Istio control plane revision
- jsonPath: .spec.revision
- name: Revision
- type: string
- - description: IOP current state
- jsonPath: .status.status
- name: Status
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- subresources:
- status: {}
- name: v1alpha1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
----
-{{- end }}
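Review bot: the header comment `# SYNC WITH manifests/charts/istio-operator/templates` marks this file as one of two copies that are kept in step, so check that the istio-operator copy is removed in the same patch and that neither half of the pair is left behind.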
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml
deleted file mode 100644
index 6b1d6633..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-{{- if .Values.global.configCluster }}
-{{- if not (eq .Values.defaultRevision "") }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istiod-default-validator
- labels:
- app: istiod
- release: {{ .Release.Name }}
- istio: istiod
- istio.io/rev: {{ .Values.defaultRevision }}
-webhooks:
- - name: validation.istio.io
- clientConfig:
- {{- if .Values.base.validationURL }}
- url: {{ .Values.base.validationURL }}
- {{- else }}
- service:
- {{- if (eq .Values.defaultRevision "default") }}
- name: istiod
- {{- else }}
- name: istiod-{{ .Values.defaultRevision }}
- {{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- {{- if .Values.base.validateGateway }}
- - gateway.networking.k8s.io
- {{- end }}
- apiVersions:
- - "*"
- resources:
- - "*"
- # Fail open until the validation webhook is ready. The webhook controller
- # will update this to `Fail` and patch in the `caBundle` when the webhook
- # endpoint is ready.
- failurePolicy: Ignore
- sideEffects: None
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
-{{- end }}
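Review bot: the comment above `failurePolicy: Ignore` says the webhook controller rewrites the policy to `Fail` at runtime, so a cluster that still has `istiod-default-validator` registered once istiod is gone would reject CREATE and UPDATE requests for the listed API groups. If this removal goes together with dropping Istio from a deployment, add a cleanup step for the ValidatingWebhookConfiguration, or note that it was never installed.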
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml
deleted file mode 100644
index 2675b47a..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
-# if the remotePilotAddress is an IP addr
-apiVersion: v1
-kind: Endpoints
-metadata:
- {{- if .Values.pilot.enabled }}
- name: istiod-remote
- {{- else }}
- name: istiod
- {{- end }}
- namespace: {{ .Release.Namespace }}
-subsets:
-- addresses:
- - ip: {{ .Values.global.remotePilotAddress }}
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 15017
- name: tcp-webhook
- protocol: TCP
----
-{{- end }}
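Review bot: the `regexMatch "^([0-9]*\\.){3}[0-9]*$"` guard on the first line accepts values such as `...` or `999.1.1.1`, because every octet is `[0-9]*`, and it never matches an IPv6 address. The file is being deleted, so nothing needs to change here, but the pattern should not be carried into whatever replaces this template.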
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml
deleted file mode 100644
index 69522c67..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-{{- if not .Values.global.omitSidecarInjectorConfigMap }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- release: {{ .Release.Name }}
-data:
-{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
- values: |-
-{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
-
- # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
- # and istiod webhook functionality.
- #
- # New fields should not use Values - it is a 'primary' config object, users should be able
- # to fine tune it or use it with kube-inject.
- config: |-
- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
- {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
- defaultTemplates:
-{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
- - {{ . }}
-{{- end }}
- {{- else }}
- defaultTemplates: [sidecar]
- {{- end }}
- policy: {{ .Values.global.proxy.autoInject }}
- alwaysInjectSelector:
-{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
- neverInjectSelector:
-{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
- injectedAnnotations:
- {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
- "{{ $key }}": {{ $val | quote }}
- {{- end }}
- {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
- which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
- This should make it obvious that their installation is broken.
- */}}
- template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
- templates:
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
- sidecar: |
-{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
- gateway: |
-{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
- grpc-simple: |
-{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
- grpc-agent: |
-{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
- waypoint: |
-{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
- kube-gateway: |
-{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
-{{- end }}
-{{- with .Values.sidecarInjectorWebhook.templates }}
-{{ toYaml . | trim | indent 6 }}
-{{- end }}
-
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml
deleted file mode 100644
index fbffdd65..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml
+++ /dev/null
@@ -1,152 +0,0 @@
-{{- /* Core defines the common configuration used by all webhook segments */}}
-{{/* Copy just what we need to avoid expensive deepCopy */}}
-{{- $whv := dict
- "revision" .Values.revision
- "injectionPath" .Values.istiodRemote.injectionPath
- "injectionURL" .Values.istiodRemote.injectionURL
- "namespace" .Release.Namespace }}
-{{- define "core" }}
-{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
-a unique prefix to each. */}}
-- name: {{.Prefix}}sidecar-injector.istio.io
- clientConfig:
- {{- if .injectionURL }}
- url: "{{ .injectionURL }}"
- {{- else }}
- service:
- name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
- namespace: {{ .namespace }}
- path: "{{ .injectionPath }}"
- port: 443
- {{- end }}
- sideEffects: None
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- failurePolicy: Fail
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
-{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
-{{- if not .Values.global.operatorManageWebhooks }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-{{- if eq .Release.Namespace "istio-system"}}
- name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-{{- else }}
- name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-{{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- app: sidecar-injector
- release: {{ .Release.Name }}
-webhooks:
-{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
-
-{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
-{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- {{- if (eq .Values.revision "") }}
- - "default"
- {{- else }}
- - "{{ .Values.revision }}"
- {{- end }}
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-
-{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: DoesNotExist
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
- - key: istio.io/rev
- operator: In
- values:
- {{- if (eq .Values.revision "") }}
- - "default"
- {{- else }}
- - "{{ .Values.revision }}"
- {{- end }}
-
-
-{{- /* Webhooks for default revision */}}
-{{- if (eq .Values.revision "") }}
-
-{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: In
- values:
- - enabled
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-
-{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: In
- values:
- - "true"
- - key: istio.io/rev
- operator: DoesNotExist
-
-{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
-{{- /* Special case 3: no labels at all */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- - key: "kubernetes.io/metadata.name"
- operator: "NotIn"
- values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
-{{- end }}
-
-{{- end }}
-{{- end }}
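Review bot: The `core` webhook definition removed here sets `failurePolicy: Fail` on pod `CREATE`, so the order of removal matters for any cluster that was installed from this vendored copy. If the istiod service or `injectionURL` behind `clientConfig` goes away while the MutatingWebhookConfiguration object still exists, pod creation is rejected in every namespace the selectors match. Deleting the template from the repository does not delete the object from a cluster. It is worth stating in the commit message where the chart is sourced from now, or that no release was ever rendered from this path.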
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml
deleted file mode 100644
index 793b75e6..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
-rules:
- - apiGroups:
- - "config.istio.io"
- - "security.istio.io"
- - "networking.istio.io"
- - "authentication.istio.io"
- - "rbac.istio.io"
- resources: ["*"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list" ]
- resources: [ "workloadentries" ]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceexports"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceimports"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["replicasets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
-{{- if .Values.global.externalIstiod }}
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "list", "watch", "update"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update"]
-{{- end}}
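Review bot: The core-group rule in this ClusterRole lists `secrets` with `get`, `list`, `watch`, and the next file binds it with a ClusterRoleBinding to `istio-reader-service-account`, which gives that account read access to Secrets in every namespace. Under `global.externalIstiod` it also gains `update` and `patch` on `mutatingwebhookconfigurations`. If anything was installed from this copy, check that the role and binding are either removed from the cluster or still owned by a managed release, so that a grant this broad is not left in place with no chart in the repository describing it.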
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
deleted file mode 100644
index 4f9925c9..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml
deleted file mode 100644
index d9ce18c2..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# This service account aggregates reader permissions for the revisions in a given cluster
-# Should be used for remote secret creation.
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml
deleted file mode 100644
index c3af8c07..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-rules:
-# permissions to verify the webhook is ready and rejecting
-# invalid config. We use --server-dry-run so no config is persisted.
-- apiGroups: ["networking.istio.io"]
- verbs: ["create"]
- resources: ["gateways"]
-
-# For storing CA secret
-- apiGroups: [""]
- resources: ["secrets"]
- # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
- verbs: ["create", "get", "watch", "list", "update", "delete"]
-
-# For status controller, so it can delete the distribution report configmap
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["delete"]
-
-# For gateway deployment controller
-- apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "update", "patch", "create"]
-{{- end }}
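Review bot: The `secrets` rule grants `create`, `get`, `watch`, `list`, `update`, `delete` on all Secrets in `global.istioNamespace`, and the inline `# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config` disappears with the file. If the chart is now consumed from upstream or from another path, move that TODO into an issue against the new source so the narrowing is still tracked.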
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml
deleted file mode 100644
index f65b3b12..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
-subjects:
- - kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml
deleted file mode 100644
index 4f8d20f6..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
----
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml
deleted file mode 100644
index 2bc55e66..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.global.remotePilotAddress }}
-apiVersion: v1
-kind: Service
-metadata:
- {{- if .Values.pilot.enabled }}
- # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
- name: istiod-remote
- {{- else }}
- # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
- name: istiod
- {{- end }}
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 443
- targetPort: 15017
- name: tcp-webhook
- protocol: TCP
- {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
- # if the remotePilotAddress is not an IP addr, we use ExternalName
- type: ExternalName
- externalName: {{ .Values.global.remotePilotAddress }}
- {{- end }}
----
-{{- end }}
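Review bot: The IP test on `remotePilotAddress`, `regexMatch "^([0-9]*\\.){3}[0-9]*$"`, uses `[0-9]*` for each octet, so it accepts strings with empty octets such as `...`, and it has no IPv6 case, so an IPv6 literal falls into the `type: ExternalName` branch and is emitted as `externalName`. That is moot for a pure deletion, but if this template is being relocated rather than dropped, tighten the check in the new location (`[0-9]+` per octet and an explicit IPv6 branch).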
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml
deleted file mode 100644
index 8374fc05..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml
+++ /dev/null
@@ -1,616 +0,0 @@
-{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
-{{ $prom := not (include "prometheus" . | eq "true") }}
-{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }}
-{{ $sdLogs := not (include "sd-logs" . | eq "true") }}
----
-# Note: http stats filter is wasm enabled only in sidecars.
-{{- if and .Values.telemetry.v2.prometheus.enabled $prom }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stats_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {
- "debug": "false",
- "stat_prefix": "istio"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stats_outbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: envoy.wasm.stats
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stats_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {
- "debug": "false",
- "stat_prefix": "istio",
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stats_inbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: envoy.wasm.stats
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stats_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {
- "debug": "false",
- "stat_prefix": "istio",
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stats_outbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: envoy.wasm.stats
- {{- end }}
----
-# Note: tcp stats filter is wasm enabled only in sidecars.
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stats_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {
- "debug": "false",
- "stat_prefix": "istio"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: tcp_stats_inbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: "envoy.wasm.stats"
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stats_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {
- "debug": "false",
- "stat_prefix": "istio"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: tcp_stats_outbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: "envoy.wasm.stats"
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stats_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {
- "debug": "false",
- "stat_prefix": "istio"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: tcp_stats_outbound
- {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
- runtime: envoy.wasm.runtime.v8
- allow_precompiled: true
- code:
- local:
- filename: /etc/istio/extensions/stats-filter.compiled.wasm
- {{- else }}
- runtime: envoy.wasm.runtime.null
- code:
- local:
- inline_string: "envoy.wasm.stats"
- {{- end }}
----
-{{- end }}
-{{/*TODO: this is broken, we do not handle the split quite right! */}}
-{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
-{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
-{{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-sampling-accesslog-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '1\.16.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "istio.stackdriver"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.access_log
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {
- "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
- }
- vm_config:
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: "envoy.wasm.access_log_policy" }
----
-{{- end }}
-{{- end }}
-{{- end }}
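Review bot: All but one of the patches in this file are scoped with `proxyVersion: '^1\.16.*'`, so removing it drops the stats, Stackdriver and access-log EnvoyFilters for proxies at 1.16, and nothing in this hunk replaces them. Confirm that no 1.16 proxies are still served from a release built on this copy. The exception is `stackdriver-sampling-accesslog-filter-1.16`, which uses `proxyVersion: '1\.16.*'` without the leading `^`; if these filters are being moved elsewhere, anchor that pattern like the others.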
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml
deleted file mode 100644
index 990d817c..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml
+++ /dev/null
@@ -1,486 +0,0 @@
-{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
-{{ $prom := not (include "prometheus" . | eq "true") }}
-{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }}
-{{ $sdLogs := not (include "sd-logs" . | eq "true") }}
----
-# Note: http stats filter is wasm enabled only in sidecars.
-{{- if and .Values.telemetry.v2.prometheus.enabled $prom }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
----
-# Note: tcp stats filter is wasm enabled only in sidecars.
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
----
-{{- end }}
-{{/*TODO: this is broken, we do not handle the split quite right! */}}
-{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
-{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
-{{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-sampling-accesslog-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '1\.17.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "istio.stackdriver"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.access_log
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {
- "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
- }
- vm_config:
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: "envoy.wasm.access_log_policy" }
----
-{{- end }}
-{{- end }}
-{{- end }}
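Review bot: in the `stackdriver-sampling-accesslog-filter-1.17` patch near the end of this deleted file, `proxyVersion: '1\.17.*'` lacks the `^` anchor that every other patch in the file uses (`'^1\.17.*'`). If these filters are being re-homed rather than dropped, carry the anchored form over so the `istio.access_log` filter is scoped to the same proxies as the `istio.stackdriver` filter it is inserted before. Since the whole file goes to /dev/null, the commit message should also say what now supplies the 1.17 stats and stackdriver EnvoyFilters, or state that they are intentionally gone.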
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml
deleted file mode 100644
index 736ed586..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml
+++ /dev/null
@@ -1,486 +0,0 @@
-{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
-{{ $prom := not (include "prometheus" . | eq "true") }}
-{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }}
-{{ $sdLogs := not (include "sd-logs" . | eq "true") }}
----
-# Note: http stats filter is wasm enabled only in sidecars.
-{{- if and .Values.telemetry.v2.prometheus.enabled $prom }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {
- "disable_host_header_fallback": true
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
----
-# Note: tcp stats filter is wasm enabled only in sidecars.
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stats
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/stats.PluginConfig
- value:
- {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
- {}
- {{- else }}
- {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
- {{- end }}
----
-{{- end }}
-{{/*TODO: this is broken, we do not handle the split quite right! */}}
-{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
-{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
-{{- end }}
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "disable_host_header_fallback": true,
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: tcp-stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_OUTBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- {{- end }}
- - applyTo: NETWORK_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_inbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_inbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
- - applyTo: NETWORK_FILTER
- match:
- context: GATEWAY
- proxy:
- proxyVersion: '^1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.tcp_proxy"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.stackdriver
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
- value:
- config:
- root_id: stackdriver_outbound
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
- {
- "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
- "metric_expiry_duration": "3600s"
- }
- {{- else }}
- {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
- {{- end }}
- vm_config:
- vm_id: stackdriver_outbound
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: envoy.wasm.null.stackdriver }
----
-{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: stackdriver-sampling-accesslog-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- {{- if .Values.meshConfig.rootNamespace }}
- namespace: {{ .Values.meshConfig.rootNamespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
-spec:
- priority: -1
- configPatches:
- - applyTo: HTTP_FILTER
- match:
- context: SIDECAR_INBOUND
- proxy:
- proxyVersion: '1\.18.*'
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "istio.stackdriver"
- patch:
- operation: INSERT_BEFORE
- value:
- name: istio.access_log
- typed_config:
- "@type": type.googleapis.com/udpa.type.v1.TypedStruct
- type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- value:
- config:
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: |
- {
- "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
- }
- vm_config:
- runtime: envoy.wasm.runtime.null
- code:
- local: { inline_string: "envoy.wasm.access_log_policy" }
----
-{{- end }}
-{{- end }}
-{{- end }}
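Review bot: the stackdriver section of this deleted template is marked `{{/*TODO: this is broken, we do not handle the split quite right! */}}` and renders only when `.Values.telemetry.v2.stackdriver.enabled`, `$sdLogs` and `$sdMetrics` are all true. Before this removal is accepted, confirm that no rendered release depended on that known-broken condition and that any replacement does not copy it. The file otherwise differs from the 1.17 template only in its version strings, including the same unanchored `proxyVersion: '1\.18.*'` on the sampling access-log filter, so the two deletions should be verified together.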
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
deleted file mode 100644
index 96c2e68f..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{- if .Values.global.configCluster }}
-{{- if .Values.global.configValidation }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
- istio: istiod
- istio.io/rev: {{ .Values.revision | default "default" }}
-webhooks:
- # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
- # are rejecting invalid configs on a per-revision basis.
- - name: rev.validation.istio.io
- clientConfig:
- # Should change from base but cannot for API compat
- {{- if .Values.base.validationURL }}
- url: {{ .Values.base.validationURL }}
- {{- else }}
- service:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- {{- if .Values.base.validateGateway }}
- - gateway.networking.k8s.io
- {{- end }}
- apiVersions:
- - "*"
- resources:
- - "*"
- # Fail open until the validation webhook is ready. The webhook controller
- # will update this to `Fail` and patch in the `caBundle` when the webhook
- # endpoint is ready.
- failurePolicy: Ignore
- sideEffects: None
- admissionReviewVersions: ["v1beta1", "v1"]
- objectSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- {{- if (eq .Values.revision "") }}
- - "default"
- {{- else }}
- - "{{ .Values.revision }}"
- {{- end }}
----
-{{- end }}
-{{- end }}
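Review bot: deleting this template removes the `rev.validation.istio.io` webhook, which covers CREATE and UPDATE for `security.istio.io`, `networking.istio.io`, `telemetry.istio.io` and `extensions.istio.io` when `.Values.global.configCluster` and `.Values.global.configValidation` are set. Please state in the commit what validates those resources afterwards. Without an equivalent webhook, malformed security or networking config is admitted unchecked. If a replacement is installed from another chart, check that it does not stay at the fail-open `failurePolicy: Ignore` shown here, which the template's own comment says the webhook controller is expected to change to `Fail` once the endpoint is ready.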
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/values.yaml b/istio-1.18.2/manifests/charts/istiod-remote/values.yaml
deleted file mode 100644
index aba10e2a..00000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/values.yaml
+++ /dev/null
@@ -1,416 +0,0 @@
-#.Values.pilot for discovery and mesh wide config
-
-## Discovery Settings
-pilot:
- autoscaleEnabled: true
- autoscaleMin: 1
- autoscaleMax: 5
- replicaCount: 1
- rollingMaxSurge: 100%
- rollingMaxUnavailable: 25%
- hub: ""
- tag: ""
- variant: ""
- # Can be a full hub/image:tag
- image: pilot
- traceSampling: 1.0
- # Resources for a small pilot install
- resources:
- requests:
- cpu: 500m
- memory: 2048Mi
- # Set to `type: RuntimeDefault` to use the default profile if available.
- seccompProfile: {}
- env: {}
- cpu:
- targetAverageUtilization: 80
- # if protocol sniffing is enabled for outbound
- enableProtocolSniffingForOutbound: true
- # if protocol sniffing is enabled for inbound
- enableProtocolSniffingForInbound: true
- nodeSelector: {}
- podAnnotations: {}
- serviceAnnotations: {}
- # You can use jwksResolverExtraRootCA to provide a root certificate
- # in PEM format. This will then be trusted by pilot when resolving
- # JWKS URIs.
- jwksResolverExtraRootCA: ""
- # This is used to set the source of configuration for
- # the associated address in configSource, if nothing is specified
- # the default MCP is assumed.
- configSource:
- subscribedResources: []
- plugins: []
- # The following is used to limit how long a sidecar can be connected
- # to a pilot. It balances out load across pilot instances at the cost of
- # increasing system churn.
- keepaliveMaxServerConnectionAge: 30m
- # Additional labels to apply to the deployment.
- deploymentLabels: {}
- ## Mesh config settings
-
- # Install the mesh config map, generated from values.yaml.
- # If false, pilot wil use default values (by default) or user-supplied values.
- configMap: false
- # Additional labels to apply on the pod level for monitoring and logging configuration.
- podLabels: {}
-sidecarInjectorWebhook:
- # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
- # always skip the injection on pods that match that label selector, regardless of the global policy.
- # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
- neverInjectSelector: []
- alwaysInjectSelector: []
- # injectedAnnotations are additional annotations that will be added to the pod spec after injection
- # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
- #
- # annotations:
- # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
- # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
- #
- # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
- # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
- # injectedAnnotations:
- # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
- # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
- injectedAnnotations: {}
- # This enables injection of sidecar in all namespaces,
- # with the exception of namespaces with "istio-injection:disabled" annotation
- # Only one environment should have this enabled.
- enableNamespacesByDefault: false
- rewriteAppHTTPProbe: true
- # Templates defines a set of custom injection templates that can be used. For example, defining:
- #
- # templates:
- # hello: |
- # metadata:
- # labels:
- # hello: world
- #
- # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
- # being injected with the hello=world labels.
- # This is intended for advanced configuration only; most users should use the built in template
- templates: {}
- # Default templates specifies a set of default templates that are used in sidecar injection.
- # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
- # To inject other additional templates, define it using the `templates` option, and add it to
- # the default templates list.
- # For example:
- #
- # templates:
- # hello: |
- # metadata:
- # labels:
- # hello: world
- #
- # defaultTemplates: ["sidecar", "hello"]
- defaultTemplates: []
-istiodRemote:
- # Sidecar injector mutating webhook configuration clientConfig.url value.
- # For example: https://$remotePilotAddress:15017/inject
- # The host should not refer to a service running in the cluster; use a service reference by specifying
- # the clientConfig.service field instead.
- injectionURL: ""
- # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
- # Override to pass env variables, for example: /inject/cluster/remote/net/network2
- injectionPath: "/inject"
-telemetry:
- enabled: false
- v2:
- # For Null VM case now.
- # This also enables metadata exchange.
- enabled: true
- metadataExchange:
- # Indicates whether to enable WebAssembly runtime for metadata exchange filter.
- wasmEnabled: false
- # Indicate if prometheus stats filter is enabled or not
- prometheus:
- enabled: true
- # Indicates whether to enable WebAssembly runtime for stats filter.
- wasmEnabled: false
- # overrides stats EnvoyFilter configuration.
- configOverride:
- gateway: {}
- inboundSidecar: {}
- outboundSidecar: {}
- # stackdriver filter settings.
- stackdriver:
- enabled: false
- logging: false
- monitoring: false
- topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
- disableOutbound: false
- # configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
-
- configOverride: {}
- # e.g.
- # disable_server_access_logging: false
- # disable_host_header_fallback: true
- # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
- accessLogPolicy:
- enabled: false
- # To reduce the number of successful logs, default log window duration is
- # set to 12 hours.
- logWindowDuration: "43200s"
-# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
-revision: ""
-# Revision tags are aliases to Istio control plane revisions
-revisionTags: []
-# For Helm compatibility.
-ownerName: ""
-# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
-# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
-meshConfig:
- enablePrometheusMerge: true
-global:
- # Used to locate istiod.
- istioNamespace: istio-system
- # List of cert-signers to allow "approve" action in the istio cluster role
- #
- # certSigners:
- # - clusterissuers.cert-manager.io/istio-ca
- certSigners: []
- # enable pod disruption budget for the control plane, which is used to
- # ensure Istio control plane components are gradually upgraded or recovered.
- defaultPodDisruptionBudget:
- enabled: true
- # The values aren't mutable due to a current PodDisruptionBudget limitation
- # minAvailable: 1
- # A minimal set of requested resources to applied to all deployments so that
- # Horizontal Pod Autoscaler will be able to function (if set).
- # Each component can overwrite these default values by adding its own resources
- # block in the relevant section below and setting the desired resources values.
- defaultResources:
- requests:
- cpu: 10m
- # memory: 128Mi
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # Default hub for Istio images.
- # Releases are published to docker hub under 'istio' project.
- # Dev builds from prow are on gcr.io
- hub: docker.io/istio
- # Default tag for Istio images.
- tag: 1.18.2
- # Variant of the image to use.
- # Currently supported are: [debug, distroless]
- variant: ""
- # Specify image pull policy if default behavior isn't desired.
- # Default behavior: latest images will be Always else IfNotPresent.
- imagePullPolicy: ""
- # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
- # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
- # - private-registry-key
-
- # Enabled by default in master for maximising testing.
- istiod:
- enableAnalysis: false
- # To output all istio components logs in json format by adding --log_as_json argument to each container argument
- logAsJson: false
- # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
- # The control plane has different scopes depending on component, but can configure default log level across all components
- # If empty, default scope and level will be used as configured in code
- logging:
- level: "default:info"
- omitSidecarInjectorConfigMap: true
- # Whether to restrict the applications namespace the controller manages;
- # If not set, controller watches all namespaces
- oneNamespace: false
- # Configure whether Operator manages webhook configurations. The current behavior
- # of Istiod is to manage its own webhook configurations.
- # When this option is set as true, Istio Operator, instead of webhooks, manages the
- # webhook configurations. When this option is set as false, webhooks manage their
- # own webhook configurations.
- operatorManageWebhooks: false
- # Custom DNS config for the pod to resolve names of services in other
- # clusters. Use this to add additional search domains, and other settings.
- # see
- # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
- # This does not apply to gateway pods as they typically need a different
- # set of DNS settings than the normal application pods (e.g., in
- # multicluster scenarios).
- # NOTE: If using templates, follow the pattern in the commented example below.
- #podDNSSearchNamespaces:
- #- global
- #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
-
- # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
- # system-node-critical, it is better to configure this in order to make sure your Istio pods
- # will not be killed because of low priority class.
- # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
- # for more detail.
- priorityClassName: ""
- proxy:
- image: proxyv2
- # This controls the 'policy' in the sidecar injector.
- autoInject: enabled
- # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
- # cluster domain. Default value is "cluster.local".
- clusterDomain: "cluster.local"
- # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
- # not set, then the global "logLevel" will be used.
- componentLogLevel: "misc:error"
- # If set, newly injected sidecars will have core dumps enabled.
- enableCoreDump: false
- # istio ingress capture allowlist
- # examples:
- # Redirect only selected ports: --includeInboundPorts="80,8080"
- excludeInboundPorts: ""
- includeInboundPorts: "*"
- # istio egress capture allowlist
- # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
- # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
- # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
- # be allowed by the sidecar
- includeIPRanges: "*"
- excludeIPRanges: ""
- includeOutboundPorts: ""
- excludeOutboundPorts: ""
- # Log level for proxy, applies to gateways and sidecars.
- # Expected values are: trace|debug|info|warning|error|critical|off
- logLevel: warning
- #If set to true, istio-proxy container will have privileged securityContext
- privileged: false
- # The number of successive failed probes before indicating readiness failure.
- readinessFailureThreshold: 30
- # The initial delay for readiness probes in seconds.
- readinessInitialDelaySeconds: 1
- # The period between readiness probes.
- readinessPeriodSeconds: 2
- # Resources for the sidecar.
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- cpu: 2000m
- memory: 1024Mi
- # Default port for Pilot agent health checks. A value of 0 will disable health checking.
- statusPort: 15020
- # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
- # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
- tracer: "zipkin"
- proxy_init:
- # Base name for the proxy_init container, used to configure iptables.
- image: proxyv2
- # configure remote pilot and istiod service and endpoint
- remotePilotAddress: ""
- ##############################################################################################
- # The following values are found in other charts. To effectively modify these values, make #
- # make sure they are consistent across your Istio helm charts #
- ##############################################################################################
-
- # The customized CA address to retrieve certificates for the pods in the cluster.
- # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
- # If not set explicitly, default to the Istio discovery address.
- caAddress: ""
- # Configure a remote cluster data plane controlled by an external istiod.
- # When set to true, istiod is not deployed locally and only a subset of the other
- # discovery charts are enabled.
- externalIstiod: true
- # Configure a remote cluster as the config cluster for an external istiod.
- configCluster: false
- # Configure the policy for validating JWT.
- # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
- jwtPolicy: "third-party-jwt"
- # Mesh ID means Mesh Identifier. It should be unique within the scope where
- # meshes will interact with each other, but it is not required to be
- # globally/universally unique. For example, if any of the following are true,
- # then two meshes must have different Mesh IDs:
- # - Meshes will have their telemetry aggregated in one place
- # - Meshes will be federated together
- # - Policy will be written referencing one mesh from the other
- #
- # If an administrator expects that any of these conditions may become true in
- # the future, they should ensure their meshes have different Mesh IDs
- # assigned.
- #
- # Within a multicluster mesh, each cluster must be (manually or auto)
- # configured to have the same Mesh ID value. If an existing cluster 'joins' a
- # multicluster mesh, it will need to be migrated to the new mesh ID. Details
- # of migration TBD, and it may be a disruptive operation to change the Mesh
- # ID post-install.
- #
- # If the mesh admin does not specify a value, Istio will use the value of the
- # mesh's Trust Domain. The best practice is to select a proper Trust Domain
- # value.
- meshID: ""
- # Configure the mesh networks to be used by the Split Horizon EDS.
- #
- # The following example defines two networks with different endpoints association methods.
- # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
- # mapped to network1. The gateway for this network example is specified by its public IP
- # address and port.
- # The second network, `network2`, in this example is defined differently with all endpoints
- # retrieved through the specified Multi-Cluster registry being mapped to network2. The
- # gateway is also defined differently with the name of the gateway service on the remote
- # cluster. The public IP for the gateway will be determined from that remote service (only
- # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
- # it still need to be configured manually).
- #
- # meshNetworks:
- # network1:
- # endpoints:
- # - fromCidr: "192.168.0.1/24"
- # gateways:
- # - address: 1.1.1.1
- # port: 80
- # network2:
- # endpoints:
- # - fromRegistry: reg1
- # gateways:
- # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
- # port: 443
- #
- meshNetworks: {}
- # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
- mountMtlsCerts: false
- multiCluster:
- # Set to true to connect two kubernetes clusters via their respective
- # ingressgateway services when pods in each cluster cannot directly
- # talk to one another. All clusters should be using Istio mTLS and must
- # have a shared root CA for this model to work.
- enabled: false
- # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
- # to properly label proxies
- clusterName: ""
- # Network defines the network this cluster belong to. This name
- # corresponds to the networks in the map of mesh networks.
- network: ""
- # Configure the certificate provider for control plane communication.
- # Currently, two providers are supported: "kubernetes" and "istiod".
- # As some platforms may not have kubernetes signing APIs,
- # Istiod is the default
- pilotCertProvider: istiod
- sds:
- # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
- # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
- # JWT is intended for the CA.
- token:
- aud: istio-ca
- sts:
- # The service port used by Security Token Service (STS) server to handle token exchange requests.
- # Setting this port to a non-zero value enables STS server.
- servicePort: 0
- # The name of the CA for workload certificates.
- # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
- # will be used as the certificates for workloads.
- # The default value is "" and when caName="", the CA will be configured by other
- # mechanisms (e.g., environmental variable CA_PROVIDER).
- caName: ""
- # whether to use autoscaling/v2 template for HPA settings
- # for internal usage only, not to be configured by users.
- autoscalingv2API: true
-base:
- # For istioctl usage to disable istio config crds in base
- enableIstioConfigCRDs: true
- # If enabled, gateway-api types will be validated using the standard upstream validation logic.
- # This is an alternative to deploying the standalone validation server the project provides.
- # This is disabled by default, as the cluster may already have a validation server; while technically
- # it works to have multiple redundant validations, this adds complexity and operational risks.
- # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers.
- validateGateway: false
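Review bot: missing documentation for this removal. The deleted values carry the settings a remote-cluster install depends on (`externalIstiod: true`, `jwtPolicy: "third-party-jwt"`, `sds.token.aud: istio-ca`) together with the image pin `tag: 1.18.2`, and the visible patch does not say what supplies them once the file is gone. Please state in the commit message whether the chart is now fetched from upstream, and at which version, so the effective values can be compared against these.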
diff --git a/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml b/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml
deleted file mode 100644
index 1396a7b1..00000000
--- a/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-name: ztunnel
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-description: Helm chart for istio ztunnel components
-keywords:
- - istio-ztunnel
- - istio
-sources:
- - https://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/ztunnel/README.md b/istio-1.18.2/manifests/charts/ztunnel/README.md
deleted file mode 100644
index f8887a12..00000000
--- a/istio-1.18.2/manifests/charts/ztunnel/README.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# Istio Ztunnel Helm Chart
-
-This chart installs an Istio ztunnel.
-
-## Setup Repo Info
-
-```console
-helm repo add istio https://istio-release.storage.googleapis.com/charts
-helm repo update
-```
-
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
-
-## Installing the Chart
-
-To install the chart:
-
-```console
-helm install ztunnel istio/ztunnel
-```
-
-## Uninstalling the Chart
-
-To uninstall/delete the chart:
-
-```console
-helm delete ztunnel
-```
-
-## Configuration
-
-To view support configuration options and documentation, run:
-
-```console
-helm show values istio/ztunnel
-```
diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt b/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt
deleted file mode 100644
index 93297520..00000000
--- a/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-ztunnel successfully installed!
-
-To learn more about the release, try:
- $ helm status {{ .Release.Name }}
- $ helm get all {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml b/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml
deleted file mode 100644
index d86deb00..00000000
--- a/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml
+++ /dev/null
@@ -1,121 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: ztunnel
- namespace: {{ .Release.Namespace }}
- labels:
- {{- .Values.labels | toYaml | nindent 4}}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
-spec:
- updateStrategy:
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- selector:
- matchLabels:
- app: ztunnel
- template:
- metadata:
- labels:
- sidecar.istio.io/inject: "false"
- app: ztunnel
-{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
- annotations:
- cni.projectcalico.org/allowedSourcePrefixes: "[\"0.0.0.0/0\"]"
- ambient.istio.io/redirection: disabled
- sidecar.istio.io/inject: "false"
-{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
- spec:
- serviceAccountName: ztunnel
- tolerations:
- - effect: NoSchedule
- operator: Exists
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoExecute
- operator: Exists
- containers:
- - name: istio-proxy
-{{- if contains "/" .Values.image }}
- image: "{{ .Values.image }}"
-{{- else }}
- image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
-{{- end }}
- resources:
-{{- if .Values.resources }}
-{{ toYaml .Values.resources | trim | indent 10 }}
-{{- end }}
-{{- with .Values.imagePullPolicy }}
- imagePullPolicy: {{ . }}
-{{- end }}
- securityContext:
- allowPrivilegeEscalation: false
- privileged: false
- capabilities:
- drop:
- - ALL
- add:
- - NET_ADMIN
- readOnlyRootFilesystem: true
- runAsGroup: 1337
- runAsNonRoot: false
- runAsUser: 0
- readinessProbe:
- httpGet:
- port: 15021
- path: /healthz/ready
- args:
- - proxy
- - ztunnel
- env:
- - name: CLUSTER_ID
- value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
- {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
- - name: {{ $key }}
- value: "{{ $value }}"
- {{- end }}
- {{- end }}
- {{- with .Values.env }}
- {{- range $key, $val := . }}
- - name: {{ $key }}
- value: "{{ $val }}"
- {{- end }}
- {{- end }}
- volumeMounts:
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- volumes:
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- path: istio-token
- expirationSeconds: 43200
- audience: istio-ca
- - name: istiod-ca-cert
- configMap:
- name: istio-ca-root-cert
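Review bot: the `securityContext` block in this deleted DaemonSet is the only place the patch shows ztunnel's privilege boundary, and it should be checked against whatever manifest replaces it. The container runs with `runAsUser: 0` and `runAsNonRoot: false`, offset by `capabilities.drop: ALL` plus `add: NET_ADMIN`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`. The pod also tolerates every `NoSchedule` and `NoExecute` taint, and its projected token is scoped with `audience: istio-ca` and `expirationSeconds: 43200`. If ztunnel is still deployed after this change, link the replacement source in the PR so the same constraints can be verified there.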
diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml b/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml
deleted file mode 100644
index 5a569b64..00000000
--- a/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
- {{- with .Values.imagePullSecrets }}
-imagePullSecrets:
- {{- range . }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: ztunnel
- namespace: {{ .Release.Namespace }}
- labels:
- {{- .Values.labels | toYaml | nindent 4}}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
----
diff --git a/istio-1.18.2/manifests/charts/ztunnel/values.yaml b/istio-1.18.2/manifests/charts/ztunnel/values.yaml
deleted file mode 100644
index 67967d01..00000000
--- a/istio-1.18.2/manifests/charts/ztunnel/values.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-# Hub to pull from. Image will be `Hub/Image:Tag-Variant`
-hub: docker.io/istio
-# Tag to pull from. Image will be `Hub/Image:Tag-Variant`
-tag: 1.18.2
-# Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
-variant: ""
-
-# Image name to pull from. Image will be `Hub/Image:Tag-Variant`
-# If Image contains a "/", it will replace the entire `image` in the pod.
-image: ztunnel
-
-# Labels to apply to all top level resources
-labels: {}
-# Annotations to apply to all top level resources
-annotations: {}
-
-# Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
-podAnnotations:
- prometheus.io/port: "15020"
- prometheus.io/scrape: "true"
-
-# Additional labels to apply on the pod level
-podLabels: {}
-
-# Pod resource configuration
-resources:
- requests:
- cpu: 500m
- memory: 2048Mi
-
-# List of secret names to add to the service account as image pull secrets
-imagePullSecrets: []
-
-# A `key: value` mapping of environment variables to add to the pod
-env: {}
-
-# Override for the pod imagePullPolicy
-imagePullPolicy: ""
-
-# Settings for multicluster
-multiCluster:
- # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
- # with Istiod configuration.
- clusterName: ""
-
-# meshConfig defines runtime configuration of components.
-# For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
-# components.
-# TODO: https://github.com/istio/istio/issues/43248
-meshConfig:
- defaultConfig:
- proxyMetadata: {}
-
-# Ambient redirection mode: "iptables" or "ebpf"
-redirectMode: "iptables"
diff --git a/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml b/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml
deleted file mode 100644
index 48303976..00000000
--- a/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
- name: example-istiocontrolplane
-spec:
- profile: demo
-...
diff --git a/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml b/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml
deleted file mode 100644
index c37e85b0..00000000
--- a/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- profile: empty
- components:
- ingressGateways:
- - enabled: true
- namespace: my-namespace
diff --git a/istio-1.18.2/manifests/profiles/ambient.yaml b/istio-1.18.2/manifests/profiles/ambient.yaml
deleted file mode 100644
index 9900f375..00000000
--- a/istio-1.18.2/manifests/profiles/ambient.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- # You may override parts of meshconfig by uncommenting the following lines.
- meshConfig:
- defaultConfig:
- proxyMetadata:
- ISTIO_META_ENABLE_HBONE: "true"
- # Telemetry API is used with ambient instead of EnvoyFilters
- defaultProviders:
- metrics:
- - prometheus
- extensionProviders:
- - name: prometheus
- prometheus: {}
-
- components:
- cni:
- enabled: true
- ztunnel:
- enabled: true
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
-
- values:
- pilot:
- env:
- # Setup more secure default that is off in 'default' only for backwards compatibility
- VERIFY_CERTIFICATE_AT_CLIENT: "true"
- ENABLE_AUTO_SNI: "true"
-
- PILOT_ENABLE_HBONE: "true"
- CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
- PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
- cni:
- logLevel: info
- privileged: true
- ambient:
- enabled: true
-
- # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
- excludeNamespaces:
- - kube-system
-
- # TODO: https://github.com/istio/istio/issues/43243
- # variant: distroless
- telemetry:
- # Telemetry handled with Telemetry API only
- enabled: false
- v2:
- enabled: false
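Review bot: the `values.pilot.env` block in this profile sets `VERIFY_CERTIFICATE_AT_CLIENT: "true"` and `ENABLE_AUTO_SNI: "true"`, which its own comment describes as a more secure default that is off in 'default', and sets `CA_TRUSTED_NODE_ACCOUNTS` to the two ztunnel service accounts. Deleting the profile drops those overrides with it, so if any environment installs with the ambient profile, carry them into the replacement configuration or document that ambient mode is no longer supported from this repository. The same goes for `cni.privileged: true`, which should be a deliberate choice wherever it is re-declared.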
diff --git a/istio-1.18.2/manifests/profiles/default.yaml b/istio-1.18.2/manifests/profiles/default.yaml
deleted file mode 100644
index 6e443923..00000000
--- a/istio-1.18.2/manifests/profiles/default.yaml
+++ /dev/null
@@ -1,177 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
-spec:
- hub: docker.io/istio
- tag: 1.18.2
-
- # You may override parts of meshconfig by uncommenting the following lines.
- meshConfig:
- defaultConfig:
- proxyMetadata: {}
- enablePrometheusMerge: true
- # Opt-out of global http2 upgrades.
- # Destination rule is used to opt-in.
- # h2_upgrade_policy: DO_NOT_UPGRADE
-
- # Traffic management feature
- components:
- base:
- enabled: true
- pilot:
- enabled: true
-
- # Istio Gateway feature
- ingressGateways:
- - name: istio-ingressgateway
- enabled: true
- egressGateways:
- - name: istio-egressgateway
- enabled: false
-
- # Istio CNI feature
- cni:
- enabled: false
-
- # Remote and config cluster configuration for an external istiod
- istiodRemote:
- enabled: false
-
- # Global values passed through to helm global.yaml.
- # Please keep this in sync with manifests/charts/global.yaml
- values:
- defaultRevision: ""
- global:
- istioNamespace: istio-system
- istiod:
- enableAnalysis: false
- logging:
- level: "default:info"
- logAsJson: false
- pilotCertProvider: istiod
- jwtPolicy: third-party-jwt
- proxy:
- image: proxyv2
- clusterDomain: "cluster.local"
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- cpu: 2000m
- memory: 1024Mi
- logLevel: warning
- componentLogLevel: "misc:error"
- privileged: false
- enableCoreDump: false
- statusPort: 15020
- readinessInitialDelaySeconds: 1
- readinessPeriodSeconds: 2
- readinessFailureThreshold: 30
- includeIPRanges: "*"
- excludeIPRanges: ""
- excludeOutboundPorts: ""
- excludeInboundPorts: ""
- autoInject: enabled
- tracer: "zipkin"
- proxy_init:
- image: proxyv2
- # Specify image pull policy if default behavior isn't desired.
- # Default behavior: latest images will be Always else IfNotPresent.
- imagePullPolicy: ""
- operatorManageWebhooks: false
- tracer:
- lightstep: {}
- zipkin: {}
- datadog: {}
- stackdriver: {}
- imagePullSecrets: []
- oneNamespace: false
- defaultNodeSelector: {}
- configValidation: true
- multiCluster:
- enabled: false
- clusterName: ""
- omitSidecarInjectorConfigMap: false
- network: ""
- defaultResources:
- requests:
- cpu: 10m
- defaultPodDisruptionBudget:
- enabled: true
- priorityClassName: ""
- useMCP: false
- sds:
- token:
- aud: istio-ca
- sts:
- servicePort: 0
- meshNetworks: {}
- mountMtlsCerts: false
- base:
- enableCRDTemplates: false
- validationURL: ""
- pilot:
- autoscaleEnabled: true
- autoscaleMin: 1
- autoscaleMax: 5
- replicaCount: 1
- image: pilot
- traceSampling: 1.0
- env: {}
- cpu:
- targetAverageUtilization: 80
- nodeSelector: {}
- keepaliveMaxServerConnectionAge: 30m
- enableProtocolSniffingForOutbound: true
- enableProtocolSniffingForInbound: true
- deploymentLabels:
- podLabels: {}
- configMap: true
-
- telemetry:
- enabled: true
- v2:
- enabled: true
- metadataExchange:
- wasmEnabled: false
- prometheus:
- wasmEnabled: false
- enabled: true
- stackdriver:
- enabled: false
- logging: false
- monitoring: false
- topology: false
- configOverride: {}
-
- istiodRemote:
- injectionURL: ""
-
- gateways:
- istio-egressgateway:
- env: {}
- autoscaleEnabled: true
- type: ClusterIP
- name: istio-egressgateway
- secretVolumes:
- - name: egressgateway-certs
- secretName: istio-egressgateway-certs
- mountPath: /etc/istio/egressgateway-certs
- - name: egressgateway-ca-certs
- secretName: istio-egressgateway-ca-certs
- mountPath: /etc/istio/egressgateway-ca-certs
-
- istio-ingressgateway:
- autoscaleEnabled: true
- type: LoadBalancer
- name: istio-ingressgateway
- env: {}
- secretVolumes:
- - name: ingressgateway-certs
- secretName: istio-ingressgateway-certs
- mountPath: /etc/istio/ingressgateway-certs
- - name: ingressgateway-ca-certs
- secretName: istio-ingressgateway-ca-certs
- mountPath: /etc/istio/ingressgateway-ca-certs
diff --git a/istio-1.18.2/manifests/profiles/demo.yaml b/istio-1.18.2/manifests/profiles/demo.yaml
deleted file mode 100644
index 42661553..00000000
--- a/istio-1.18.2/manifests/profiles/demo.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- meshConfig:
- accessLogFile: /dev/stdout
- extensionProviders:
- - name: otel
- envoyOtelAls:
- service: opentelemetry-collector.istio-system.svc.cluster.local
- port: 4317
- - name: skywalking
- skywalking:
- service: tracing.istio-system.svc.cluster.local
- port: 11800
- - name: otel-tracing
- opentelemetry:
- port: 4317
- service: opentelemetry-collector.otel-collector.svc.cluster.local
- components:
- egressGateways:
- - name: istio-egressgateway
- enabled: true
- k8s:
- resources:
- requests:
- cpu: 10m
- memory: 40Mi
-
- ingressGateways:
- - name: istio-ingressgateway
- enabled: true
- k8s:
- resources:
- requests:
- cpu: 10m
- memory: 40Mi
- service:
- ports:
- ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
- # Note that AWS ELB will by default perform health checks on the first port
- # on this list. Setting this to the health check port will ensure that health
- # checks always work. https://github.com/istio/istio/issues/12503
- - port: 15021
- targetPort: 15021
- name: status-port
- - port: 80
- targetPort: 8080
- name: http2
- - port: 443
- targetPort: 8443
- name: https
- - port: 31400
- targetPort: 31400
- name: tcp
- # This is the port where sni routing happens
- - port: 15443
- targetPort: 15443
- name: tls
-
- pilot:
- k8s:
- env:
- - name: PILOT_TRACE_SAMPLING
- value: "100"
- resources:
- requests:
- cpu: 10m
- memory: 100Mi
-
- values:
- global:
- proxy:
- resources:
- requests:
- cpu: 10m
- memory: 40Mi
-
- pilot:
- autoscaleEnabled: false
-
- gateways:
- istio-egressgateway:
- autoscaleEnabled: false
- istio-ingressgateway:
- autoscaleEnabled: false
diff --git a/istio-1.18.2/manifests/profiles/empty.yaml b/istio-1.18.2/manifests/profiles/empty.yaml
deleted file mode 100644
index 07de5b1e..00000000
--- a/istio-1.18.2/manifests/profiles/empty.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# The empty profile has everything disabled
-# This is useful as a base for custom user configuration
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- base:
- enabled: false
- pilot:
- enabled: false
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
diff --git a/istio-1.18.2/manifests/profiles/external.yaml b/istio-1.18.2/manifests/profiles/external.yaml
deleted file mode 100644
index 6a1c65fb..00000000
--- a/istio-1.18.2/manifests/profiles/external.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Deprecated. Use the "remote" profile instead.
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- base:
- enabled: false
- pilot:
- enabled: false
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
- istiodRemote:
- enabled: true
- values:
- global:
- externalIstiod: true
- omitSidecarInjectorConfigMap: true
- configCluster: false
- pilot:
- configMap: false
- telemetry:
- enabled: false
diff --git a/istio-1.18.2/manifests/profiles/minimal.yaml b/istio-1.18.2/manifests/profiles/minimal.yaml
deleted file mode 100644
index 075881ee..00000000
--- a/istio-1.18.2/manifests/profiles/minimal.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# The minimal profile will install just the core control plane
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
diff --git a/istio-1.18.2/manifests/profiles/openshift.yaml b/istio-1.18.2/manifests/profiles/openshift.yaml
deleted file mode 100644
index e483e346..00000000
--- a/istio-1.18.2/manifests/profiles/openshift.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- cni:
- enabled: true
- namespace: kube-system
- values:
- cni:
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- excludeNamespaces:
- - istio-system
- - kube-system
- logLevel: info
- privileged: true
- sidecarInjectorWebhook:
- injectedAnnotations:
- k8s.v1.cni.cncf.io/networks: istio-cni
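Review bot: Removing this profile from the tree does not change a cluster that was already installed from it, and the `values.cni` block here is a privileged one: `privileged: true`, with the CNI component placed in `kube-system`. The PR description should say whether any environment was installed with this profile. If one was, track the uninstall or replacement of the CNI component separately so it is not left running without a manifest in the repo.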
diff --git a/istio-1.18.2/manifests/profiles/preview.yaml b/istio-1.18.2/manifests/profiles/preview.yaml
deleted file mode 100644
index e0d9b636..00000000
--- a/istio-1.18.2/manifests/profiles/preview.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# The preview profile contains features that are experimental.
-# This is intended to explore new features coming to Istio.
-# Stability, security, and performance are not guaranteed - use at your own risk.
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- meshConfig:
- defaultConfig:
- proxyMetadata:
- # Enable Istio agent to handle DNS requests for known hosts
- # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
- ISTIO_META_DNS_CAPTURE: "true"
- # Enable dynamic bootstrap generation.
- BOOTSTRAP_XDS_AGENT: "true"
- values:
- telemetry:
- v2:
- metadataExchange:
- wasmEnabled: true
- prometheus:
- wasmEnabled: true
diff --git a/istio-1.18.2/manifests/profiles/remote.yaml b/istio-1.18.2/manifests/profiles/remote.yaml
deleted file mode 100644
index 28d024c2..00000000
--- a/istio-1.18.2/manifests/profiles/remote.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
-# Only the injector mutating webhook configuration is installed.
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- base:
- enabled: false
- pilot:
- enabled: false
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
- istiodRemote:
- enabled: true
- values:
- global:
- externalIstiod: true
- omitSidecarInjectorConfigMap: true
- configCluster: false
- pilot:
- configMap: false
- telemetry:
- enabled: false
diff --git a/istio-1.18.2/samples/README.md b/istio-1.18.2/samples/README.md
deleted file mode 100644
index a1a140f8..00000000
--- a/istio-1.18.2/samples/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Istio Samples
-
-This directory contains sample applications highlighting various Istio features.
diff --git a/istio-1.18.2/samples/addons/README.md b/istio-1.18.2/samples/addons/README.md
deleted file mode 100644
index 71da0a3c..00000000
--- a/istio-1.18.2/samples/addons/README.md
+++ /dev/null
@@ -1,102 +0,0 @@
-# Telemetry Addons
-
-This directory contains sample deployments of various addons that integrate with Istio. While these applications
-are not a part of Istio, they are essential to making the most of Istio's observability features.
-
-The deployments here are meant to quickly get up and running, and are optimized for this case. As a result,
-they may not be suitable for production. See below for more info on integrating a production grade version of each
-addon.
-
-## Getting started
-
-To quickly deploy all addons:
-
-```shell script
-kubectl apply -f samples/addons
-```
-
-Alternatively, you can deploy individual addons:
-
-```shell script
-kubectl apply -f samples/addons/prometheus.yaml
-```
-
-## Addons
-
-### Prometheus
-
-[Prometheus](https://prometheus.io/) is an open source monitoring system and time series database.
-You can use Prometheus with Istio to record metrics that track the health of Istio and of applications within the service mesh.
-You can visualize metrics using tools like [Grafana](#grafana) and [Kiali](#kiali).
-
-For more information about integrating with Prometheus, please see the [Prometheus integration page](https://istio.io/docs/ops/integrations/prometheus/).
-
-### Grafana
-
-[Grafana](http://grafana.com/) is an open source monitoring solution that can be used to configure dashboards for Istio.
-You can use Grafana to monitor the health of Istio and of applications within the service mesh.
-
-This sample provides the following dashboards:
-
-* [Mesh Dashboard](https://grafana.com/grafana/dashboards/7639) provides an overview of all services in the mesh.
-* [Service Dashboard](https://grafana.com/grafana/dashboards/7636) provides a detailed breakdown of metrics for a service.
-* [Workload Dashboard](https://grafana.com/grafana/dashboards/7630) provides a detailed breakdown of metrics for a workload.
-* [Performance Dashboard](https://grafana.com/grafana/dashboards/11829) monitors the resource usage of the mesh.
-* [Control Plane Dashboard](https://grafana.com/grafana/dashboards/7645) monitors the health and performance of the control plane.
-* [WASM Extension Dashboard](https://grafana.com/grafana/dashboards/13277) provides an overview of mesh wide WebAssembly extension runtime and loading state.
-
-For more information about integrating with Grafana, please see the [Grafana integration page](https://istio.io/docs/ops/integrations/grafana/).
-
-### Kiali
-
-[Kiali](https://kiali.io/) is an observability console for Istio with service mesh configuration capabilities.
-It helps you to understand the structure of your service mesh by inferring the topology, and also provides the health of your mesh.
-Kiali provides detailed metrics, and a basic [Grafana](#grafana) integration is available for advanced queries.
-Distributed tracing is provided by integrating [Jaeger](#jaeger).
-
-For more information about using Kiali, see the [Visualizing Your Mesh](https://istio.io/docs/tasks/observability/kiali/) task.
-
-### Jaeger
-
-[Jaeger](https://www.jaegertracing.io/) is an open source end to end distributed tracing system, allowing users to monitor and troubleshoot transactions in complex distributed systems.
-
-Jaeger helps in a variety of tasks including:
-
-* Distributed context propagation
-* Distributed transaction monitoring
-* Root cause analysis
-* Service dependency analysis
-* Performance / latency optimization
-
-For more information about integrating with Jaeger, please see the [Jaeger integration page](https://istio.io/docs/tasks/observability/distributed-tracing/jaeger/).
-
-### Zipkin
-
-[Zipkin](https://zipkin.io/) is a distributed tracing system. It helps gather timing data needed to troubleshoot latency problems in service architectures. Features include both the collection and lookup of this data.
-
-Zipkin is an alternative to Jaeger and is not deployed by default. To replace Jaeger with Zipkin, run `kubectl apply -f samples/addons/extras/zipkin.yaml`.
-You may also want to remove the Jaeger deployment, which will not be used, with `kubectl delete deployment jaeger`, or avoid installing it
-to begin with by following the selective install steps in [Getting Started](#getting-started).
-
-For more information about integrating with Zipkin, please see the [Zipkin integration page](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/).
-
-### Prometheus Operator
-
-The [Prometheus Operator](https://github.com/coreos/prometheus-operator) manages and operators a Prometheus instance.
-
-As an alternative to the standard Prometheus deployment, we provide a `ServiceMonitor` to monitor the Istio control plane and `PodMonitor`
-Envoy proxies. To use these, make sure you have the Prometheus operator deployed, then run `kubectl apply -f samples/addons/extras/prometheus-operator.yaml`.
-
-> **Note**
->
-> The example `PodMonitor` requires [metrics merging](https://istio.io/latest/docs/ops/integrations/prometheus/#option-1-metrics-merging) to be enabled. This is enabled by default.
->
-> **Note**
->
-> The configurations here are only for Istio deployments, and do not scrape metrics from the Kubernetes components.
-> See the [Cluster Monitoring](https://coreos.com/operators/prometheus/docs/latest/user-guides/cluster-monitoring.html) documentation for configuring this.
->
-> **Warning**
->
-> When the example `PodMonitor` is used with OpenShift Monitoring, it must be created in all namespaces where istio-proxies exist.
-> This is because `namespaceSelector` is ignored for tenancy isolation.
diff --git a/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml b/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml
deleted file mode 100644
index 73a926ef..00000000
--- a/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
- name: envoy-stats-monitor
- namespace: istio-system
- labels:
- monitoring: istio-proxies
- release: istio
-spec:
- selector:
- matchExpressions:
- - {key: istio-prometheus-ignore, operator: DoesNotExist}
- namespaceSelector:
- any: true
- jobLabel: envoy-stats
- podMetricsEndpoints:
- - path: /stats/prometheus
- interval: 15s
- relabelings:
- - action: keep
- sourceLabels: [__meta_kubernetes_pod_container_name]
- regex: "istio-proxy"
- - action: keep
- sourceLabels: [__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape]
- - action: replace
- regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
- replacement: '[$2]:$1'
- sourceLabels:
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- - __meta_kubernetes_pod_ip
- targetLabel: __address__
- - action: replace
- regex: (\d+);((([0-9]+?)(\.|$)){4})
- replacement: $2:$1
- sourceLabels:
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- - __meta_kubernetes_pod_ip
- targetLabel: __address__
- - action: labeldrop
- regex: "__meta_kubernetes_pod_label_(.+)"
- - sourceLabels: [__meta_kubernetes_namespace]
- action: replace
- targetLabel: namespace
- - sourceLabels: [__meta_kubernetes_pod_name]
- action: replace
- targetLabel: pod_name
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: istio-component-monitor
- namespace: istio-system
- labels:
- monitoring: istio-components
- release: istio
-spec:
- jobLabel: istio
- targetLabels: [app]
- selector:
- matchExpressions:
- - {key: istio, operator: In, values: [pilot]}
- namespaceSelector:
- any: true
- endpoints:
- - port: http-monitoring
- interval: 15s
diff --git a/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml b/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml
deleted file mode 100644
index cf4039d8..00000000
--- a/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml
+++ /dev/null
@@ -1,530 +0,0 @@
----
-# Source: prometheus/templates/server/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
- namespace: istio-system
- annotations:
- {}
----
-# Source: prometheus/templates/server/cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
- namespace: istio-system
-data:
- alerting_rules.yml: |
- {}
- alerts: |
- {}
- prometheus.yml: |
- global:
- evaluation_interval: 1m
- scrape_interval: 15s
- scrape_timeout: 10s
- rule_files:
- - /etc/config/recording_rules.yml
- - /etc/config/alerting_rules.yml
- - /etc/config/rules
- - /etc/config/alerts
- scrape_configs:
- - job_name: prometheus
- static_configs:
- - targets:
- - localhost:9090
- - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- job_name: kubernetes-apiservers
- kubernetes_sd_configs:
- - role: endpoints
- relabel_configs:
- - action: keep
- regex: default;kubernetes;https
- source_labels:
- - __meta_kubernetes_namespace
- - __meta_kubernetes_service_name
- - __meta_kubernetes_endpoint_port_name
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- insecure_skip_verify: true
- - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- job_name: kubernetes-nodes
- kubernetes_sd_configs:
- - role: node
- relabel_configs:
- - action: labelmap
- regex: __meta_kubernetes_node_label_(.+)
- - replacement: kubernetes.default.svc:443
- target_label: __address__
- - regex: (.+)
- replacement: /api/v1/nodes/$1/proxy/metrics
- source_labels:
- - __meta_kubernetes_node_name
- target_label: __metrics_path__
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- insecure_skip_verify: true
- - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- job_name: kubernetes-nodes-cadvisor
- kubernetes_sd_configs:
- - role: node
- relabel_configs:
- - action: labelmap
- regex: __meta_kubernetes_node_label_(.+)
- - replacement: kubernetes.default.svc:443
- target_label: __address__
- - regex: (.+)
- replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
- source_labels:
- - __meta_kubernetes_node_name
- target_label: __metrics_path__
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- insecure_skip_verify: true
- - job_name: kubernetes-service-endpoints
- kubernetes_sd_configs:
- - role: endpoints
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scrape
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: ([^:]+)(?::\d+)?;(\d+)
- replacement: $1:$2
- source_labels:
- - __address__
- - __meta_kubernetes_service_annotation_prometheus_io_port
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_service_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: kubernetes_namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_service_name
- target_label: kubernetes_name
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_node_name
- target_label: kubernetes_node
- - job_name: kubernetes-service-endpoints-slow
- kubernetes_sd_configs:
- - role: endpoints
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: ([^:]+)(?::\d+)?;(\d+)
- replacement: $1:$2
- source_labels:
- - __address__
- - __meta_kubernetes_service_annotation_prometheus_io_port
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_service_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: kubernetes_namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_service_name
- target_label: kubernetes_name
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_node_name
- target_label: kubernetes_node
- scrape_interval: 5m
- scrape_timeout: 30s
- - honor_labels: true
- job_name: prometheus-pushgateway
- kubernetes_sd_configs:
- - role: service
- relabel_configs:
- - action: keep
- regex: pushgateway
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_probe
- - job_name: kubernetes-services
- kubernetes_sd_configs:
- - role: service
- metrics_path: /probe
- params:
- module:
- - http_2xx
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_probe
- - source_labels:
- - __address__
- target_label: __param_target
- - replacement: blackbox
- target_label: __address__
- - source_labels:
- - __param_target
- target_label: instance
- - action: labelmap
- regex: __meta_kubernetes_service_label_(.+)
- - source_labels:
- - __meta_kubernetes_namespace
- target_label: kubernetes_namespace
- - source_labels:
- - __meta_kubernetes_service_name
- target_label: kubernetes_name
- - job_name: kubernetes-pods
- kubernetes_sd_configs:
- - role: pod
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scrape
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: ([^:]+)(?::\d+)?;(\d+)
- replacement: $1:$2
- source_labels:
- - __address__
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_pod_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: kubernetes_namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_name
- target_label: kubernetes_pod_name
- - action: drop
- regex: Pending|Succeeded|Failed
- source_labels:
- - __meta_kubernetes_pod_phase
- - job_name: kubernetes-pods-slow
- kubernetes_sd_configs:
- - role: pod
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: ([^:]+)(?::\d+)?;(\d+)
- replacement: $1:$2
- source_labels:
- - __address__
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_pod_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: kubernetes_namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_name
- target_label: kubernetes_pod_name
- - action: drop
- regex: Pending|Succeeded|Failed
- source_labels:
- - __meta_kubernetes_pod_phase
- scrape_interval: 5m
- scrape_timeout: 30s
- - job_name: kubernetes-file-sd-endpoints
- kubernetes_sd_configs:
- - role: endpoints
- file_sd_configs:
- - files:
- - /etc/file_sd/*.json
- relabel_configs:
- - action: keep
- regex: (.+)
- source_labels:
- - __meta_filepath
- - replacement: /stats/prometheus
- target_label: __metrics_path__
-
- recording_rules.yml: |
- {}
- rules: |
- {}
----
-# Source: prometheus/templates/server/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
-rules:
- - apiGroups:
- - ""
- resources:
- - nodes
- - nodes/proxy
- - nodes/metrics
- - services
- - endpoints
- - pods
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses/status
- - ingresses
- verbs:
- - get
- - list
- - watch
- - nonResourceURLs:
- - "/metrics"
- verbs:
- - get
- - apiGroups:
- - "networking.istio.io"
- verbs:
- - get
- - watch
- - list
- resources:
- - workloadentries
- - apiGroups:
- - ""
- verbs:
- - get
- - watch
- - list
- - create
- - update
- - patch
- - delete
- resources:
- - configmaps
----
-# Source: prometheus/templates/server/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
-subjects:
- - kind: ServiceAccount
- name: prometheus
- namespace: istio-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: prometheus
----
-# Source: prometheus/templates/server/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
- namespace: istio-system
-spec:
- ports:
- - name: http
- port: 9090
- protocol: TCP
- targetPort: 9090
- selector:
- component: "server"
- app: prometheus
- release: prometheus
- sessionAffinity: None
- type: "ClusterIP"
----
-# Source: prometheus/templates/server/deploy.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
- namespace: istio-system
-spec:
- selector:
- matchLabels:
- component: "server"
- app: prometheus
- release: prometheus
- replicas: 1
- template:
- metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- sidecar.istio.io/inject: "false"
- spec:
- serviceAccountName: prometheus
- containers:
- - name: prometheus-server-configmap-reload
- image: "jimmidyson/configmap-reload:v0.5.0"
- imagePullPolicy: "IfNotPresent"
- args:
- - --volume-dir=/etc/config
- - --webhook-url=http://127.0.0.1:9090/-/reload
- resources:
- {}
- volumeMounts:
- - name: config-volume
- mountPath: /etc/config
- readOnly: true
- - name: file-sd-volume
- mountPath: /etc/file_sd
- readOnly: true
-
- - name: prometheus-server
- image: "prom/prometheus:v2.24.0"
- imagePullPolicy: "IfNotPresent"
- args:
- - --storage.tsdb.retention.time=15d
- - --config.file=/etc/config/prometheus.yml
- - --storage.tsdb.path=/data
- - --web.console.libraries=/etc/prometheus/console_libraries
- - --web.console.templates=/etc/prometheus/consoles
- - --web.enable-lifecycle
- ports:
- - containerPort: 9090
- readinessProbe:
- httpGet:
- path: /-/ready
- port: 9090
- initialDelaySeconds: 0
- periodSeconds: 5
- timeoutSeconds: 4
- failureThreshold: 3
- successThreshold: 1
- livenessProbe:
- httpGet:
- path: /-/healthy
- port: 9090
- initialDelaySeconds: 30
- periodSeconds: 15
- timeoutSeconds: 10
- failureThreshold: 3
- successThreshold: 1
- resources:
- {}
- volumeMounts:
- - name: config-volume
- mountPath: /etc/config
- - name: storage-volume
- mountPath: /data
- subPath: ""
- - name: file-sd-volume
- mountPath: /etc/file_sd
- - name: vm-discovery
- image: "istioecosystem/vm-discovery:latest"
- imagePullPolicy: "IfNotPresent"
- hostNetwork: false
- dnsPolicy: ClusterFirst
- securityContext:
- fsGroup: 65534
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- terminationGracePeriodSeconds: 300
- volumes:
- - name: config-volume
- configMap:
- name: prometheus
- - name: file-sd-volume
- configMap:
- name: file-sd-config
- optional: true
- - name: storage-volume
- emptyDir:
- {}
\ No newline at end of file
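Review bot: Deleting this manifest does not remove the RBAC it created, and that RBAC is broad. The `prometheus` ClusterRole near the end of the hunk grants create, update, patch and delete on `configmaps` in the core API group cluster-wide, and the ClusterRoleBinding ties it to the `prometheus` ServiceAccount in `istio-system`. If the file was ever applied, run or reference a `kubectl delete -f` against it before it leaves the tree, or state in the description that it was never applied. Two other settings in the deleted lines should not be copied back from history as-is: the `kubernetes-apiservers`, `kubernetes-nodes` and `kubernetes-nodes-cadvisor` jobs set `insecure_skip_verify: true` next to a `ca_file`, and the `vm-discovery` container uses the `:latest` tag with `imagePullPolicy: "IfNotPresent"`.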
diff --git a/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml b/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml
deleted file mode 100644
index 3d571b98..00000000
--- a/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml
+++ /dev/null
@@ -1,548 +0,0 @@
----
-# Source: prometheus/templates/server/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
- namespace: istio-system
- annotations:
- {}
----
-# Source: prometheus/templates/server/cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
- namespace: istio-system
-data:
- alerting_rules.yml: |
- {}
- alerts: |
- {}
- prometheus.yml: |
- global:
- evaluation_interval: 1m
- scrape_interval: 15s
- scrape_timeout: 10s
- rule_files:
- - /etc/config/recording_rules.yml
- - /etc/config/alerting_rules.yml
- - /etc/config/rules
- - /etc/config/alerts
- scrape_configs:
- - job_name: prometheus
- static_configs:
- - targets:
- - localhost:9090
- - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- job_name: kubernetes-apiservers
- kubernetes_sd_configs:
- - role: endpoints
- relabel_configs:
- - action: keep
- regex: default;kubernetes;https
- source_labels:
- - __meta_kubernetes_namespace
- - __meta_kubernetes_service_name
- - __meta_kubernetes_endpoint_port_name
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- insecure_skip_verify: true
- - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- job_name: kubernetes-nodes
- kubernetes_sd_configs:
- - role: node
- relabel_configs:
- - action: labelmap
- regex: __meta_kubernetes_node_label_(.+)
- - replacement: kubernetes.default.svc:443
- target_label: __address__
- - regex: (.+)
- replacement: /api/v1/nodes/$1/proxy/metrics
- source_labels:
- - __meta_kubernetes_node_name
- target_label: __metrics_path__
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- insecure_skip_verify: true
- - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- job_name: kubernetes-nodes-cadvisor
- kubernetes_sd_configs:
- - role: node
- relabel_configs:
- - action: labelmap
- regex: __meta_kubernetes_node_label_(.+)
- - replacement: kubernetes.default.svc:443
- target_label: __address__
- - regex: (.+)
- replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
- source_labels:
- - __meta_kubernetes_node_name
- target_label: __metrics_path__
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- insecure_skip_verify: true
- - job_name: kubernetes-service-endpoints
- kubernetes_sd_configs:
- - role: endpoints
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scrape
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: ([^:]+)(?::\d+)?;(\d+)
- replacement: $1:$2
- source_labels:
- - __address__
- - __meta_kubernetes_service_annotation_prometheus_io_port
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_service_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: kubernetes_namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_service_name
- target_label: kubernetes_name
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_node_name
- target_label: kubernetes_node
- - job_name: kubernetes-service-endpoints-slow
- kubernetes_sd_configs:
- - role: endpoints
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: ([^:]+)(?::\d+)?;(\d+)
- replacement: $1:$2
- source_labels:
- - __address__
- - __meta_kubernetes_service_annotation_prometheus_io_port
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_service_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: kubernetes_namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_service_name
- target_label: kubernetes_name
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_node_name
- target_label: kubernetes_node
- scrape_interval: 5m
- scrape_timeout: 30s
- - honor_labels: true
- job_name: prometheus-pushgateway
- kubernetes_sd_configs:
- - role: service
- relabel_configs:
- - action: keep
- regex: pushgateway
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_probe
- - job_name: kubernetes-services
- kubernetes_sd_configs:
- - role: service
- metrics_path: /probe
- params:
- module:
- - http_2xx
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_probe
- - source_labels:
- - __address__
- target_label: __param_target
- - replacement: blackbox
- target_label: __address__
- - source_labels:
- - __param_target
- target_label: instance
- - action: labelmap
- regex: __meta_kubernetes_service_label_(.+)
- - source_labels:
- - __meta_kubernetes_namespace
- target_label: kubernetes_namespace
- - source_labels:
- - __meta_kubernetes_service_name
- target_label: kubernetes_name
- - job_name: kubernetes-pods
- kubernetes_sd_configs:
- - role: pod
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scrape
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: ([^:]+)(?::\d+)?;(\d+)
- replacement: $1:$2
- source_labels:
- - __address__
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_pod_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: kubernetes_namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_name
- target_label: kubernetes_pod_name
- - action: drop
- regex: Pending|Succeeded|Failed
- source_labels:
- - __meta_kubernetes_pod_phase
- - job_name: kubernetes-pods-slow
- kubernetes_sd_configs:
- - role: pod
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: ([^:]+)(?::\d+)?;(\d+)
- replacement: $1:$2
- source_labels:
- - __address__
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_pod_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: kubernetes_namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_name
- target_label: kubernetes_pod_name
- - action: drop
- regex: Pending|Succeeded|Failed
- source_labels:
- - __meta_kubernetes_pod_phase
- scrape_interval: 5m
- scrape_timeout: 30s
- - job_name: kubernetes-file-sd-endpoints
- kubernetes_sd_configs:
- - role: endpoints
- file_sd_configs:
- - files:
- - /etc/file_sd/*.json
- scheme: https
- tls_config:
- ca_file: /etc/prom-certs/root-cert.pem
- cert_file: /etc/prom-certs/cert-chain.pem
- key_file: /etc/prom-certs/key.pem
- insecure_skip_verify: true # Prometheus does not support Istio security naming, thus skip verifying target pod ceritifcate
- relabel_configs:
- - action: keep
- regex: (.+)
- source_labels:
- - __meta_filepath
- - replacement: /stats/prometheus
- target_label: __metrics_path__
-
- recording_rules.yml: |
- {}
- rules: |
- {}
----
-# Source: prometheus/templates/server/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
-rules:
- - apiGroups:
- - ""
- resources:
- - nodes
- - nodes/proxy
- - nodes/metrics
- - services
- - endpoints
- - pods
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses/status
- - ingresses
- verbs:
- - get
- - list
- - watch
- - nonResourceURLs:
- - "/metrics"
- verbs:
- - get
- - apiGroups:
- - "networking.istio.io"
- verbs:
- - get
- - watch
- - list
- resources:
- - workloadentries
- - apiGroups:
- - ""
- verbs:
- - get
- - watch
- - list
- - create
- - update
- - patch
- - delete
- resources:
- - configmaps
----
-# Source: prometheus/templates/server/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
-subjects:
- - kind: ServiceAccount
- name: prometheus
- namespace: istio-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: prometheus
----
-# Source: prometheus/templates/server/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
- namespace: istio-system
-spec:
- ports:
- - name: http
- port: 9090
- protocol: TCP
- targetPort: 9090
- selector:
- component: "server"
- app: prometheus
- release: prometheus
- sessionAffinity: None
- type: "ClusterIP"
----
-# Source: prometheus/templates/server/deploy.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- name: prometheus
- namespace: istio-system
-spec:
- selector:
- matchLabels:
- component: "server"
- app: prometheus
- release: prometheus
- replicas: 1
- template:
- metadata:
- annotations:
- traffic.sidecar.istio.io/includeInboundPorts: "" # do not intercept any inbound ports
- traffic.sidecar.istio.io/includeOutboundIPRanges: "" # do not intercept any outbound traffic
- proxy.istio.io/config: | # configure an env variable `OUTPUT_CERTS` to write certificates to the given folder
- proxyMetadata:
- OUTPUT_CERTS: /etc/istio-output-certs
- sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]' # mount the shared volume at sidecar proxy
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-13.6.0
- heritage: Helm
- sidecar.istio.io/inject: "true"
- spec:
- serviceAccountName: prometheus
- containers:
- - name: prometheus-server-configmap-reload
- image: "jimmidyson/configmap-reload:v0.5.0"
- imagePullPolicy: "IfNotPresent"
- args:
- - --volume-dir=/etc/config
- - --webhook-url=http://127.0.0.1:9090/-/reload
- resources:
- {}
- volumeMounts:
- - name: config-volume
- mountPath: /etc/config
- readOnly: true
- - name: file-sd-volume
- mountPath: /etc/file_sd
- readOnly: true
-
- - name: prometheus-server
- image: "prom/prometheus:v2.24.0"
- imagePullPolicy: "IfNotPresent"
- args:
- - --storage.tsdb.retention.time=15d
- - --config.file=/etc/config/prometheus.yml
- - --storage.tsdb.path=/data
- - --web.console.libraries=/etc/prometheus/console_libraries
- - --web.console.templates=/etc/prometheus/consoles
- - --web.enable-lifecycle
- ports:
- - containerPort: 9090
- readinessProbe:
- httpGet:
- path: /-/ready
- port: 9090
- initialDelaySeconds: 0
- periodSeconds: 5
- timeoutSeconds: 4
- failureThreshold: 3
- successThreshold: 1
- livenessProbe:
- httpGet:
- path: /-/healthy
- port: 9090
- initialDelaySeconds: 30
- periodSeconds: 15
- timeoutSeconds: 10
- failureThreshold: 3
- successThreshold: 1
- resources:
- {}
- volumeMounts:
- - name: config-volume
- mountPath: /etc/config
- - name: storage-volume
- mountPath: /data
- subPath: ""
- - name: file-sd-volume
- mountPath: /etc/file_sd
- - name: istio-certs
- mountPath: /etc/prom-certs/
- - name: vm-discovery
- image: "istioecosystem/vm-discovery:latest"
- imagePullPolicy: "IfNotPresent"
- hostNetwork: false
- dnsPolicy: ClusterFirst
- securityContext:
- fsGroup: 65534
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- terminationGracePeriodSeconds: 300
- volumes:
- - name: config-volume
- configMap:
- name: prometheus
- - name: file-sd-volume
- configMap:
- name: file-sd-config
- optional: true
- - name: istio-certs
- emptyDir:
- medium: Memory
- - name: storage-volume
- emptyDir:
- {}
\ No newline at end of file
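Review bot: deleting this manifest from the tree does not undo what it created. The cluster-scoped ClusterRole and ClusterRoleBinding named `prometheus` give the `prometheus` ServiceAccount in `istio-system` create/update/patch/delete on `configmaps` in every namespace, so the change should state how clusters that applied this file get those objects removed. If the deployment is being relocated rather than dropped, three settings visible here should not move with it unchanged: `insecure_skip_verify: true` in the `kubernetes-file-sd-endpoints` job, the unpinned `istioecosystem/vm-discovery:latest` image with `imagePullPolicy: "IfNotPresent"`, and `--web.enable-lifecycle` on the server. Pin the image to a fixed tag or digest and move the configmap write access to a namespaced Role.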
diff --git a/istio-1.18.2/samples/addons/extras/skywalking.yaml b/istio-1.18.2/samples/addons/extras/skywalking.yaml
deleted file mode 100644
index 0633b74d..00000000
--- a/istio-1.18.2/samples/addons/extras/skywalking.yaml
+++ /dev/null
@@ -1,133 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: skywalking-oap
- namespace: istio-system
- labels:
- app: skywalking-oap
-spec:
- selector:
- matchLabels:
- app: skywalking-oap
- template:
- metadata:
- labels:
- app: skywalking-oap
- sidecar.istio.io/inject: "false"
- spec:
- containers:
- - name: skywalking-oap
- image: apache/skywalking-oap-server:9.1.0
- env:
- - name: SW_HEALTH_CHECKER
- value: default
- readinessProbe:
- exec:
- command:
- - /skywalking/bin/swctl
- - health
- initialDelaySeconds: 30
- periodSeconds: 5
-
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tracing
- namespace: istio-system
- labels:
- app: skywalking-oap
-spec:
- type: ClusterIP
- ports:
- - name: grpc
- port: 11800
- protocol: TCP
- targetPort: 11800
- - name: http-query
- port: 12800
- protocol: TCP
- targetPort: 12800
- selector:
- app: skywalking-oap
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- name: skywalking-oap
- name: skywalking-oap
- namespace: istio-system
-spec:
- ports:
- - port: 11800
- targetPort: 11800
- name: grpc
- - port: 12800
- targetPort: 12800
- name: http-query
- selector:
- app: skywalking-oap
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: skywalking-ui
- namespace: istio-system
- labels:
- app: skywalking-ui
-spec:
- selector:
- matchLabels:
- app: skywalking-ui
- template:
- metadata:
- labels:
- app: skywalking-ui
- annotations:
- sidecar.istio.io/inject: "false"
- spec:
- containers:
- - name: skywalking-ui
- image: apache/skywalking-ui:9.1.0
- env:
- - name: SW_OAP_ADDRESS
- value: http://skywalking-oap:12800
- readinessProbe:
- httpGet:
- path: /
- port: 8080
- initialDelaySeconds: 30
- periodSeconds: 5
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tracing-ui
- namespace: istio-system
- labels:
- app: skywalking-ui
-spec:
- type: ClusterIP
- ports:
- - name: http
- port: 8080
- protocol: TCP
- targetPort: 8080
- selector:
- app: skywalking-ui
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- name: skywalking-ui
- name: skywalking-ui
- namespace: istio-system
-spec:
- ports:
- - port: 8080
- targetPort: 8080
- name: http
- selector:
- app: skywalking-ui
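Review bot: the two Deployments removed here opt out of sidecar injection in different places, `sidecar.istio.io/inject: "false"` under `labels` for `skywalking-oap` and under `annotations` for `skywalking-ui`, so if this file is being moved rather than retired, settle on one form and confirm both pods really stay out of the mesh. With injection off, the UI talks to the OAP server at `http://skywalking-oap:12800` without a sidecar on either side, and neither container sets a `securityContext` or `resources`; a replacement manifest should add both. The change should also say whether anything still resolves the `tracing`, `skywalking-oap` or `tracing-ui` Services in `istio-system`.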
diff --git a/istio-1.18.2/samples/addons/extras/zipkin.yaml b/istio-1.18.2/samples/addons/extras/zipkin.yaml
deleted file mode 100644
index b9bced3d..00000000
--- a/istio-1.18.2/samples/addons/extras/zipkin.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: zipkin
- namespace: istio-system
- labels:
- app: zipkin
-spec:
- selector:
- matchLabels:
- app: zipkin
- template:
- metadata:
- labels:
- app: zipkin
- sidecar.istio.io/inject: "false"
- spec:
- containers:
- - name: zipkin
- image: openzipkin/zipkin-slim:2.23.14
- env:
- - name: STORAGE_METHOD
- value: "mem"
- readinessProbe:
- httpGet:
- path: /health
- port: 9411
- initialDelaySeconds: 5
- periodSeconds: 5
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tracing
- namespace: istio-system
- labels:
- app: zipkin
-spec:
- type: ClusterIP
- ports:
- - name: http-query
- port: 80
- protocol: TCP
- targetPort: 9411
- selector:
- app: zipkin
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- name: zipkin
- name: zipkin
- namespace: istio-system
-spec:
- ports:
- - port: 9411
- targetPort: 9411
- name: http-query
- selector:
- app: zipkin
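Review bot: the `tracing` Service removed in this hunk has the same name and namespace as the `tracing` Service in the skywalking.yaml hunk above, but a different selector (`app: zipkin` against `app: skywalking-oap`) and different ports (80 to 9411 against 11800/12800), so in any cluster where both files were applied the last one applied owns that name. Before merging, check which backend `tracing.istio-system` currently points at and whether mesh tracing configuration still depends on it. If Zipkin is kept elsewhere, note that this Deployment runs with `STORAGE_METHOD` set to `"mem"`, sidecar injection disabled and no `securityContext`, which is acceptable for a sample but should be revisited for anything longer-lived.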
diff --git a/istio-1.18.2/samples/addons/grafana.yaml b/istio-1.18.2/samples/addons/grafana.yaml
deleted file mode 100644
index 0cebcf49..00000000
--- a/istio-1.18.2/samples/addons/grafana.yaml
+++ /dev/null
@@ -1,1129 +0,0 @@
----
-# Source: grafana/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- helm.sh/chart: grafana-6.31.1
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/version: "9.0.1"
- app.kubernetes.io/managed-by: Helm
- name: grafana
- namespace: istio-system
----
-# Source: grafana/templates/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana
- namespace: istio-system
- labels:
- helm.sh/chart: grafana-6.31.1
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/version: "9.0.1"
- app.kubernetes.io/managed-by: Helm
-data:
- allow-snippet-annotations: "false"
- grafana.ini: |
- [analytics]
- check_for_updates = true
- [grafana_net]
- url = https://grafana.net
- [log]
- mode = console
- [paths]
- data = /var/lib/grafana/
- logs = /var/log/grafana
- plugins = /var/lib/grafana/plugins
- provisioning = /etc/grafana/provisioning
-
- datasources.yaml: |
- apiVersion: 1
- datasources:
- - access: proxy
- editable: true
- isDefault: true
- jsonData:
- timeInterval: 5s
- name: Prometheus
- orgId: 1
- type: prometheus
- url: http://prometheus:9090
- - access: proxy
- editable: true
- isDefault: false
- jsonData:
- timeInterval: 5s
- name: Loki
- orgId: 1
- type: loki
- url: http://loki:3100
- dashboardproviders.yaml: |
- apiVersion: 1
- providers:
- - disableDeletion: false
- folder: istio
- name: istio
- options:
- path: /var/lib/grafana/dashboards/istio
- orgId: 1
- type: file
- - disableDeletion: false
- folder: istio
- name: istio-services
- options:
- path: /var/lib/grafana/dashboards/istio-services
- orgId: 1
- type: file
----
-# Source: grafana/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: grafana
- namespace: istio-system
- labels:
- helm.sh/chart: grafana-6.31.1
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/version: "9.0.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- type: ClusterIP
- ports:
- - name: service
- port: 3000
- protocol: TCP
- targetPort: 3000
-
- selector:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
----
-# Source: grafana/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: grafana
- namespace: istio-system
- labels:
- helm.sh/chart: grafana-6.31.1
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/version: "9.0.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- replicas: 1
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- strategy:
- type: RollingUpdate
- template:
- metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app: grafana
- sidecar.istio.io/inject: "false"
- annotations:
- checksum/config: 21013edd24d239f48f0228579d13d44411baf698367879ae68290467749f6dcf
- checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
- checksum/sc-dashboard-provider-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
- spec:
-
- serviceAccountName: grafana
- automountServiceAccountToken: true
- securityContext:
- fsGroup: 472
- runAsGroup: 472
- runAsUser: 472
- enableServiceLinks: true
- containers:
- - name: grafana
- image: "grafana/grafana:9.0.1"
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - name: config
- mountPath: "/etc/grafana/grafana.ini"
- subPath: grafana.ini
- - name: storage
- mountPath: "/var/lib/grafana"
- - name: dashboards-istio
- mountPath: "/var/lib/grafana/dashboards/istio"
- - name: dashboards-istio-services
- mountPath: "/var/lib/grafana/dashboards/istio-services"
- - name: config
- mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml"
- subPath: "datasources.yaml"
- - name: config
- mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml"
- subPath: "dashboardproviders.yaml"
- ports:
- - name: service
- containerPort: 3000
- protocol: TCP
- - name: grafana
- containerPort: 3000
- protocol: TCP
- env:
- - name: GF_PATHS_DATA
- value: /var/lib/grafana/
- - name: GF_PATHS_LOGS
- value: /var/log/grafana
- - name: GF_PATHS_PLUGINS
- value: /var/lib/grafana/plugins
- - name: GF_PATHS_PROVISIONING
- value: /etc/grafana/provisioning
- - name: "GF_AUTH_ANONYMOUS_ENABLED"
- value: "true"
- - name: "GF_AUTH_ANONYMOUS_ORG_ROLE"
- value: "Admin"
- - name: "GF_AUTH_BASIC_ENABLED"
- value: "false"
- - name: "GF_SECURITY_ADMIN_PASSWORD"
- value: "-"
- - name: "GF_SECURITY_ADMIN_USER"
- value: "-"
- livenessProbe:
- failureThreshold: 10
- httpGet:
- path: /api/health
- port: 3000
- initialDelaySeconds: 60
- timeoutSeconds: 30
- readinessProbe:
- httpGet:
- path: /api/health
- port: 3000
- resources:
- {}
- volumes:
- - name: config
- configMap:
- name: grafana
-
- - name: dashboards-istio
- configMap:
- name: istio-grafana-dashboards
- - name: dashboards-istio-services
- configMap:
- name: istio-services-grafana-dashboards
- - name: storage
- emptyDir: {}
-
----
-
-apiVersion: v1
-data:
- istio-performance-dashboard.json: |
- {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":true,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":21,"panels":[{"content":"The charts on this dashboard are intended to show Istio main components cost in terms of resources utilization under steady load.\n\n- **vCPU / 1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred / sec:** shows the number of bytes flowing through each Istio component.\n\n\n","gridPos":{"h":6,"w":24,"x":0,"y":1},"id":19,"links":[],"mode":"markdown","timeFrom":null,"timeShift":null,"title":"Performance Dashboard README","transparent":true,"type":"text"}],"title":"Performance Dashboard Notes","type":"row"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":1},"id":6,"panels":[],"title":"vCPU Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":2},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"(sum(irate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m])) / 
(round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"(sum(irate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU / 1k rps","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":2},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared"
:true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":10},"id":13,"panels":[],"title":"Memory and Data Rates","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":11},"id":902,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\"}) / count(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\",container!=\"POD\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio-ingressgateway","refId":"A"},{"expr":"sum(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"}) / count(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory 
Usage","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":11},"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Bytes transferred / sec","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":19},"id":17,"panels":[],"title":"Istio Component 
Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":24,"x":0,"y":20},"id":15,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":71,"panels":[],"title":"Proxy Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":32},"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":32},"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":32},"id":702,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_fs_usage_bytes{container=\"istio-proxy\"})","format":"time_series","intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":39},"id":69,"panels":[],"title":"Istiod Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":40},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"sum(container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"C","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} 
(k8s)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":40},"id":602,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2},{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m])) by (container)","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} (k8s)","refId":"B","step":2},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"pilot 
(self-reported)","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":40},"id":74,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_open_fds{app=\"istiod\"}","format":"time_series","hide":true,"instant":false,"interval":"","intervalFactor":2,"legendFormat":"Open FDs (pilot)","refId":"A"},{"expr":"container_fs_usage_bytes{ container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"{{ container 
}}","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":40},"id":402,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of 
Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"10s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Istio Performance Dashboard","uid":"vu8e0VWZk","version":22}
- pilot-dashboard.json: |
- {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":1,"links":[],"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":60,"panels":[],"title":"Deployed Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":5,"w":24,"x":0,"y":1},"id":56,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build{component=\"pilot\"}) by (tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Versions","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":6},"id":62,"panels":[],"title":"Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":7},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (container)","refId":"B","step":2},{"expr":"container_memory_working_set_bytes{container=~\"istio-proxy\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar 
(container)","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":7},"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Discovery (container)","refId":"A"},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (process)","refId":"C","step":2},{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"istio-proxy\", pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Sidecar 
(container)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"CPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":7},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"container_fs_usage_bytes{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"Discovery","refId":"B","step":2},{"expr":"container_fs_usage_bytes{container=\"istio-proxy\", 
pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":7},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":14},"id":58,"panels":[],"title":"Pilot Push Information","type":"row"},{"aliasColors":{},"bars":true,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the rate of pilot 
pushes","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":15},"id":622,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":false,"linewidth":1,"links":[],"nullPointMode":"null as zero","paceLength":10,"percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":true,"steppedLine":false,"targets":[{"expr":"sum(irate(pilot_xds_pushes{type=\"cds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Cluster","refId":"C"},{"expr":"sum(irate(pilot_xds_pushes{type=\"eds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Endpoints","refId":"D"},{"expr":"sum(irate(pilot_xds_pushes{type=\"lds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Listeners","refId":"A"},{"expr":"sum(irate(pilot_xds_pushes{type=\"rds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Routes","refId":"E"},{"expr":"sum(irate(pilot_xds_pushes{type=\"sds\"}[1m]))","interval":"","legendFormat":"Secrets","refId":"B"},{"expr":"sum(irate(pilot_xds_pushes{type=\"nds\"}[1m]))","interval":"","legendFormat":"Nametables","refId":"F"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Pushes","tooltip":{"shared":false,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":["total"]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":"0","show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Captures a variety of pilot 
errors","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":15},"id":67,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(pilot_xds_cds_reject{app=\"istiod\"}) or (absent(pilot_xds_cds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected CDS Configs","refId":"C"},{"expr":"sum(pilot_xds_eds_reject{app=\"istiod\"}) or (absent(pilot_xds_eds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected EDS Configs","refId":"D"},{"expr":"sum(pilot_xds_rds_reject{app=\"istiod\"}) or (absent(pilot_xds_rds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected RDS Configs","refId":"A"},{"expr":"sum(pilot_xds_lds_reject{app=\"istiod\"}) or (absent(pilot_xds_lds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected LDS Configs","refId":"B"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Write Timeouts","refId":"F"},{"expr":"sum(rate(pilot_total_xds_internal_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Internal Errors","refId":"H"},{"expr":"sum(rate(pilot_total_xds_rejects{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Config Rejection Rate","refId":"E"},{"expr":"sum(rate(pilot_xds_push_context_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Push Context 
Errors","refId":"K"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Push Timeouts","refId":"G"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Errors","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the total time it takes to push a config update to a proxy","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":15},"id":624,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"histogram_quantile(0.5, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p50 ","refId":"A"},{"expr":"histogram_quantile(0.9, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p90","refId":"B"},{"expr":"histogram_quantile(0.99, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99","refId":"C"},{"expr":"histogram_quantile(0.999, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99.9","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Proxy Push 
Time","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"s","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":23},"id":45,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null as zero","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"pilot_conflict_inbound_listener{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Inbound Listeners","refId":"B"},{"expr":"pilot_conflict_outbound_listener_http_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (http over current tcp)","refId":"A"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current tcp)","refId":"C"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_http{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current 
http)","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Conflicts","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":23},"id":47,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(pilot_virt_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Virtual Services","refId":"A"},{"expr":"avg(pilot_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Services","refId":"B"},{"expr":"sum(pilot_xds{app=\"istiod\"}) by (pod)","format":"time_series","intervalFactor":1,"legendFormat":"Connected Endpoints {{pod}}","refId":"E"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"ADS Monitoring","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":64,"panels":[],"title":"Envoy 
Information","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows details about Envoy proxies in the mesh","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":32},"id":40,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(envoy_cluster_upstream_cx_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connections","refId":"C"},{"expr":"sum(irate(envoy_cluster_upstream_cx_connect_fail{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connection Failures","refId":"A"},{"expr":"sum(increase(envoy_server_hot_restart_epoch[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Envoy Restarts","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Envoy 
Details","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":32},"id":41,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})","format":"time_series","intervalFactor":2,"legendFormat":"XDS Active Connections","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Active Connections","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the size of XDS requests and 
responses","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":32},"id":42,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"max(rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Max","refId":"D"},{"expr":"quantile(0.5, rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Average","refId":"B"},{"expr":"max(rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Max","refId":"A"},{"expr":"quantile(.5, rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Average","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Requests 
Size","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":null,"gridPos":{"h":1,"w":24,"x":0,"y":40},"id":626,"panels":[],"title":"Webhooks","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":41},"hiddenSeries":false,"id":629,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(galley_validation_passed[1m]))","interval":"","legendFormat":"Validations (Success)","refId":"A"},{"expr":"sum(rate(galley_validation_failed[1m]))","interval":"","legendFormat":"Validation (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Configuration 
Validation","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"description":"","fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":41},"hiddenSeries":false,"id":630,"legend":{"avg":false,"current":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(sidecar_injection_success_total[1m]))","interval":"","legendFormat":"Injections (Success)","refId":"A"},{"expr":"sum(rate(sidecar_injection_failure_total[1m]))","interval":"","legendFormat":"Injections (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Sidecar 
Injection","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Control Plane Dashboard","uid":"3--MLVZZk","version":11}
-kind: ConfigMap
-metadata:
- creationTimestamp: null
- name: istio-grafana-dashboards
- namespace: istio-system
-
----
-
-apiVersion: v1
-data:
- istio-extension-dashboard.json: |
- {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":0},"id":3,"panels":[],"title":"Wasm VMs","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"","fieldConfig":{"defaults":{"custom":{"align":null},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":1},"hiddenSeries":false,"id":2,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_active)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_active)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Active","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:123","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:124","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fil
l":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":1},"hiddenSeries":false,"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_created)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_created)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Created","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:68","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:69","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":9},"id":7,"panels":[],"title":"Wasm Module Remote 
Load","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":0,"y":10},"hiddenSeries":false,"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_entries)","interval":"","legendFormat":"entries","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache Entry","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:178","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:179","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":8,"y":10},"hiddenSeries":false,"id":8,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_hits)","interval":"","legendFormat":"hits","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_cache_misses)","interval
":"","legendFormat":"misses","refId":"B"},{"expr":"avg(envoy_wasm_remote_load_cache_negative_hits)","interval":"","legendFormat":"negative hits","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache Visit","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:233","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:234","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":16,"y":10},"hiddenSeries":false,"id":10,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_fetch_failures)","interval":"","legendFormat":"failures","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_fetch_successes)","interval":"","legendFormat":"successes","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Remote 
Fetch","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:288","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:289","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":18},"id":71,"panels":[],"title":"Proxy Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":19},"hiddenSeries":false,"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:396","format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:397","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":19},"hiddenSeries":false,"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:447","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:448","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":false,"schemaVersion":26,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["10s","30s","1m","5m","15m","30m","1h","2h","1d"]},"timezone":"","title":"Istio Wasm Extension Dashboard","uid":"7PAV7ctGz","version":17}
- istio-mesh-dashboard.json: |
- {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[{"content":"","gridPos":{"h":3,"w":24,"x":0,"y":0},"height":"50px","id":13,"links":[],"mode":"html","style":{"font-size":"18pt"},"title":"","transparent":true,"type":"text"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":3},"id":20,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"round(sum(irate(istio_requests_total{reporter=\"source\"}[1m])), 0.001)","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"Global Request Volume","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 
0.97)"],"datasource":"Prometheus","format":"percentunit","gauge":{"maxValue":100,"minValue":80,"show":false,"thresholdLabels":false,"thresholdMarkers":false},"gridPos":{"h":3,"w":6,"x":6,"y":3},"id":21,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"95, 99, 99.5","title":"Global Success Rate (non-5xx responses)","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":3},"id":22,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", response_code=~\"4.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"4xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":3},"id":23,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", 
response_code=~\"5.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"5xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":113,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Virtual Services","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 
0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":114,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Destination Rules","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":115,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Gateways","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":116,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Workload 
Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":117,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Service Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 
0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":90,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"PeerAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":91,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"RequestAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":92,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"delete\"}) or max(up * 
0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Authorization Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":21,"w":24,"x":0,"y":9},"hideTimeOverride":false,"id":73,"links":[],"pageSize":null,"repeat":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"Workload dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Requests","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[],"type":"number","unit":"ops"},{"alias":"P50 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"s"},{"alias":"P90 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #C","thresholds":[],"type":"number","unit":"s"},{"alias":"P99 
Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #D","thresholds":[],"type":"number","unit":"s"},{"alias":"Success Rate","colorMode":"cell","colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #E","thresholds":[".95"," 1.00"],"type":"number","unit":"percentunit"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-workload=${__cell_2:raw}&var-namespace=${__cell_3:raw}","pattern":"destination_workload_var","thresholds":[],"type":"number","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_requests_total{reporter=\"source\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace 
}}","refId":"A"},{"expr":"label_join((histogram_quantile(0.50, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"B"},{"expr":"label_join((histogram_quantile(0.90, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"C"},{"expr":"label_join((histogram_quantile(0.99, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"D"},{"expr":"label_join((sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) by 
(destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"interval":"","intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"E"}],"timeFrom":null,"title":"HTTP/GRPC Workloads","transform":"table","type":"table"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":18,"w":24,"x":0,"y":30},"hideTimeOverride":false,"id":109,"links":[],"pageSize":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"Bytes Sent","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[""],"type":"number","unit":"Bps"},{"alias":"Bytes Received","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"Bps"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD 
HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload_var","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"number","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"A"},{"expr":"label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"B"}],"timeFrom":null,"title":"TCP 
Workloads","transform":"table","type":"table"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":9,"w":24,"x":0,"y":48},"id":111,"legend":{"alignAsTable":false,"avg":false,"current":false,"max":false,"min":false,"rightSide":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Mesh Dashboard","uid":"G8wLrJIZk","version":5}
- istio-service-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"--
- Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations
- & Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1595591291797,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":106,\"panels\":[{\"content\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245,
- 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value
- to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31,
- 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m])),
- 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Client
- Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50,
- 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value
- to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31,
- 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m]))
- / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95,
- 99, 99.5\",\"title\":\"Client Success Rate (non-5xx responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Client
- Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237,
- 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":4},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value
- to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31,
- 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\",
- destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP
- Received Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245,
- 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":8},\"id\":97,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value
- to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31,
- 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m])),
- 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Server
- Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50,
- 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":8},\"id\":98,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value
- to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31,
- 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m]))
- / sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95,
- 99, 99.5\",\"title\":\"Server Success Rate (non-5xx responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":8},\"hiddenSeries\":false,\"id\":99,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m]))
- by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Server
- Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237,
- 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":8},\"id\":100,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value
- to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31,
- 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\",
- destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP
- Sent Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":104,\"panels\":[{\"content\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":2},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":5},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null
- as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=~\\\"$qrep\\\",source_workload=~\\\"$srcwl\\\",source_workload_namespace=~\\\"$srcns\\\"}[5m]))
- by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace,
- response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Requests By Source And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":5},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m]))
- by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m]))
- by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m]))
- by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m]))
- by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Success Rate (non-5xx responses) By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":11},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50,
- sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90,
- sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95,
- sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99,
- sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50,
- sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90,
- sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95,
- sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99,
- sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Request Duration By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":11},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Request Size By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":11},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response
- Size By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes
- Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\",
- reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace),
- 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\",
- reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace),
- 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes
- Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Client
- Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":102,\"panels\":[{\"content\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":3},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":6},\"hiddenSeries\":false,\"id\":90,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null
- as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=\\\"destination\\\",destination_workload=~\\\"$dstwl\\\",destination_workload_namespace=~\\\"$dstns\\\"}[5m]))
- by (destination_workload, destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} : {{ response_code
- }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", reporter=\\\"destination\\\", destination_workload=~\\\"$dstwl\\\",
- destination_workload_namespace=~\\\"$dstns\\\"}[5m])) by (destination_workload,
- destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} : {{ response_code
- }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Requests By Destination Workload And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":6},\"hiddenSeries\":false,\"id\":91,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m]))
- by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m]))
- by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m]))
- by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m]))
- by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Success Rate (non-5xx responses) By Destination Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":12},\"hiddenSeries\":false,\"id\":94,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50,
- sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90,
- sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95,
- sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99,
- sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50,
- sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90,
- sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95,
- sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99,
- sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Request Duration By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":12},\"hiddenSeries\":false,\"id\":95,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Request Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":12},\"hiddenSeries\":false,\"id\":96,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response
- Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":18},\"hiddenSeries\":false,\"id\":92,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",
- destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m]))
- by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{ destination_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes
- Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":18},\"hiddenSeries\":false,\"id\":93,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\",
- reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\",
- destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload,
- destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\",
- reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\",
- destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload,
- destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_workload }}.{{destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes
- Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Service
- Workloads\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Service\",\"multi\":false,\"name\":\"service\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{})
- by (destination_service) or sum(istio_tcp_sent_bytes_total{}) by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client
- Cluster\",\"multi\":true,\"name\":\"srccluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\",
- destination_service=\\\"$service\\\"}) by (source_cluster) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\",
- destination_service=~\\\"$service\\\"}) by (source_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client
- Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\",
- destination_service=\\\"$service\\\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\",
- destination_service=~\\\"$service\\\"}) by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client
- Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\",
- destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"})
- by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\",
- destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"})
- by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service
- Workload Cluster\",\"multi\":true,\"name\":\"dstcluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\",
- destination_service=\\\"$service\\\"}) by (destination_cluster) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\",
- destination_service=~\\\"$service\\\"}) by (destination_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service
- Workload Namespace\",\"multi\":true,\"name\":\"dstns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\",
- destination_service=\\\"$service\\\"}) by (destination_workload_namespace) or
- sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\"})
- by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service
- Workload\",\"multi\":true,\"name\":\"dstwl\",\"options\":[],\"query\":\"query_result(
- sum(istio_requests_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\",
- destination_cluster=~\\\"$dstcluster\\\", destination_workload_namespace=~\\\"$dstns\\\"})
- by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\",
- destination_service=~\\\"$service\\\", destination_cluster=~\\\"$dstcluster\\\",
- destination_workload_namespace=~\\\"$dstns\\\"}) by (destination_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio
- Service Dashboard\",\"uid\":\"LJ_uJAvmk\",\"version\":1}\n"
- istio-workload-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"--
- Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations
- & Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1531345461465,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":95,\"panels\":[{\"content\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245,
- 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":8,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value
- to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31,
- 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m])),
- 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Incoming
- Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50,
- 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":8,\"x\":8,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value
- to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31,
- 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\"}[5m]))
- / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95,
- 99, 99.5\",\"title\":\"Incoming Success Rate (non-5xx responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":8,\"x\":16,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or
- histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or
- histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or
- histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Request
- Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237,
- 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":0,\"y\":8},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value
- to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31,
- 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\",
- destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\"}[1m]))
- + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\",
- destination_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP
- Server Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237,
- 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":12,\"y\":8},\"id\":85,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value
- to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31,
- 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\",
- source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\"}[1m]))
- + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", source_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP
- Client Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":93,\"panels\":[{\"content\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":13},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":16},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null
- as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",
- destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\",
- reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m]))
- by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\",
- destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\",
- reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m]))
- by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Requests By Source And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":16},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\",
- destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace)
- / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m]))
- by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\",
- destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace)
- / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m]))
- by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Success Rate (non-5xx responses) By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":22},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Request Duration By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":22},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming
- Request Size By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":22},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\",
- destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\",
- destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\",
- destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\",
- source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace,
- le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}}
- P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response
- Size By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":28},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\",
- connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\",
- destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\",
- connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\",
- destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes
- Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":28},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\",
- reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\",
- reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\",
- source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m]))
- by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes
- Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Inbound
- Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":91,\"panels\":[{\"content\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":14},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":70,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null
- as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal=~\\\"spiffe.*\\\",
- source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\",
- reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service,
- response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal!~\\\"spiffe.*\\\",
- source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\",
- reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service,
- response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing
- Requests By Destination And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":71,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m]))
- by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m]))
- by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m]))
- by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m]))
- by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing
- Success Rate (non-5xx responses) By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":23},\"hiddenSeries\":false,\"id\":72,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99,
- sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\",
- source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing
- Request Duration By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":23},\"hiddenSeries\":false,\"id\":73,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing
- Request Size By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":23},\"hiddenSeries\":false,\"id\":74,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99,
- sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response
- Size By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":29},\"hiddenSeries\":false,\"id\":76,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy=\\\"mutual_tls\\\",
- reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy!=\\\"mutual_tls\\\",
- reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\",
- destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes
- Sent on Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":29},\"hiddenSeries\":false,\"id\":78,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\",
- connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\",
- connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\",
- source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m]))
- by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{
- destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes
- Received from Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Outbound
- Services\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Namespace\",\"multi\":false,\"name\":\"namespace\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total)
- by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*_namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Workload\",\"multi\":false,\"name\":\"workload\",\"options\":[],\"query\":\"query_result((sum(istio_requests_total{destination_workload_namespace=~\\\"$namespace\\\"})
- by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\\\"$namespace\\\"})
- by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\\\"$namespace\\\"})
- by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\\\"$namespace\\\"})
- by (source_workload)))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound
- Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\",
- destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"})
- by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\",
- destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"})
- by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound
- Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\",
- destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\",
- destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\",
- source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Destination
- Service\",\"multi\":true,\"name\":\"dstsvc\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"source\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"})
- by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\\\"source\\\",
- source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"})
- by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio
- Workload Dashboard\",\"uid\":\"UbsSZTDik\",\"version\":1}\n"
-kind: ConfigMap
-metadata:
- creationTimestamp: null
- name: istio-services-grafana-dashboards
- namespace: istio-system
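Review bot: the end of this hunk drops the ConfigMap `istio-services-grafana-dashboards` from `istio-system`, and nothing visible here shows whether a consumer remains. Before merging, search the repository for that ConfigMap name. A Grafana Deployment kept elsewhere that mounts it as a volume will leave its pods stuck in ContainerCreating once the ConfigMap is gone. The commit message should also say why the `istio-1.18.2/` tree is being removed, since this deletion shares a commit with the CI `go-version` change.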
diff --git a/istio-1.18.2/samples/addons/jaeger.yaml b/istio-1.18.2/samples/addons/jaeger.yaml
deleted file mode 100644
index 41896ee1..00000000
--- a/istio-1.18.2/samples/addons/jaeger.yaml
+++ /dev/null
@@ -1,117 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: jaeger
- namespace: istio-system
- labels:
- app: jaeger
-spec:
- selector:
- matchLabels:
- app: jaeger
- template:
- metadata:
- labels:
- app: jaeger
- sidecar.istio.io/inject: "false"
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "14269"
- spec:
- containers:
- - name: jaeger
- image: "docker.io/jaegertracing/all-in-one:1.35"
- env:
- - name: BADGER_EPHEMERAL
- value: "false"
- - name: SPAN_STORAGE_TYPE
- value: "badger"
- - name: BADGER_DIRECTORY_VALUE
- value: "/badger/data"
- - name: BADGER_DIRECTORY_KEY
- value: "/badger/key"
- - name: COLLECTOR_ZIPKIN_HOST_PORT
- value: ":9411"
- - name: MEMORY_MAX_TRACES
- value: "50000"
- - name: QUERY_BASE_PATH
- value: /jaeger
- livenessProbe:
- httpGet:
- path: /
- port: 14269
- readinessProbe:
- httpGet:
- path: /
- port: 14269
- volumeMounts:
- - name: data
- mountPath: /badger
- resources:
- requests:
- cpu: 10m
- volumes:
- - name: data
- emptyDir: {}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tracing
- namespace: istio-system
- labels:
- app: jaeger
-spec:
- type: ClusterIP
- ports:
- - name: http-query
- port: 80
- protocol: TCP
- targetPort: 16686
- # Note: Change port name if you add '--query.grpc.tls.enabled=true'
- - name: grpc-query
- port: 16685
- protocol: TCP
- targetPort: 16685
- selector:
- app: jaeger
----
-# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- name: zipkin
- name: zipkin
- namespace: istio-system
-spec:
- ports:
- - port: 9411
- targetPort: 9411
- name: http-query
- selector:
- app: jaeger
----
-apiVersion: v1
-kind: Service
-metadata:
- name: jaeger-collector
- namespace: istio-system
- labels:
- app: jaeger
-spec:
- type: ClusterIP
- ports:
- - name: jaeger-collector-http
- port: 14268
- targetPort: 14268
- protocol: TCP
- - name: jaeger-collector-grpc
- port: 14250
- targetPort: 14250
- protocol: TCP
- - port: 9411
- targetPort: 9411
- name: http-zipkin
- selector:
- app: jaeger
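Review bot: this deletion removes the `tracing`, `zipkin` and `jaeger-collector` Services together with the `jaeger` Deployment, and the hunk gives no indication of what, if anything, replaces them. Please grep the repository (scripts, docs, e2e tests, mesh config) for `samples/addons/jaeger.yaml` and for `zipkin.istio-system` or port 9411 before merging. Any remaining reference would either fail on `kubectl apply` or send spans to a Service that no longer exists. If tracing is still needed for tests, fetch the manifest from the Istio release at test time instead of re-adding a copy that pins `docker.io/jaegertracing/all-in-one:1.35` by tag.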
diff --git a/istio-1.18.2/samples/addons/kiali.yaml b/istio-1.18.2/samples/addons/kiali.yaml
deleted file mode 100644
index 41ab9672..00000000
--- a/istio-1.18.2/samples/addons/kiali.yaml
+++ /dev/null
@@ -1,551 +0,0 @@
----
-# Source: kiali-server/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kiali
- namespace: istio-system
- labels:
- helm.sh/chart: kiali-server-1.67.0
- app: kiali
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- version: "v1.67.0"
- app.kubernetes.io/version: "v1.67.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: "kiali"
-...
----
-# Source: kiali-server/templates/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: kiali
- namespace: istio-system
- labels:
- helm.sh/chart: kiali-server-1.67.0
- app: kiali
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- version: "v1.67.0"
- app.kubernetes.io/version: "v1.67.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: "kiali"
-data:
- config.yaml: |
- auth:
- openid: {}
- openshift:
- client_id_prefix: kiali
- strategy: anonymous
- deployment:
- accessible_namespaces:
- - '**'
- additional_service_yaml: {}
- affinity:
- node: {}
- pod: {}
- pod_anti: {}
- configmap_annotations: {}
- custom_secrets: []
- host_aliases: []
- hpa:
- api_version: autoscaling/v2beta2
- spec: {}
- image_digest: ""
- image_name: quay.io/kiali/kiali
- image_pull_policy: Always
- image_pull_secrets: []
- image_version: v1.67
- ingress:
- additional_labels: {}
- class_name: nginx
- override_yaml:
- metadata: {}
- ingress_enabled: false
- instance_name: kiali
- logger:
- log_format: text
- log_level: info
- sampler_rate: "1"
- time_field_format: 2006-01-02T15:04:05Z07:00
- namespace: istio-system
- node_selector: {}
- pod_annotations: {}
- pod_labels:
- sidecar.istio.io/inject: "false"
- priority_class_name: ""
- replicas: 1
- resources:
- limits:
- memory: 1Gi
- requests:
- cpu: 10m
- memory: 64Mi
- secret_name: kiali
- security_context: {}
- service_annotations: {}
- service_type: ""
- tolerations: []
- version_label: v1.67.0
- view_only_mode: false
- external_services:
- custom_dashboards:
- enabled: true
- istio:
- root_namespace: istio-system
- identity:
- cert_file: ""
- private_key_file: ""
- istio_namespace: istio-system
- kiali_feature_flags:
- certificates_information_indicators:
- enabled: true
- secrets:
- - cacerts
- - istio-ca-secret
- clustering:
- autodetect_secrets:
- enabled: true
- label: kiali.io/multiCluster=true
- clusters: []
- disabled_features: []
- validations:
- ignore:
- - KIA1201
- login_token:
- signing_key: CHANGEME00000000
- server:
- metrics_enabled: true
- metrics_port: 9090
- port: 20001
- web_root: /kiali
-...
----
-# Source: kiali-server/templates/role-viewer.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kiali-viewer
- labels:
- helm.sh/chart: kiali-server-1.67.0
- app: kiali
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- version: "v1.67.0"
- app.kubernetes.io/version: "v1.67.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: "kiali"
-rules:
-- apiGroups: [""]
- resources:
- - configmaps
- - endpoints
- - pods/log
- verbs:
- - get
- - list
- - watch
-- apiGroups: [""]
- resources:
- - namespaces
- - pods
- - replicationcontrollers
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups: [""]
- resources:
- - pods/portforward
- verbs:
- - create
- - post
-- apiGroups: ["extensions", "apps"]
- resources:
- - daemonsets
- - deployments
- - replicasets
- - statefulsets
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["batch"]
- resources:
- - cronjobs
- - jobs
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.istio.io
- - security.istio.io
- - extensions.istio.io
- - telemetry.istio.io
- - gateway.networking.k8s.io
- resources: ["*"]
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["apps.openshift.io"]
- resources:
- - deploymentconfigs
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["project.openshift.io"]
- resources:
- - projects
- verbs:
- - get
-- apiGroups: ["route.openshift.io"]
- resources:
- - routes
- verbs:
- - get
-- apiGroups: ["authentication.k8s.io"]
- resources:
- - tokenreviews
- verbs:
- - create
-...
----
-# Source: kiali-server/templates/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kiali
- labels:
- helm.sh/chart: kiali-server-1.67.0
- app: kiali
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- version: "v1.67.0"
- app.kubernetes.io/version: "v1.67.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: "kiali"
-rules:
-- apiGroups: [""]
- resources:
- - configmaps
- - endpoints
- - pods/log
- verbs:
- - get
- - list
- - watch
-- apiGroups: [""]
- resources:
- - namespaces
- - pods
- - replicationcontrollers
- - services
- verbs:
- - get
- - list
- - watch
- - patch
-- apiGroups: [""]
- resources:
- - pods/portforward
- verbs:
- - create
- - post
-- apiGroups: ["extensions", "apps"]
- resources:
- - daemonsets
- - deployments
- - replicasets
- - statefulsets
- verbs:
- - get
- - list
- - watch
- - patch
-- apiGroups: ["batch"]
- resources:
- - cronjobs
- - jobs
- verbs:
- - get
- - list
- - watch
- - patch
-- apiGroups:
- - networking.istio.io
- - security.istio.io
- - extensions.istio.io
- - telemetry.istio.io
- - gateway.networking.k8s.io
- resources: ["*"]
- verbs:
- - get
- - list
- - watch
- - create
- - delete
- - patch
-- apiGroups: ["apps.openshift.io"]
- resources:
- - deploymentconfigs
- verbs:
- - get
- - list
- - watch
- - patch
-- apiGroups: ["project.openshift.io"]
- resources:
- - projects
- verbs:
- - get
-- apiGroups: ["route.openshift.io"]
- resources:
- - routes
- verbs:
- - get
-- apiGroups: ["authentication.k8s.io"]
- resources:
- - tokenreviews
- verbs:
- - create
-...
----
-# Source: kiali-server/templates/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: kiali
- labels:
- helm.sh/chart: kiali-server-1.67.0
- app: kiali
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- version: "v1.67.0"
- app.kubernetes.io/version: "v1.67.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: "kiali"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kiali
-subjects:
-- kind: ServiceAccount
- name: kiali
- namespace: istio-system
-...
----
-# Source: kiali-server/templates/role-controlplane.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: kiali-controlplane
- namespace: istio-system
- labels:
- helm.sh/chart: kiali-server-1.67.0
- app: kiali
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- version: "v1.67.0"
- app.kubernetes.io/version: "v1.67.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: "kiali"
-rules:
-- apiGroups: [""]
- resourceNames:
- - cacerts
- - istio-ca-secret
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
-...
----
-# Source: kiali-server/templates/rolebinding-controlplane.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: kiali-controlplane
- namespace: istio-system
- labels:
- helm.sh/chart: kiali-server-1.67.0
- app: kiali
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- version: "v1.67.0"
- app.kubernetes.io/version: "v1.67.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: "kiali"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kiali-controlplane
-subjects:
-- kind: ServiceAccount
- name: kiali
- namespace: istio-system
-...
----
-# Source: kiali-server/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: kiali
- namespace: istio-system
- labels:
- helm.sh/chart: kiali-server-1.67.0
- app: kiali
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- version: "v1.67.0"
- app.kubernetes.io/version: "v1.67.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: "kiali"
- annotations:
-spec:
- ports:
- - name: http
- appProtocol: http
- protocol: TCP
- port: 20001
- - name: http-metrics
- appProtocol: http
- protocol: TCP
- port: 9090
- selector:
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
-...
----
-# Source: kiali-server/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: kiali
- namespace: istio-system
- labels:
- helm.sh/chart: kiali-server-1.67.0
- app: kiali
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- version: "v1.67.0"
- app.kubernetes.io/version: "v1.67.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: "kiali"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- strategy:
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 1
- type: RollingUpdate
- template:
- metadata:
- name: kiali
- labels:
- helm.sh/chart: kiali-server-1.67.0
- app: kiali
- app.kubernetes.io/name: kiali
- app.kubernetes.io/instance: kiali
- version: "v1.67.0"
- app.kubernetes.io/version: "v1.67.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: "kiali"
- sidecar.istio.io/inject: "false"
- annotations:
- checksum/config: 88419f205248a3fdba75ba592ce095a39000318ed6056baaa08ea19d716e94c1
- prometheus.io/scrape: "true"
- prometheus.io/port: "9090"
- kiali.io/dashboards: go,kiali
- spec:
- serviceAccountName: kiali
- containers:
- - image: "quay.io/kiali/kiali:v1.67"
- imagePullPolicy: Always
- name: kiali
- command:
- - "/opt/kiali/kiali"
- - "-config"
- - "/kiali-configuration/config.yaml"
- securityContext:
- allowPrivilegeEscalation: false
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- capabilities:
- drop:
- - ALL
- ports:
- - name: api-port
- containerPort: 20001
- - name: http-metrics
- containerPort: 9090
- readinessProbe:
- httpGet:
- path: /kiali/healthz
- port: api-port
- scheme: HTTP
- initialDelaySeconds: 5
- periodSeconds: 30
- livenessProbe:
- httpGet:
- path: /kiali/healthz
- port: api-port
- scheme: HTTP
- initialDelaySeconds: 5
- periodSeconds: 30
- env:
- - name: ACTIVE_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: LOG_LEVEL
- value: "info"
- - name: LOG_FORMAT
- value: "text"
- - name: LOG_TIME_FIELD_FORMAT
- value: "2006-01-02T15:04:05Z07:00"
- - name: LOG_SAMPLER_RATE
- value: "1"
- volumeMounts:
- - name: kiali-configuration
- mountPath: "/kiali-configuration"
- - name: kiali-cert
- mountPath: "/kiali-cert"
- - name: kiali-secret
- mountPath: "/kiali-secret"
- - name: kiali-cabundle
- mountPath: "/kiali-cabundle"
- resources:
- limits:
- memory: 1Gi
- requests:
- cpu: 10m
- memory: 64Mi
- volumes:
- - name: kiali-configuration
- configMap:
- name: kiali
- - name: kiali-cert
- secret:
- secretName: istio.kiali-service-account
- optional: true
- - name: kiali-secret
- secret:
- secretName: kiali
- optional: true
- - name: kiali-cabundle
- configMap:
- name: kiali-cabundle
- optional: true
-...
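Review bot: Deleting this manifest does not revoke what it granted. The `ClusterRole` and `ClusterRoleBinding` named `kiali` are cluster-scoped and bind ServiceAccount `kiali` in `istio-system` to `patch` on workloads, `create`/`delete`/`patch` on the Istio API groups with `resources: ["*"]`, and `create` on `pods/portforward`. If any environment applied this file, the PR description should say how those objects are removed, since the file will no longer be available for `kubectl delete -f`; every object here carries the label `app.kubernetes.io/instance: kiali`, which gives a selector for the cleanup.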
diff --git a/istio-1.18.2/samples/addons/loki.yaml b/istio-1.18.2/samples/addons/loki.yaml
deleted file mode 100644
index edabc36a..00000000
--- a/istio-1.18.2/samples/addons/loki.yaml
+++ /dev/null
@@ -1,283 +0,0 @@
----
-# Source: loki/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: loki
- labels:
- helm.sh/chart: loki-4.8.0
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/version: "2.7.3"
- app.kubernetes.io/managed-by: Helm
-automountServiceAccountToken: true
----
-# Source: loki/templates/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: loki
- labels:
- helm.sh/chart: loki-4.8.0
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/version: "2.7.3"
- app.kubernetes.io/managed-by: Helm
-data:
- config.yaml: |
- auth_enabled: false
- common:
- compactor_address: 'loki'
- path_prefix: /var/loki
- replication_factor: 1
- storage:
- filesystem:
- chunks_directory: /var/loki/chunks
- rules_directory: /var/loki/rules
- limits_config:
- enforce_metric_name: false
- max_cache_freshness_per_query: 10m
- reject_old_samples: true
- reject_old_samples_max_age: 168h
- split_queries_by_interval: 15m
- memberlist:
- join_members:
- - loki-memberlist
- query_range:
- align_queries_with_step: true
- ruler:
- storage:
- type: local
- runtime_config:
- file: /etc/loki/runtime-config/runtime-config.yaml
- schema_config:
- configs:
- - from: "2022-01-11"
- index:
- period: 24h
- prefix: loki_index_
- object_store: filesystem
- schema: v12
- store: boltdb-shipper
- server:
- grpc_listen_port: 9095
- http_listen_port: 3100
- storage_config:
- hedging:
- at: 250ms
- max_per_second: 20
- up_to: 3
- table_manager:
- retention_deletes_enabled: false
- retention_period: 0
----
-# Source: loki/templates/runtime-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: loki-runtime
- labels:
- helm.sh/chart: loki-4.8.0
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/version: "2.7.3"
- app.kubernetes.io/managed-by: Helm
-data:
- runtime-config.yaml: |
-
- {}
----
-# Source: loki/templates/service-memberlist.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: loki-memberlist
- labels:
- helm.sh/chart: loki-4.8.0
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/version: "2.7.3"
- app.kubernetes.io/managed-by: Helm
-spec:
- type: ClusterIP
- clusterIP: None
- ports:
- - name: tcp
- port: 7946
- targetPort: http-memberlist
- protocol: TCP
- selector:
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/part-of: memberlist
----
-# Source: loki/templates/single-binary/service-headless.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: loki-headless
- namespace: istio-system
- labels:
- helm.sh/chart: loki-4.8.0
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/version: "2.7.3"
- app.kubernetes.io/managed-by: Helm
- variant: headless
- prometheus.io/service-monitor: "false"
-spec:
- clusterIP: None
- ports:
- - name: http-metrics
- port: 3100
- targetPort: http-metrics
- protocol: TCP
- selector:
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
----
-# Source: loki/templates/single-binary/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: loki
- labels:
- helm.sh/chart: loki-4.8.0
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/version: "2.7.3"
- app.kubernetes.io/managed-by: Helm
-spec:
- type: ClusterIP
- ports:
- - name: http-metrics
- port: 3100
- targetPort: http-metrics
- protocol: TCP
- - name: grpc
- port: 9095
- targetPort: grpc
- protocol: TCP
- selector:
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/component: single-binary
----
-# Source: loki/templates/single-binary/statefulset.yaml
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: loki
- labels:
- helm.sh/chart: loki-4.8.0
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/version: "2.7.3"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: single-binary
- app.kubernetes.io/part-of: memberlist
-spec:
- replicas: 1
- podManagementPolicy: Parallel
- updateStrategy:
- rollingUpdate:
- partition: 0
- serviceName: loki-headless
- revisionHistoryLimit: 10
-
- persistentVolumeClaimRetentionPolicy:
- whenDeleted: Delete
- whenScaled: Delete
- selector:
- matchLabels:
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/component: single-binary
- template:
- metadata:
- annotations:
- checksum/config: a9239b6352e34bbfc748669ed46cb24211fc3491ee7f2c6381af805f8f08fe29
- labels:
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/component: single-binary
- app.kubernetes.io/part-of: memberlist
- spec:
- serviceAccountName: loki
- automountServiceAccountToken: true
- enableServiceLinks: true
-
- securityContext:
- fsGroup: 10001
- runAsGroup: 10001
- runAsNonRoot: true
- runAsUser: 10001
- terminationGracePeriodSeconds: 30
- containers:
- - name: loki
- image: docker.io/grafana/loki:2.7.3
- imagePullPolicy: IfNotPresent
- args:
- - -config.file=/etc/loki/config/config.yaml
- - -target=all
- ports:
- - name: http-metrics
- containerPort: 3100
- protocol: TCP
- - name: grpc
- containerPort: 9095
- protocol: TCP
- - name: http-memberlist
- containerPort: 7946
- protocol: TCP
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- readinessProbe:
- httpGet:
- path: /ready
- port: http-metrics
- initialDelaySeconds: 30
- timeoutSeconds: 1
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: config
- mountPath: /etc/loki/config
- - name: runtime-config
- mountPath: /etc/loki/runtime-config
- - name: storage
- mountPath: /var/loki
- resources:
- {}
- affinity:
- podAntiAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: loki
- app.kubernetes.io/instance: loki
- app.kubernetes.io/component: single-binary
- topologyKey: kubernetes.io/hostname
-
- volumes:
- - name: tmp
- emptyDir: {}
- - name: config
- configMap:
- name: loki
- - name: runtime-config
- configMap:
- name: loki-runtime
- volumeClaimTemplates:
- - metadata:
- name: storage
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: "10Gi"
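Review bot: Most objects in this file set no `metadata.namespace` (only the `loki-headless` Service pins `istio-system`), so once the manifest is gone nothing in the repo records where the ServiceAccount, ConfigMaps, Services and StatefulSet were created. Please note in the PR description whether this was ever applied and to which namespace. The StatefulSet also declares a 10Gi `storage` claim with `whenDeleted: Delete`, so removing a live instance discards its log data; confirm nothing needs exporting first.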
diff --git a/istio-1.18.2/samples/addons/prometheus.yaml b/istio-1.18.2/samples/addons/prometheus.yaml
deleted file mode 100644
index f11e794a..00000000
--- a/istio-1.18.2/samples/addons/prometheus.yaml
+++ /dev/null
@@ -1,531 +0,0 @@
----
-# Source: prometheus/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-19.6.1
- heritage: Helm
- name: prometheus
- namespace: istio-system
- annotations:
- {}
----
-# Source: prometheus/templates/cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-19.6.1
- heritage: Helm
- name: prometheus
- namespace: istio-system
-data:
- allow-snippet-annotations: "false"
- alerting_rules.yml: |
- {}
- alerts: |
- {}
- prometheus.yml: |
- global:
- evaluation_interval: 1m
- scrape_interval: 15s
- scrape_timeout: 10s
- rule_files:
- - /etc/config/recording_rules.yml
- - /etc/config/alerting_rules.yml
- - /etc/config/rules
- - /etc/config/alerts
- scrape_configs:
- - job_name: prometheus
- static_configs:
- - targets:
- - localhost:9090
- - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- job_name: kubernetes-apiservers
- kubernetes_sd_configs:
- - role: endpoints
- relabel_configs:
- - action: keep
- regex: default;kubernetes;https
- source_labels:
- - __meta_kubernetes_namespace
- - __meta_kubernetes_service_name
- - __meta_kubernetes_endpoint_port_name
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- insecure_skip_verify: true
- - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- job_name: kubernetes-nodes
- kubernetes_sd_configs:
- - role: node
- relabel_configs:
- - action: labelmap
- regex: __meta_kubernetes_node_label_(.+)
- - replacement: kubernetes.default.svc:443
- target_label: __address__
- - regex: (.+)
- replacement: /api/v1/nodes/$1/proxy/metrics
- source_labels:
- - __meta_kubernetes_node_name
- target_label: __metrics_path__
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- insecure_skip_verify: true
- - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- job_name: kubernetes-nodes-cadvisor
- kubernetes_sd_configs:
- - role: node
- relabel_configs:
- - action: labelmap
- regex: __meta_kubernetes_node_label_(.+)
- - replacement: kubernetes.default.svc:443
- target_label: __address__
- - regex: (.+)
- replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
- source_labels:
- - __meta_kubernetes_node_name
- target_label: __metrics_path__
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- insecure_skip_verify: true
- - honor_labels: true
- job_name: kubernetes-service-endpoints
- kubernetes_sd_configs:
- - role: endpoints
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scrape
- - action: drop
- regex: true
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: (.+?)(?::\d+)?;(\d+)
- replacement: $1:$2
- source_labels:
- - __address__
- - __meta_kubernetes_service_annotation_prometheus_io_port
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+)
- replacement: __param_$1
- - action: labelmap
- regex: __meta_kubernetes_service_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_service_name
- target_label: service
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_node_name
- target_label: node
- - honor_labels: true
- job_name: kubernetes-service-endpoints-slow
- kubernetes_sd_configs:
- - role: endpoints
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: (.+?)(?::\d+)?;(\d+)
- replacement: $1:$2
- source_labels:
- - __address__
- - __meta_kubernetes_service_annotation_prometheus_io_port
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+)
- replacement: __param_$1
- - action: labelmap
- regex: __meta_kubernetes_service_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_service_name
- target_label: service
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_node_name
- target_label: node
- scrape_interval: 5m
- scrape_timeout: 30s
- - honor_labels: true
- job_name: prometheus-pushgateway
- kubernetes_sd_configs:
- - role: service
- relabel_configs:
- - action: keep
- regex: pushgateway
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_probe
- - honor_labels: true
- job_name: kubernetes-services
- kubernetes_sd_configs:
- - role: service
- metrics_path: /probe
- params:
- module:
- - http_2xx
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_service_annotation_prometheus_io_probe
- - source_labels:
- - __address__
- target_label: __param_target
- - replacement: blackbox
- target_label: __address__
- - source_labels:
- - __param_target
- target_label: instance
- - action: labelmap
- regex: __meta_kubernetes_service_label_(.+)
- - source_labels:
- - __meta_kubernetes_namespace
- target_label: namespace
- - source_labels:
- - __meta_kubernetes_service_name
- target_label: service
- - honor_labels: true
- job_name: kubernetes-pods
- kubernetes_sd_configs:
- - role: pod
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scrape
- - action: drop
- regex: true
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
- replacement: '[$2]:$1'
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- - __meta_kubernetes_pod_ip
- target_label: __address__
- - action: replace
- regex: (\d+);((([0-9]+?)(\.|$)){4})
- replacement: $2:$1
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- - __meta_kubernetes_pod_ip
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)
- replacement: __param_$1
- - action: labelmap
- regex: __meta_kubernetes_pod_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_name
- target_label: pod
- - action: drop
- regex: Pending|Succeeded|Failed|Completed
- source_labels:
- - __meta_kubernetes_pod_phase
- - honor_labels: true
- job_name: kubernetes-pods-slow
- kubernetes_sd_configs:
- - role: pod
- relabel_configs:
- - action: keep
- regex: true
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow
- - action: replace
- regex: (https?)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_scheme
- target_label: __scheme__
- - action: replace
- regex: (.+)
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_path
- target_label: __metrics_path__
- - action: replace
- regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
- replacement: '[$2]:$1'
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- - __meta_kubernetes_pod_ip
- target_label: __address__
- - action: replace
- regex: (\d+);((([0-9]+?)(\.|$)){4})
- replacement: $2:$1
- source_labels:
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- - __meta_kubernetes_pod_ip
- target_label: __address__
- - action: labelmap
- regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)
- replacement: __param_$1
- - action: labelmap
- regex: __meta_kubernetes_pod_label_(.+)
- - action: replace
- source_labels:
- - __meta_kubernetes_namespace
- target_label: namespace
- - action: replace
- source_labels:
- - __meta_kubernetes_pod_name
- target_label: pod
- - action: drop
- regex: Pending|Succeeded|Failed|Completed
- source_labels:
- - __meta_kubernetes_pod_phase
- scrape_interval: 5m
- scrape_timeout: 30s
- recording_rules.yml: |
- {}
- rules: |
- {}
----
-# Source: prometheus/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-19.6.1
- heritage: Helm
- name: prometheus
-rules:
- - apiGroups:
- - ""
- resources:
- - nodes
- - nodes/proxy
- - nodes/metrics
- - services
- - endpoints
- - pods
- - ingresses
- - configmaps
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses/status
- - ingresses
- verbs:
- - get
- - list
- - watch
- - nonResourceURLs:
- - "/metrics"
- verbs:
- - get
----
-# Source: prometheus/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-19.6.1
- heritage: Helm
- name: prometheus
-subjects:
- - kind: ServiceAccount
- name: prometheus
- namespace: istio-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: prometheus
----
-# Source: prometheus/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-19.6.1
- heritage: Helm
- name: prometheus
- namespace: istio-system
-spec:
- ports:
- - name: http
- port: 9090
- protocol: TCP
- targetPort: 9090
- selector:
- component: "server"
- app: prometheus
- release: prometheus
- sessionAffinity: None
- type: "ClusterIP"
----
-# Source: prometheus/templates/deploy.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-19.6.1
- heritage: Helm
- name: prometheus
- namespace: istio-system
-spec:
- selector:
- matchLabels:
- component: "server"
- app: prometheus
- release: prometheus
- replicas: 1
- strategy:
- type: Recreate
- rollingUpdate: null
- template:
- metadata:
- labels:
- component: "server"
- app: prometheus
- release: prometheus
- chart: prometheus-19.6.1
- heritage: Helm
-
- sidecar.istio.io/inject: "false"
- spec:
- enableServiceLinks: true
- serviceAccountName: prometheus
- containers:
- - name: prometheus-server-configmap-reload
- image: "jimmidyson/configmap-reload:v0.8.0"
- imagePullPolicy: "IfNotPresent"
- args:
- - --volume-dir=/etc/config
- - --webhook-url=http://127.0.0.1:9090/-/reload
- resources:
- {}
- volumeMounts:
- - name: config-volume
- mountPath: /etc/config
- readOnly: true
-
- - name: prometheus-server
- image: "prom/prometheus:v2.41.0"
- imagePullPolicy: "IfNotPresent"
- args:
- - --storage.tsdb.retention.time=15d
- - --config.file=/etc/config/prometheus.yml
- - --storage.tsdb.path=/data
- - --web.console.libraries=/etc/prometheus/console_libraries
- - --web.console.templates=/etc/prometheus/consoles
- - --web.enable-lifecycle
- ports:
- - containerPort: 9090
- readinessProbe:
- httpGet:
- path: /-/ready
- port: 9090
- scheme: HTTP
- initialDelaySeconds: 0
- periodSeconds: 5
- timeoutSeconds: 4
- failureThreshold: 3
- successThreshold: 1
- livenessProbe:
- httpGet:
- path: /-/healthy
- port: 9090
- scheme: HTTP
- initialDelaySeconds: 30
- periodSeconds: 15
- timeoutSeconds: 10
- failureThreshold: 3
- successThreshold: 1
- resources:
- {}
- volumeMounts:
- - name: config-volume
- mountPath: /etc/config
- - name: storage-volume
- mountPath: /data
- subPath: ""
- dnsPolicy: ClusterFirst
- securityContext:
- fsGroup: 65534
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- terminationGracePeriodSeconds: 300
- volumes:
- - name: config-volume
- configMap:
- name: prometheus
- - name: storage-volume
- emptyDir:
- {}
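Review bot: The `ClusterRole` and `ClusterRoleBinding` named `prometheus` in this file are cluster-scoped and give ServiceAccount `prometheus` in `istio-system` `get`/`list`/`watch` on `nodes/proxy`, `pods`, `configmaps` and more; removing the file from the repo leaves them in place wherever it was applied, so the cleanup step should be documented. If a replacement scrape config is added elsewhere, do not carry over `insecure_skip_verify: true` from the `kubernetes-apiservers`, `kubernetes-nodes` and `kubernetes-nodes-cadvisor` jobs: each already sets `ca_file`, so certificate verification can stay enabled.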
diff --git a/istio-1.18.2/samples/bookinfo/README.md b/istio-1.18.2/samples/bookinfo/README.md
deleted file mode 100644
index 7683b21b..00000000
--- a/istio-1.18.2/samples/bookinfo/README.md
+++ /dev/null
@@ -1,100 +0,0 @@
-# Bookinfo Sample
-
-See .
-
-**Note**: We need the owner of the PR to perform the appropriate testing with built/pushed images to their own docker repository before we would build/push images to the official Istio repository.
-
-## Build docker images
-
-```bash
-cd samples/bookinfo
-src/build-services.sh
-```
-
-Where `` is the tag and `` is the docker registry to tag the images.
-
-For example:
-
-```bash
-$ src/build-services.sh 1.16.3 docker.io/shamsher31
-Sending build context to Docker daemon 1.218MB
-Step 1/16 : FROM python:3.7.7-slim
-3.7.7-slim: Pulling from library/python
-8559a31e96f4: Pull complete
-...
-Successfully built 1b293582cc2e
-Successfully tagged shamsher31/examples-bookinfo-ratings-v2:1.16.3
-Successfully tagged shamsher31/examples-bookinfo-ratings-v2:latest
-```
-
-The bookinfo versions are different from Istio versions since the sample should work with any version of Istio.
-
-## Push docker images to docker hub
-
-After the local build is successful, you need to update the YAML file with the latest tag that you used during the build eg: `1.16.3`.
-
-Run the following script to build the docker images, push them to docker hub, and to update the YAML files in one step.
-
-```bash
-./build_push_update_images.sh
-```
-
-For example:
-
-```bash
-$ ./build_push_update_images.sh 1.16.3 --prefix=shamsher31
-...
-1.16.3: digest: sha256:70634d3847a190b9826975c8 size: 3883
-Pushing: shamsher31/examples-bookinfo-reviews-v2:1.16.3
-The push refers to a repository [docker.io/shamsher31/examples-bookinfo-reviews-v2]
-...
-```
-
-Verify that expected tag eg: `1.16.3` is updated in `platform/kube/bookinfo*.yaml` files.
-
-## Tests
-
-Test that the bookinfo samples work with the latest tag eg: `1.16.3` that you pushed.
-
-```bash
-$ cd ../../
-$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
-serviceaccount/bookinfo-details created
-deployment.apps/details-v1 created
-serviceaccount/bookinfo-ratings created
-...
-```
-
-Wait for all the pods to be in `Running` start.
-
-```bash
-$ kubectl get pods
-NAME READY STATUS RESTARTS AGE
-details-v1-7f556f5c6b-485l2 2/2 Running 0 10m
-productpage-v1-84c8f95c8d-tlml2 2/2 Running 0 10m
-ratings-v1-66777f856b-2ls78 2/2 Running 0 10m
-reviews-v1-64c47f4f44-rx642 2/2 Running 0 10m
-reviews-v2-66b6b95f44-s5nt6 2/2 Running 0 10m
-reviews-v3-7f69dd7fd4-zjvc8 2/2 Running 0 10m
-```
-
-Once all the pods are in the `Running` state. Test if the bookinfo works through cli.
-
-```bash
-$ kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*"
-Simple Bookstore App
-```
-
-You can also test it by hitting productpage in the browser.
-
-```bash
-http://192.168.39.116:31395/productpage
-```
-
-You should see the following in the browser.
-
-![star](https://user-images.githubusercontent.com/2920003/86032538-212ff900-ba55-11ea-9492-d4bc90656a02.png)
-
-**Note**: If everything works as mentioned above, request a new official set of images be built and pushed from the reviewer, and add another commit to the original PR with the version changes.
-
-Bookinfo is tested by istio.io integration tests. You can find them under [tests](https://github.com/istio/istio.io/tree/master/tests) in the [istio/istio.io](https://github.com/istio/istio.io) repository.
diff --git a/istio-1.18.2/samples/bookinfo/build_push_update_images.sh b/istio-1.18.2/samples/bookinfo/build_push_update_images.sh
deleted file mode 100755
index dfdff985..00000000
--- a/istio-1.18.2/samples/bookinfo/build_push_update_images.sh
+++ /dev/null
@@ -1,130 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -o errexit
-
-display_usage() {
- echo
- echo "USAGE: ./build_push_update_images.sh [-h|--help] [--prefix=value] [--scan-images] [--multiarch-images]"
- echo " version: Version of the sample app images (Required)"
- echo " -h|--help: Prints usage information"
- echo " --prefix: Use the value as the prefix for image names. By default, 'istio' is used"
- echo -e " --scan-images: Enable security vulnerability scans for docker images \n\t\t\trelated to bookinfo sample apps. By default, this feature \n\t\t\tis disabled."
- echo -e " --multiarch-images : Enables building and pushing multiarch docker images \n\t\t\trelated to bookinfo sample apps. By default, this feature \n\t\t\tis disabled."
-}
-
-# Print usage information for help
-if [[ "$1" == "-h" || "$1" == "--help" ]]; then
- display_usage
- exit 0
-fi
-
-# Check if there is at least one input argument
-if [[ -z "$1" ]] ; then
- echo "Missing version parameter"
- display_usage
- exit 1
-else
- VERSION="$1"
- shift
-fi
-
-# Process the input arguments. By default, image scanning is disabled.
-PREFIX=istio
-ENABLE_IMAGE_SCAN=false
-ENABLE_MULTIARCH_IMAGES=false
-echo "$@"
-for i in "$@"
-do
- case "$i" in
- --prefix=* )
- PREFIX="${i#--prefix=}" ;;
- --scan-images )
- ENABLE_IMAGE_SCAN=true ;;
- --multiarch-images )
- ENABLE_MULTIARCH_IMAGES=true ;;
- -h|--help )
- echo
- echo "Build the docker images for bookinfo sample apps, push them to docker hub and update the yaml files."
- display_usage
- exit 0 ;;
- * )
- echo "Unknown argument: $i"
- display_usage
- exit 1 ;;
- esac
-done
-
-# Build docker images
-ENABLE_MULTIARCH_IMAGES="${ENABLE_MULTIARCH_IMAGES}" src/build-services.sh "${VERSION}" "${PREFIX}"
-
-# Currently the `--load` argument does not work for multi arch images
-# Remove this once https://github.com/docker/buildx/issues/59 is addressed.
-if [[ "${ENABLE_MULTIARCH_IMAGES}" == "false" ]]; then
- # Get all the new image names and tags
- for v in ${VERSION} "latest"
- do
- IMAGES+=$(docker images -f reference="${PREFIX}/examples-bookinfo*:$v" --format "{{.Repository}}:$v")
- IMAGES+=" "
- done
-
- # Check that $IMAGES contains the images we've just built
- if [[ "${IMAGES}" =~ ^\ +$ ]] ; then
- echo "Found no images matching prefix \"${PREFIX}/examples-bookinfo\"."
- echo "Try running the script without specifying the image registry in --prefix (e.g. --prefix=/foo instead of --prefix=docker.io/foo)."
- exit 1
- fi
-fi
-
-#
-# Run security vulnerability scanning on bookinfo sample app images using
-# trivy. If the image has vulnerabilities, the file will have a .failed
-# suffix. A successful scan will have a .passed suffix.
-function run_vulnerability_scanning() {
- RESULT_DIR="vulnerability_scan_results"
- mkdir -p "$RESULT_DIR"
- # skip-dir added to prevent timeout of review images
- set +e
- trivy image --ignore-unfixed --no-progress --exit-code 2 --skip-dirs /opt/ol/wlp --output "$RESULT_DIR/$1_$VERSION.failed" "$2"
- test $? -ne 0 || mv "$RESULT_DIR/$1_$VERSION.failed" "$RESULT_DIR/$1_$VERSION.passed"
- set -e
-}
-
-# Push images. Scan images if ENABLE_IMAGE_SCAN is true.
-for IMAGE in ${IMAGES};
-do
- # Multiarch images have already been pushed using buildx build
- if [[ "${ENABLE_MULTIARCH_IMAGES}" == "false" ]]; then
- echo "Pushing: ${IMAGE}"
- docker push "${IMAGE}";
- fi
-
- # $IMAGE has the following format: istio/examples-bookinfo*:"$v".
- # We want to get the sample app name from $IMAGE (the examples-bookinfo* portion)
- # to create the file to store the results of the scan for that image. The first
- # part of the $IMAGE_NAME gets examples-bookinfo*:"$v", and the second part gets
- # 'examples-bookinfo*'.
- if [[ "$ENABLE_IMAGE_SCAN" == "true" ]]; then
- echo "Scanning ${IMAGE} for security vulnerabilities"
- IMAGE_NAME=${IMAGE#*/}
- IMAGE_NAME=${IMAGE_NAME%:*}
- run_vulnerability_scanning "${IMAGE_NAME}" "${IMAGE}"
- fi
-done
-
-# Update image references in the yaml files
-find ./platform -name "*bookinfo*.yaml" -exec sed -i.bak "s#image:.*\\(\\/examples-bookinfo-.*\\):.*#image: ${PREFIX//\//\\/}\\1:$VERSION#g" {} +
-
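Review bot: In the push loop at the end of this script, `docker push "${IMAGE}"` runs before `run_vulnerability_scanning`, and the trivy exit code only decides whether the report file is named `.failed` or `.passed`, so an image with findings is already published when it gets scanned and the run still succeeds. The script also only fills `IMAGES` inside the `ENABLE_MULTIARCH_IMAGES == "false"` branch, so `--multiarch-images --scan-images` loops over an empty list and scans nothing without reporting it. Since the file is removed here, please confirm that whatever builds these images now scans before pushing and fails the job on a non-zero trivy exit.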
diff --git a/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml b/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml
deleted file mode 100644
index 4edaba40..00000000
--- a/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-# IOP configuration used to install the demo profile without gateways.
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- profile: demo
- components:
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
- egressGateways:
- - name: istio-egressgateway
- enabled: false
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
deleted file mode 100644
index 3870a4cc..00000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: Gateway
-metadata:
- name: bookinfo-gateway
-spec:
- gatewayClassName: istio
- listeners:
- - name: http
- port: 80
- protocol: HTTP
- allowedRoutes:
- namespaces:
- from: Same
----
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: bookinfo
-spec:
- parentRefs:
- - name: bookinfo-gateway
- rules:
- - matches:
- - path:
- type: Exact
- value: /productpage
- - path:
- type: PathPrefix
- value: /static
- - path:
- type: Exact
- value: /login
- - path:
- type: Exact
- value: /logout
- - path:
- type: PathPrefix
- value: /api/v1/products
- backendRefs:
- - name: productpage
- port: 9080
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml
deleted file mode 100644
index 9496ed2e..00000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
----
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: productpage
-spec:
- parentRefs:
- - kind: Service
- name: productpage
- port: 9080
- rules:
- - backendRefs:
- - name: productpage-v1
- port: 9080
----
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: ratings
-spec:
- parentRefs:
- - kind: Service
- name: ratings
- port: 9080
- rules:
- - backendRefs:
- - name: ratings-v1
- port: 9080
----
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: details
-spec:
- parentRefs:
- - kind: Service
- name: details
- port: 9080
- rules:
- - backendRefs:
- - name: details-v1
- port: 9080
----
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml
deleted file mode 100644
index 76bbea8f..00000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
- weight: 50
- - name: reviews-v3
- port: 9080
- weight: 50
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml
deleted file mode 100644
index f74349fe..00000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
- weight: 90
- - name: reviews-v2
- port: 9080
- weight: 10
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml
deleted file mode 100644
index 8e11bcd9..00000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml
deleted file mode 100644
index b5515fd1..00000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v3
- port: 9080
diff --git a/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml b/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml
deleted file mode 100644
index 948682dc..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: bookinfo-gateway
-spec:
- # The selector matches the ingress gateway pod labels.
- # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
- selector:
- istio: ingressgateway # use istio default controller
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: bookinfo
-spec:
- hosts:
- - "*"
- gateways:
- - bookinfo-gateway
- http:
- - match:
- - uri:
- exact: /productpage
- - uri:
- prefix: /static
- - uri:
- exact: /login
- - uri:
- exact: /logout
- - uri:
- prefix: /api/v1/products
- route:
- - destination:
- host: productpage
- port:
- number: 9080
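Review bot: The Gateway server in this manifest accepts `hosts: "*"` on port 80 with `protocol: HTTP`, and the VirtualService bound to it also uses `hosts: "*"`, so `/login` and `/logout` are routed over plaintext for any Host header. If a replacement for this sample is kept elsewhere in the repository, give it a named host and an HTTPS server with a `tls` block; otherwise please confirm nothing still applies this file by path.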
diff --git a/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml b/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml
deleted file mode 100644
index 3fa65378..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: cert-manager-gateway
- namespace: istio-system
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: cert-manager
- namespace: istio-system
-spec:
- hosts:
- - "*"
- gateways:
- - cert-manager-gateway
- http:
- - match:
- - uri:
- prefix: /.well-known/acme-challenge/
- route:
- - destination:
- host: cert-manager-resolver
- port:
- number: 8089
diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml
deleted file mode 100644
index 2a19c3fb..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: productpage
-spec:
- host: productpage
- trafficPolicy:
- tls:
- mode: ISTIO_MUTUAL
- subsets:
- - name: v1
- labels:
- version: v1
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: reviews
-spec:
- host: reviews
- trafficPolicy:
- tls:
- mode: ISTIO_MUTUAL
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
- - name: v3
- labels:
- version: v3
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: ratings
-spec:
- host: ratings
- trafficPolicy:
- tls:
- mode: ISTIO_MUTUAL
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
- - name: v2-mysql
- labels:
- version: v2-mysql
- - name: v2-mysql-vm
- labels:
- version: v2-mysql-vm
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: details
-spec:
- host: details
- trafficPolicy:
- tls:
- mode: ISTIO_MUTUAL
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
----
diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml
deleted file mode 100644
index 96be6993..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: productpage
-spec:
- host: productpage
- subsets:
- - name: v1
- labels:
- version: v1
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: reviews
-spec:
- host: reviews
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
- - name: v3
- labels:
- version: v3
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: ratings
-spec:
- host: ratings
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
- - name: v2-mysql
- labels:
- version: v2-mysql
- - name: v2-mysql-vm
- labels:
- version: v2-mysql-vm
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: details
-spec:
- host: details
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
----
diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml
deleted file mode 100644
index 69f30f1d..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: reviews
-spec:
- host: reviews
- trafficPolicy:
- loadBalancer:
- simple: RANDOM
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
- - name: v3
- labels:
- version: v3
diff --git a/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml b/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml
deleted file mode 100644
index d35e3ac1..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: googleapis
-spec:
- hosts:
- - www.googleapis.com
- ports:
- - number: 80
- name: http
- protocol: HTTP
- - number: 443
- name: https
- protocol: HTTPS
- resolution: DNS
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: rewrite-port-for-googleapis
-spec:
- hosts:
- - www.googleapis.com
- http:
- - match:
- - port: 80
- route:
- - destination:
- host: www.googleapis.com
- port:
- number: 443
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: originate-tls-for-googleapis
-spec:
- host: www.googleapis.com
- trafficPolicy:
- loadBalancer:
- simple: ROUND_ROBIN
- portLevelSettings:
- - port:
- number: 443
- tls:
- mode: SIMPLE # initiates HTTPS when accessing www.googleapis.com
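Review bot: The DestinationRule `originate-tls-for-googleapis` sets only `mode: SIMPLE` under `tls`, with no `caCertificates`, `subjectAltNames` or `sni`, so nothing in these lines states how the certificate presented by www.googleapis.com is validated. The ServiceEntry also keeps port 80 open as HTTP and relies on the VirtualService rewrite to 443 for encryption. If this pattern is reused once the vendored copy is gone, state the CA bundle and the expected SAN explicitly in the rule.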
diff --git a/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml b/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml
deleted file mode 100644
index c4550925..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: details
-spec:
- hosts:
- - details
- http:
- - fault:
- abort:
- httpStatus: 555
- percentage:
- value: 100
- route:
- - destination:
- host: details
- subset: v1
- - route:
- - destination:
- host: details
- subset: v1
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: details
-spec:
- host: details
- subsets:
- - name: v1
- labels:
- version: v1
\ No newline at end of file
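Review bot: The first `http` entry carries `fault.abort` at `percentage: value: 100` and has no `match`, so it catches every request to `details` and the second, fault-free route below it can never be selected. If the sample is carried forward anywhere, either scope the fault with a `match` or drop the dead route; the file also ends without a trailing newline.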
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml
deleted file mode 100644
index 6811e31d..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: productpage
-spec:
- hosts:
- - productpage
- http:
- - route:
- - destination:
- host: productpage
- subset: v1
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v1
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - route:
- - destination:
- host: ratings
- subset: v1
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: details
-spec:
- hosts:
- - details
- http:
- - route:
- - destination:
- host: details
- subset: v1
----
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml
deleted file mode 100644
index 5f21fa53..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: details
-spec:
- hosts:
- - details
- http:
- - route:
- - destination:
- host: details
- subset: v2
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml
deleted file mode 100644
index 1698ec24..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v3
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - route:
- - destination:
- host: ratings
- subset: v2
----
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml
deleted file mode 100644
index fdf88270..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v3
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - route:
- - destination:
- host: ratings
- subset: v2-mysql-vm
----
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml
deleted file mode 100644
index 03a700ea..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v3
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - route:
- - destination:
- host: ratings
- subset: v2-mysql
----
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml
deleted file mode 100644
index 51c6fe9c..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - match:
- - headers:
- end-user:
- exact: jason
- fault:
- abort:
- percentage:
- value: 100.0
- httpStatus: 500
- route:
- - destination:
- host: ratings
- subset: v1
- - route:
- - destination:
- host: ratings
- subset: v1
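Review bot: The `match` in this rule keys the injected 500 on the request header `end-user` with `exact: jason`, and nothing in the visible config shows that header being set or stripped by a trusted hop, so any caller able to add it selects the fault path. That is acceptable for a demo, but the same header match appears in the reviews routing samples in this patch; if any of them were adapted for real traffic steering, match on an identity the mesh authenticates rather than a plain header.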
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml
deleted file mode 100644
index 6c4e19da..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - match:
- - headers:
- end-user:
- exact: jason
- fault:
- delay:
- percentage:
- value: 100.0
- fixedDelay: 7s
- route:
- - destination:
- host: ratings
- subset: v1
- - route:
- - destination:
- host: ratings
- subset: v1
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
deleted file mode 100644
index aad8c317..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v1
- weight: 50
- - destination:
- host: reviews
- subset: v3
- weight: 50
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml
deleted file mode 100644
index 7304d867..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v1
- weight: 80
- - destination:
- host: reviews
- subset: v2
- weight: 20
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
deleted file mode 100644
index d211dd16..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v1
- weight: 90
- - destination:
- host: reviews
- subset: v2
- weight: 10
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml
deleted file mode 100644
index fb357136..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - match:
- - headers:
- end-user:
- exact: jason
- route:
- - destination:
- host: reviews
- subset: v2
- - route:
- - destination:
- host: reviews
- subset: v3
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
deleted file mode 100644
index ea07efb2..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - match:
- - headers:
- end-user:
- exact: jason
- route:
- - destination:
- host: reviews
- subset: v2
- - route:
- - destination:
- host: reviews
- subset: v1
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml
deleted file mode 100644
index 7ae7b804..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v2
- weight: 50
- - destination:
- host: reviews
- subset: v3
- weight: 50
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml
deleted file mode 100644
index 5da999d4..00000000
--- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v3
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/README.md b/istio-1.18.2/samples/bookinfo/platform/kube/README.md
deleted file mode 100644
index d1189bec..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/README.md
+++ /dev/null
@@ -1,2 +0,0 @@
-See the [Bookinfo guide](https://istio.io/docs/guides/bookinfo.html) in Istio
-docs for instructions on how to run this demo application.
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml
deleted file mode 100644
index bce874dc..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: ClusterIssuer
-metadata:
- name: letsencrypt-staging
- namespace: istio-system
-spec:
- acme:
- # The ACME server URL
- server: https://acme-staging-v02.api.letsencrypt.org/directory
- # Email address used for ACME registration
- email: stage@istio.io
- # Name of a secret used to store the ACME account private key
- privateKeySecretRef:
- name: letsencrypt-staging
- # Enable the HTTP-01 challenge provider
- http01: {}
----
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: Certificate
-metadata:
- name: istio-ingressgateway-certs
- namespace: istio-system
-spec:
- secretName: istio-ingressgateway-certs
- issuerRef:
- name: letsencrypt-staging
- kind: ClusterIssuer
- commonName: bookinfo.example.com
- dnsNames:
- - bookinfo.example.com
- acme:
- config:
- - http01:
- ingressClass: none
- domains:
- - bookinfo.example.com
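Review bot: Both objects use `apiVersion: certmanager.k8s.io/v1alpha1`, the API group cert-manager used before it moved to `cert-manager.io`, and the `ClusterIssuer` carries `namespace: istio-system` even though that kind is cluster-scoped. The issuer also points at the Let's Encrypt staging directory, whose certificates clients do not trust. Removing the file is reasonable; if issuance for the ingress gateway is still wanted, write it against the current API rather than restoring this manifest.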
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml
deleted file mode 100644
index 474410c8..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Service
-metadata:
- name: mongodb
- labels:
- app: mongodb
- service: mongodb
-spec:
- ports:
- - port: 27017
- name: mongo
- selector:
- app: mongodb
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: mongodb-v1
- labels:
- app: mongodb
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: mongodb
- version: v1
- template:
- metadata:
- labels:
- app: mongodb
- version: v1
- spec:
- containers:
- - name: mongodb
- image: docker.io/istio/examples-bookinfo-mongodb:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 27017
- volumeMounts:
- - name: data-db
- mountPath: /data/db
- volumes:
- - name: data-db
- emptyDir: {}
----
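Review bot: The `mongodb` container spec has no `securityContext` at all (the details Deployments in this patch at least set `runAsUser: 1000`), and the image is referenced by tag, `docker.io/istio/examples-bookinfo-mongodb:1.17.0`, rather than by digest. If this Deployment is re-created outside the vendored tree, add `runAsNonRoot: true` and `allowPrivilegeEscalation: false` and pin the image digest.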
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
deleted file mode 100644
index e5a0e73c..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Details service v2
-##################################################################################################
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: details-v2
- labels:
- app: details
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: details
- version: v2
- template:
- metadata:
- labels:
- app: details
- version: v2
- spec:
- containers:
- - name: details
- image: docker.io/istio/examples-bookinfo-details-v2:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- env:
- - name: DO_NOT_ENCRYPT
- value: "true"
- securityContext:
- runAsUser: 1000
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml
deleted file mode 100644
index 6cb7db36..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Details service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: details
- labels:
- app: details
- service: details
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: details-v1
- labels:
- app: details
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: details
- version: v1
- template:
- metadata:
- labels:
- app: details
- version: v1
- spec:
- containers:
- - name: details
- image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- securityContext:
- runAsUser: 1000
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml
deleted file mode 100644
index e2143399..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-###########################################################################
-# Ingress resource (gateway)
-##########################################################################
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: gateway
- annotations:
- kubernetes.io/ingress.class: "istio"
-spec:
- rules:
- - http:
- paths:
- - path: /productpage
- pathType: Exact
- backend:
- service:
- name: productpage
- port:
- number: 9080
- - path: /static/
- pathType: Prefix
- backend:
- service:
- name: productpage
- port:
- number: 9080
- - path: /login
- pathType: Exact
- backend:
- service:
- name: productpage
- port:
- number: 9080
- - path: /logout
- pathType: Exact
- backend:
- service:
- name: productpage
- port:
- number: 9080
- - path: /api/v1/products
- pathType: Prefix
- backend:
- service:
- name: productpage
- port:
- number: 9080
----
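Review bot: The Ingress selects its controller through the `kubernetes.io/ingress.class: "istio"` annotation while declaring `apiVersion: networking.k8s.io/v1`, where `spec.ingressClassName` is the field to use, and the spec has no `tls` section for the paths it exposes. If an Ingress for productpage is still needed after this removal, set `ingressClassName` and add a `tls` entry with a host instead of reviving this file.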
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml
deleted file mode 100644
index 073fee46..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Mysql db services
-# credentials: root/password
-##################################################################################################
-apiVersion: v1
-kind: Secret
-metadata:
- name: mysql-credentials
-type: Opaque
-data:
- rootpasswd: cGFzc3dvcmQ=
----
-apiVersion: v1
-kind: Service
-metadata:
- name: mysqldb
- labels:
- app: mysqldb
- service: mysqldb
-spec:
- ports:
- - port: 3306
- name: tcp
- selector:
- app: mysqldb
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: mysqldb-v1
- labels:
- app: mysqldb
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: mysqldb
- version: v1
- template:
- metadata:
- labels:
- app: mysqldb
- version: v1
- spec:
- containers:
- - name: mysqldb
- image: docker.io/istio/examples-bookinfo-mysqldb:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 3306
- env:
- - name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: mysql-credentials
- key: rootpasswd
- args: ["--default-authentication-plugin","mysql_native_password"]
- volumeMounts:
- - name: var-lib-mysql
- mountPath: /var/lib/mysql
- volumes:
- - name: var-lib-mysql
- emptyDir: {}
----
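Review bot: The `rootpasswd: cGFzc3dvcmQ=` value in the removed Secret is only base64-encoded, and the banner comment above it already states the credential as `root/password`, so deleting the file retracts nothing: the value stays in git history and matches the public sample. What needs checking is whether a `mysqldb-v1` Deployment was ever applied from this copy; if so, remove it or change `MYSQL_ROOT_PASSWORD` on the cluster, because this commit does not touch running resources.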
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml
deleted file mode 100644
index 5b65de63..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml
+++ /dev/null
@@ -1,369 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# This file defines the same services, service accounts, and deployments as bookinfo.yaml with
-# added securityContext fields to allow the bookinfo demo to run on a PodSecurityAdmission
-# enabled cluster that enforces the baseline policy.
-##################################################################################################
-
-##################################################################################################
-# Details service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: details
- labels:
- app: details
- service: details
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-details
- labels:
- account: details
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: details-v1
- labels:
- app: details
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: details
- version: v1
- template:
- metadata:
- labels:
- app: details
- version: v1
- spec:
- serviceAccountName: bookinfo-details
- containers:
- - name: details
- image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- securityContext:
- runAsUser: 1000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
----
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-ratings
- labels:
- account: ratings
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v1
- labels:
- app: ratings
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v1
- template:
- metadata:
- labels:
- app: ratings
- version: v1
- spec:
- serviceAccountName: bookinfo-ratings
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- securityContext:
- runAsUser: 1000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
----
-##################################################################################################
-# Reviews service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews
- labels:
- app: reviews
- service: reviews
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-reviews
- labels:
- account: reviews
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v1
- labels:
- app: reviews
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v1
- template:
- metadata:
- labels:
- app: reviews
- version: v1
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- securityContext:
- runAsUser: 1000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v2
- labels:
- app: reviews
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v2
- template:
- metadata:
- labels:
- app: reviews
- version: v2
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- securityContext:
- runAsUser: 1000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v3
- labels:
- app: reviews
- version: v3
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v3
- template:
- metadata:
- labels:
- app: reviews
- version: v3
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- securityContext:
- runAsUser: 1000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-##################################################################################################
-# Productpage services
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage
- labels:
- app: productpage
- service: productpage
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-productpage
- labels:
- account: productpage
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: productpage-v1
- labels:
- app: productpage
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: productpage
- version: v1
- template:
- metadata:
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "9080"
- prometheus.io/path: "/metrics"
- labels:
- app: productpage
- version: v1
- spec:
- serviceAccountName: bookinfo-productpage
- containers:
- - name: productpage
- image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- securityContext:
- runAsUser: 1000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
- volumes:
- - name: tmp
- emptyDir: {}
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml
deleted file mode 100644
index 61c4b7f1..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
deleted file mode 100644
index 1024c75c..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v2-mysql-vm
- labels:
- app: ratings
- version: v2-mysql-vm
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v2-mysql-vm
- template:
- metadata:
- labels:
- app: ratings
- version: v2-mysql-vm
- spec:
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0
- imagePullPolicy: IfNotPresent
- env:
- # This assumes you registered your mysql vm as
- # istioctl register -n vm mysqldb 1.2.3.4 3306
- - name: DB_TYPE
- value: "mysql"
- - name: MYSQL_DB_HOST
- value: mysqldb.vm.svc.cluster.local
- - name: MYSQL_DB_PORT
- value: "3306"
- - name: MYSQL_DB_USER
- value: root
- - name: MYSQL_DB_PASSWORD
- value: password
- ports:
- - containerPort: 9080
- securityContext:
- runAsUser: 1000
----
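Review bot: `MYSQL_DB_USER` is set to `root` and `MYSQL_DB_PASSWORD` to `password` as literal env values in this Deployment, unlike bookinfo-mysql.yaml, which at least reads the password through `secretKeyRef`. Literal env values are readable by anyone who can get the Deployment spec. Before merging, search the repo for manifests copied from this sample and move them to a Secret reference with a non-root database user; the same literals appear in bookinfo-ratings-v2-mysql.yaml.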
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
deleted file mode 100644
index 09c4610a..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v2-mysql
- labels:
- app: ratings
- version: v2-mysql
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v2-mysql
- template:
- metadata:
- labels:
- app: ratings
- version: v2-mysql
- spec:
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0
- imagePullPolicy: IfNotPresent
- env:
- # ratings-v2 will use mongodb as the default db backend.
- # if you would like to use mysqldb then you can use this file
- # which sets DB_TYPE = 'mysql' and the rest of the parameters shown
- # here and also create the # mysqldb service using bookinfo-mysql.yaml
- # NOTE: This file is mutually exclusive to bookinfo-ratings-v2.yaml
- - name: DB_TYPE
- value: "mysql"
- - name: MYSQL_DB_HOST
- value: mysqldb
- - name: MYSQL_DB_PORT
- value: "3306"
- - name: MYSQL_DB_USER
- value: root
- - name: MYSQL_DB_PASSWORD
- value: password
- ports:
- - containerPort: 9080
- securityContext:
- runAsUser: 1000
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
deleted file mode 100644
index a645d19a..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-ratings-v2
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v2
- labels:
- app: ratings
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v2
- template:
- metadata:
- labels:
- app: ratings
- version: v2
- spec:
- serviceAccountName: bookinfo-ratings-v2
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0
- imagePullPolicy: IfNotPresent
- env:
- # ratings-v2 will use mongodb as the default db backend.
- # if you would like to use mysqldb then set DB_TYPE = 'mysql', set
- # the rest of the parameters shown here and also create the
- # mysqldb service using bookinfo-mysql.yaml
- # - name: DB_TYPE #default to
- # value: "mysql"
- # - name: MYSQL_DB_HOST
- # value: mysqldb
- # - name: MYSQL_DB_PORT
- # value: "3306"
- # - name: MYSQL_DB_USER
- # value: root
- # - name: MYSQL_DB_PASSWORD
- # value: password
- - name: MONGO_DB_URL
- value: mongodb://mongodb:27017/test
- ports:
- - containerPort: 9080
- securityContext:
- runAsUser: 1000
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml
deleted file mode 100644
index 08c9040d..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v1
- labels:
- app: ratings
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v1
- template:
- metadata:
- labels:
- app: ratings
- version: v1
- spec:
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- securityContext:
- runAsUser: 1000
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
deleted file mode 100644
index 4acc6b26..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Reviews service v2
-##################################################################################################
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v2
- labels:
- app: reviews
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v2
- template:
- metadata:
- labels:
- app: reviews
- version: v2
- spec:
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- securityContext:
- runAsUser: 1000
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml
deleted file mode 100644
index c374bbee..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v2
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v2
----
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v3
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v3
----
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: details-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
- version: v1
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml
deleted file mode 100644
index 4699e3e7..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml
+++ /dev/null
@@ -1,347 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# This file defines the services, service accounts, and deployments for the Bookinfo sample.
-#
-# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments:
-#
-# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
-#
-# Alternatively, you can deploy any resource separately:
-#
-# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service
-# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount
-# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment
-##################################################################################################
-
-##################################################################################################
-# Details service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: details
- labels:
- app: details
- service: details
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-details
- labels:
- account: details
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: details-v1
- labels:
- app: details
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: details
- version: v1
- template:
- metadata:
- labels:
- app: details
- version: v1
- spec:
- serviceAccountName: bookinfo-details
- containers:
- - name: details
- image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- securityContext:
- runAsUser: 1000
----
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-ratings
- labels:
- account: ratings
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v1
- labels:
- app: ratings
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v1
- template:
- metadata:
- labels:
- app: ratings
- version: v1
- spec:
- serviceAccountName: bookinfo-ratings
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- securityContext:
- runAsUser: 1000
----
-##################################################################################################
-# Reviews service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews
- labels:
- app: reviews
- service: reviews
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-reviews
- labels:
- account: reviews
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v1
- labels:
- app: reviews
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v1
- template:
- metadata:
- labels:
- app: reviews
- version: v1
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- securityContext:
- runAsUser: 1000
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v2
- labels:
- app: reviews
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v2
- template:
- metadata:
- labels:
- app: reviews
- version: v2
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- securityContext:
- runAsUser: 1000
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v3
- labels:
- app: reviews
- version: v3
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v3
- template:
- metadata:
- labels:
- app: reviews
- version: v3
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- securityContext:
- runAsUser: 1000
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-##################################################################################################
-# Productpage services
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage
- labels:
- app: productpage
- service: productpage
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-productpage
- labels:
- account: productpage
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: productpage-v1
- labels:
- app: productpage
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: productpage
- version: v1
- template:
- metadata:
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "9080"
- prometheus.io/path: "/metrics"
- labels:
- app: productpage
- version: v1
- spec:
- serviceAccountName: bookinfo-productpage
- containers:
- - name: productpage
- image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- securityContext:
- runAsUser: 1000
- volumes:
- - name: tmp
- emptyDir: {}
----
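Review bot: Add `istio-1.18.2/` to `.gitignore` in this change. The header comment's `kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml` path is relative to an Istio release root, which suggests the directory was an unpacked release download committed by accident, and without an ignore rule the next `git add .` will bring all of it back. The commit message should also say where these samples are expected to come from after the removal.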
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh b/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh
deleted file mode 100755
index bdf700d1..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/bash
-#
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-
-# only ask if in interactive mode
-if [[ -t 0 && -z ${NAMESPACE} ]];then
- echo -n "namespace ? [default] "
- read -r NAMESPACE
-fi
-
-# verify if the namespace exists, otherwise use default namespace
-if [[ -n ${NAMESPACE} ]];then
- ns=$(kubectl get namespace "${NAMESPACE}" --no-headers --output=go-template="{{.metadata.name}}" 2>/dev/null)
- if [[ -z ${ns} ]];then
- echo "NAMESPACE ${NAMESPACE} not found."
- NAMESPACE=default
- fi
-fi
-
-# if no namespace is provided, use default namespace
-if [[ -z ${NAMESPACE} ]];then
- NAMESPACE=default
-fi
-
-echo "using NAMESPACE=${NAMESPACE}"
-
-# clean up Istio traffic management resources that may have been used
-protos=( destinationrules virtualservices gateways )
-for proto in "${protos[@]}"; do
- for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do
- kubectl delete -n "${NAMESPACE}" "$resource";
- done
-done
-
-# clean up Gateway API resources that may have been used
-if kubectl get crd gateways.gateway.networking.k8s.io >/dev/null 2>&1; then
- protos=( httproutes gateways.gateway.networking.k8s.io )
- for proto in "${protos[@]}"; do
- for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do
- kubectl delete -n "${NAMESPACE}" "$resource";
- done
- done
- kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo-versions.yaml" >/dev/null 2>&1
-fi
-
-OUTPUT=$(mktemp)
-export OUTPUT
-echo "Application cleanup may take up to one minute"
-kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo.yaml" > "${OUTPUT}" 2>&1
-ret=$?
-function cleanup() {
- rm -f "${OUTPUT}"
-}
-
-trap cleanup EXIT
-
-if [[ ${ret} -eq 0 ]];then
- cat "${OUTPUT}"
-else
- # ignore NotFound errors
- OUT2=$(grep -v NotFound "${OUTPUT}")
- if [[ -n ${OUT2} ]];then
- cat "${OUTPUT}"
- exit ${ret}
- fi
-fi
-
-# wait for 30 sec for bookinfo to clean up
-sleep 30
-
-echo "Application cleanup successful"
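Review bot: Nothing in this change shows that callers of cleanup.sh were checked. The script itself only depends on `$SCRIPTDIR/bookinfo.yaml` and `$SCRIPTDIR/bookinfo-versions.yaml`, both deleted in this same patch, so the directory goes away consistently, but any Makefile target, doc or CI step that invokes `samples/bookinfo/platform/kube/cleanup.sh` will now fail. Grep for the path and drop or repoint those references in this commit.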
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml
deleted file mode 100644
index aadba2e0..00000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Productpage services
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage
- labels:
- app: productpage
- service: productpage
-spec:
- type: NodePort
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
----
diff --git a/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml b/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml
deleted file mode 100644
index ef96dc56..00000000
--- a/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml
+++ /dev/null
@@ -1,88 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: filter-ratelimit
- namespace: istio-system
-spec:
- workloadSelector:
- # select by label in the same namespace
- labels:
- istio: ingressgateway
- configPatches:
- # The Envoy config you want to modify
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: envoy.ratelimit
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
- # domain can be anything! Match it to the ratelimter service config
- domain: productpage-ratelimit
- failure_mode_deny: true
- rate_limit_service:
- grpc_service:
- envoy_grpc:
- cluster_name: rate_limit_cluster
- timeout: 10s
- - applyTo: CLUSTER
- match:
- cluster:
- service: ratelimit.default.svc.cluster.local
- patch:
- operation: ADD
- value:
- name: rate_limit_cluster
- type: STRICT_DNS
- connect_timeout: 10s
- lb_policy: ROUND_ROBIN
- http2_protocol_options: {}
- load_assignment:
- cluster_name: rate_limit_cluster
- endpoints:
- - lb_endpoints:
- - endpoint:
- address:
- socket_address:
- address: ratelimit.default.svc.cluster.local
- port_value: 8081
----
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: filter-ratelimit-svc
- namespace: istio-system
-spec:
- workloadSelector:
- labels:
- istio: ingressgateway
- configPatches:
- - applyTo: VIRTUAL_HOST
- match:
- context: GATEWAY
- routeConfiguration:
- vhost:
- name: ""
- route:
- action: ANY
- patch:
- operation: MERGE
- value:
- rate_limits:
- - actions: # any actions in here
- # Multiple actions nest the descriptors
- # - generic_key:
- # descriptor_value: "test"
- - request_headers:
- header_name: ":path"
- descriptor_key: "PATH"
- # - remote_address: {}
- # - destination_cluster: {}
\ No newline at end of file
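Review bot: deleting this manifest does not delete the applied objects. If `filter-ratelimit` and `filter-ratelimit-svc` were ever applied from this path, they stay on the `istio: ingressgateway` workloads in `istio-system` with no source of truth left in the repository. That matters here because the first filter sets `failure_mode_deny: true` with a 10s timeout, so an unreachable `ratelimit.default.svc.cluster.local:8081` turns into denied requests at the gateway. Check the cluster for both EnvoyFilters and either remove them or move their definition to wherever live configuration is kept.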
diff --git a/istio-1.18.2/samples/bookinfo/src/build-services.sh b/istio-1.18.2/samples/bookinfo/src/build-services.sh
deleted file mode 100755
index aa3d6432..00000000
--- a/istio-1.18.2/samples/bookinfo/src/build-services.sh
+++ /dev/null
@@ -1,103 +0,0 @@
-#!/bin/bash
-#
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -ox errexit
-
-display_usage() {
- echo
- echo "USAGE: ./build-services.sh [-h|--help]"
- echo " -h|--help: Prints usage information"
- echo " version: Version of the sample app images (Required)"
- echo " prefix: Use the value as the prefix for image names (Required)"
-}
-
-if [ "$#" -ne 2 ]; then
- if [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
- display_usage
- exit 0
- else
- echo "Incorrect parameters" "$@"
- display_usage
- exit 1
- fi
-fi
-
-VERSION=$1
-PREFIX=$2
-SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-
-# Docker build variables
-ENABLE_MULTIARCH_IMAGES=${ENABLE_MULTIARCH_IMAGES:-"false"}
-
-if [ "${ENABLE_MULTIARCH_IMAGES}" == "true" ]; then
- PLATFORMS="linux/arm64,linux/amd64"
- DOCKER_BUILD_ARGS="docker buildx build --platform ${PLATFORMS} --push"
- # Install QEMU emulators
- docker run --rm --privileged tonistiigi/binfmt --install all
- docker buildx rm multi-builder || :
- docker buildx create --use --name multi-builder --platform ${PLATFORMS}
- docker buildx use multi-builder
-else
- DOCKER_BUILD_ARGS="docker build"
-fi
-
-pushd "$SCRIPTDIR/productpage"
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-productpage-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-productpage-v1:latest" .
- # flooding
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-productpage-v-flooding:${VERSION}" -t "${PREFIX}/examples-bookinfo-productpage-v-flooding:latest" --build-arg flood_factor=100 .
-popd
-
-pushd "$SCRIPTDIR/details"
- # plain build -- no calling external book service to fetch topics
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-details-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-details-v1:latest" --build-arg service_version=v1 .
- # with calling external book service to fetch topic for the book
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-details-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-details-v2:latest" --build-arg service_version=v2 \
- --build-arg enable_external_book_service=true .
-popd
-
-
-pushd "$SCRIPTDIR/reviews"
- # java build the app.
- docker run --rm -u root -v "$(pwd)":/home/gradle/project -w /home/gradle/project gradle:4.8.1 gradle clean build
-
- pushd reviews-wlpcfg
- # plain build -- no ratings
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v1:latest" --build-arg service_version=v1 .
- # with ratings black stars
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v2:latest" --build-arg service_version=v2 \
- --build-arg enable_ratings=true .
- # with ratings red stars
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v3:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v3:latest" --build-arg service_version=v3 \
- --build-arg enable_ratings=true --build-arg star_color=red .
- popd
-popd
-
-pushd "$SCRIPTDIR/ratings"
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v1:latest" --build-arg service_version=v1 .
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v2:latest" --build-arg service_version=v2 .
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-faulty:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-faulty:latest" --build-arg service_version=v-faulty .
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-delayed:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-delayed:latest" --build-arg service_version=v-delayed .
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-unavailable:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-unavailable:latest" --build-arg service_version=v-unavailable .
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-unhealthy:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-unhealthy:latest" --build-arg service_version=v-unhealthy .
-popd
-
-pushd "$SCRIPTDIR/mysql"
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-mysqldb:${VERSION}" -t "${PREFIX}/examples-bookinfo-mysqldb:latest" .
-popd
-
-pushd "$SCRIPTDIR/mongodb"
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-mongodb:${VERSION}" -t "${PREFIX}/examples-bookinfo-mongodb:latest" .
-popd
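Review bot: the multi-arch branch runs `docker run --rm --privileged tonistiigi/binfmt --install all` with no tag or digest, and the reviews build runs `gradle:4.8.1` as root with the source tree bind-mounted, so any runner that executed this script gave an unpinned image full host privileges. Before merging, confirm that no pipeline or Makefile target still calls `build-services.sh`. If one does, replace the call with a build that pins its helper images by digest rather than keeping this script.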
diff --git a/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json b/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json
deleted file mode 100644
index b4563b50..00000000
--- a/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json
+++ /dev/null
@@ -1,2 +0,0 @@
-{rating: 5}
-{rating: 4}
diff --git a/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh b/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh
deleted file mode 100644
index 7e230ee5..00000000
--- a/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-mongoimport --host localhost --db test --collection ratings --drop --file /app/data/ratings_data.json
diff --git a/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt b/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt
deleted file mode 100644
index 5e5ddf22..00000000
--- a/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt
+++ /dev/null
@@ -1,32 +0,0 @@
-certifi==2022.12.7
-chardet==3.0.4
-Click==7.0
-contextlib2==0.5.5
-dominate==2.3.5
-Flask==2.1.1
-Flask-Bootstrap==3.3.7.1
-Flask-JSON==0.3.3
-future==0.17.1
-futures==3.1.1
-gevent==21.12.0
-greenlet==1.1.2
-idna==2.8
-itsdangerous==1.1.0
-jaeger-client==3.13.0
-Jinja2==2.11.3
-json2html==1.2.1
-MarkupSafe==0.23
-nose==1.3.7
-opentracing==1.2.2
-opentracing-instrumentation==2.4.3
-prometheus-client==0.15.0
-requests==2.28.1
-simplejson==3.16.0
-six==1.12.0
-threadloop==1.0.2
-thrift==0.11.0
-tornado==5.1
-urllib3==1.26.5
-visitor==0.1.3
-Werkzeug==2.2.3
-wrapt==1.11.1
diff --git a/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt b/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt
deleted file mode 100644
index f756640f..00000000
--- a/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-requests-mock==1.5.2
diff --git a/istio-1.18.2/samples/bookinfo/src/ratings/package.json b/istio-1.18.2/samples/bookinfo/src/ratings/package.json
deleted file mode 100644
index f0498224..00000000
--- a/istio-1.18.2/samples/bookinfo/src/ratings/package.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "scripts": {
- "start": "node ratings.js"
- },
- "dependencies": {
- "httpdispatcher": "1.0.0",
- "mongodb": "^3.6.0",
- "mysql": "^2.15.0"
- },
- "private": true
-}
diff --git a/istio-1.18.2/samples/bookinfo/swagger.yaml b/istio-1.18.2/samples/bookinfo/swagger.yaml
deleted file mode 100644
index 6782e732..00000000
--- a/istio-1.18.2/samples/bookinfo/swagger.yaml
+++ /dev/null
@@ -1,248 +0,0 @@
-swagger: "2.0"
-info:
- description: "This is the API of the Istio BookInfo sample application."
- version: "1.0.0"
- title: "BookInfo API"
- termsOfService: "https://istio.io/"
- license:
- name: "Apache 2.0"
- url: "http://www.apache.org/licenses/LICENSE-2.0.html"
-basePath: "/api/v1"
-tags:
-- name: "product"
- description: "Information about a product (in this case a book)"
-- name: "review"
- description: "Review information for a product"
-- name: "rating"
- description: "Rating information for a product"
-externalDocs:
- description: "Learn more about the Istio BookInfo application"
- url: "https://istio.io/docs/samples/bookinfo.html"
-paths:
- /products:
- get:
- tags:
- - "product"
- summary: "List all products"
- description: "List all products available in the application with a minimum amount of information."
- operationId: "getProducts"
- consumes:
- - "application/json"
- produces:
- - "application/json"
- responses:
- 200:
- description: "successful operation"
- schema:
- type: "array"
- items:
- $ref: "#/definitions/Product"
- /products/{id}:
- get:
- tags:
- - "product"
- summary: "Get individual product"
- description: "Get detailed information about an individual product with the given id."
- operationId: "getProduct"
- consumes:
- - "application/json"
- produces:
- - "application/json"
- parameters:
- - name: "id"
- in: "path"
- description: "Product id"
- required: true
- type: "integer"
- format: "int32"
- responses:
- 200:
- description: "successful operation"
- schema:
- $ref: "#/definitions/ProductDetails"
- 400:
- description: "Invalid product id"
- /products/{id}/reviews:
- get:
- tags:
- - "review"
- summary: "Get reviews for a product"
- description: "Get reviews for a product, including review text and possibly ratings information."
- operationId: "getProductReviews"
- consumes:
- - "application/json"
- produces:
- - "application/json"
- parameters:
- - name: "id"
- in: "path"
- description: "Product id"
- required: true
- type: "integer"
- format: "int32"
- responses:
- 200:
- description: "successful operation"
- schema:
- $ref: "#/definitions/ProductReviews"
- 400:
- description: "Invalid product id"
- /products/{id}/ratings:
- get:
- tags:
- - "rating"
- summary: "Get ratings for a product"
- description: "Get ratings for a product, including stars and their color."
- operationId: "getProductRatings"
- consumes:
- - "application/json"
- produces:
- - "application/json"
- parameters:
- - name: "id"
- in: "path"
- description: "Product id"
- required: true
- type: "integer"
- format: "int32"
- responses:
- 200:
- description: "successful operation"
- schema:
- $ref: "#/definitions/ProductRatings"
- 400:
- description: "Invalid product id"
-
-
-definitions:
- Product:
- type: "object"
- description: "Basic information about a product"
- properties:
- id:
- type: "integer"
- format: "int32"
- description: "Product id"
- title:
- type: "string"
- description: "Title of the book"
- descriptionHtml:
- type: "string"
- description: "Description of the book - may contain HTML tags"
- required:
- - "id"
- - "title"
- - "descriptionHtml"
- ProductDetails:
- type: "object"
- description: "Detailed information about a product"
- properties:
- id:
- type: "integer"
- format: "int32"
- description: "Product id"
- publisher:
- type: "string"
- description: "Publisher of the book"
- language:
- type: "string"
- description: "Language of the book"
- author:
- type: "string"
- description: "Author of the book"
- ISBN-10:
- type: "string"
- description: "ISBN-10 of the book"
- ISBN-13:
- type: "string"
- description: "ISBN-13 of the book"
- year:
- type: "integer"
- format: "int32"
- description: "Year the book was first published in"
- type:
- type: "string"
- enum:
- - "paperback"
- - "hardcover"
- description: "Type of the book"
- pages:
- type: "integer"
- format: "int32"
- description: "Number of pages of the book"
- required:
- - "id"
- - "publisher"
- - "language"
- - "author"
- - "ISBN-10"
- - "ISBN-13"
- - "year"
- - "type"
- - "pages"
- ProductReviews:
- type: "object"
- description: "Object containing reviews for a product"
- properties:
- id:
- type: "integer"
- format: "int32"
- description: "Product id"
- reviews:
- type: "array"
- description: "List of reviews"
- items:
- $ref: "#/definitions/Review"
- required:
- - "id"
- - "reviews"
- Review:
- type: "object"
- description: "Review of a product"
- properties:
- reviewer:
- type: "string"
- description: "Name of the reviewer"
- text:
- type: "string"
- description: "Review text"
- rating:
- $ref: "#/definitions/Rating"
- required:
- - "reviewer"
- - "text"
- Rating:
- type: "object"
- description: "Rating of a product"
- properties:
- stars:
- type: "integer"
- format: "int32"
- minimum: 1
- maximum: 5
- description: "Number of stars"
- color:
- type: "string"
- enum:
- - "red"
- - "black"
- description: "Color in which stars should be displayed"
- required:
- - "stars"
- - "color"
- ProductRatings:
- type: "object"
- description: "Object containing ratings of a product"
- properties:
- id:
- type: "integer"
- format: "int32"
- description: "Product id"
- ratings:
- type: "object"
- description: "A hashmap where keys are reviewer names, values are number of stars"
- additionalProperties:
- type: "string"
- required:
- - "id"
- - "ratings"
\ No newline at end of file
diff --git a/istio-1.18.2/samples/certs/README.md b/istio-1.18.2/samples/certs/README.md
deleted file mode 100644
index 6daeaab4..00000000
--- a/istio-1.18.2/samples/certs/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# Istio plugin CA sample certificates
-
-This directory contains sample pre-generated certificate and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such
-a deployment, Citadel acts as an intermediate certificate authority (CA), under the given root CA.
-Instructions are available [here](https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/).
-
-The included sample files are:
-
-- `root-cert.pem`: root CA certificate.
-- `root-cert-alt.pem`: alterative CA certificate.
-- `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key.
-- `ca-[cert-alt|key-alt].pem`: alternative intermediate certificate and corresponding private key.
-- `cert-chain.pem`: certificate trust chain.
-- `cert-chain-alt.pem`: alternative certificate chain.
-- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`.
-- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`.
-- `workload-foo-root-certs.pem`: root and intermediate CA certificates for foo workload certificate.
-- `workload-bar-root-certs.pem`: root and intermediate CA certificates for bar workload certificate.
-- `leaf-workload-foo-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo`.
-- `leaf-workload-bar-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar`.
-
-The workload cert and key are generated by:
-
-```shell script
- ./generate-workload.sh foo
- ./generate-workload.sh bar
-```
-
-To generate certs signed by the alternative root `root-cert-alt.pem`
-
-```shell script
-./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
-./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
-```
diff --git a/istio-1.18.2/samples/certs/ca-cert-alt.pem b/istio-1.18.2/samples/certs/ca-cert-alt.pem
deleted file mode 100644
index b790d1d2..00000000
--- a/istio-1.18.2/samples/certs/ca-cert-alt.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFVjCCAz6gAwIBAgIUPTPKZWcaC54iCXmHXS7VUFrQpJswDQYJKoZIhvcNAQEL
-BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw
-MDM1NjM3WhcNMzMwMjE3MDM1NjM3WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE
-AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI
-hvcNAQEBBQADggIPADCCAgoCggIBAJcfHGT0wipRUckkWR1GXs51+Tl017K1Yza4
-eExg+iEFFmzGW/qpH+g2uUk8g/fqEOQrFbtQsFZgH/PtqJDM19tM+sVj9MWVNHTu
-f8yb9pjP2Y6O6xTySAYfnZFwfdOt7ewFRBXu+vHKpPzXrrJdJWQG+NoPuYLany5a
-I2hgHxPOCKxYlwbyjwdN8PgUlcj7m/bEW3rhwkyWBIw/Cp+/YZIwxCSWl1MBDrjw
-srzrVmM+76BJO4twKjqtJR7+j6PSNk7NDjSCItfmtCNDSiSfaPWPwmhTkGPov6Bd
-PopnkoGgqDtSBqBRMuS0sEMhjsI2/e2+X6+musRYdTgxSSy2LEg3//nETbC4c+q5
-TrgOTerjO0J28i3iBSS5PVDYr63v02C35Tyn38TRgmp/QETkYAfITrcSnZnTQoR4
-4Nnd8d5qw6XN3cRR/R9A4cccaTAmNVDm+iZk1jNiV6sJ/P1fDHDQACPpyYntduy0
-UCUHeaasbFdfl4eST9/uPALZygS9se7tjm7xTFZcQ7wGqu2DOMWw6ocPL/Mv6nX9
-NJpY98qCAwhE29LUqq+ptDhSQZCVh5dfrrx9nA3UmANylO6AXNc3oxerS6izJLe5
-bQA4FHIZQeqyWqPR+wEpyEUgO1N6+uMlviwMvchAHGYXbzH3o6Z/mOuunn/MVbGW
-f0wU2+9lAgMBAAGjaTBnMB0GA1UdDgQWBBTfaZR3DtzO/E6WWIgn2snHJL/BRzAS
-BgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdp
-c3Rpb2QuaXN0aW8tc3lzdGVtLnN2YzANBgkqhkiG9w0BAQsFAAOCAgEAPxOeQAxC
-dEkFQgdmUl/6g6PbqNardN63rzt3el3gVC27RtctI9RgyAOS9Yw/GodQTfao2k1a
-WcdqdmK12/eTBccuoJCDuHQx5NgCnIciaOcjE/IdCkNAtZY8T3mRJ0avnm0nxVwo
-A3o313NzpJJuZAco8RlaIeM6o7jxD3Z9Pi70xegYwMdopGgm1eVg3kL/TzGhVHty
-tFHIuc8LZijQmxFcez28o/eDc5obCRjTOJOe0LYF7CmpkiGiEU0VmfG+iW3rZBKw
-JM9/P0dWZZMzaSeDHVWBJPeEZJmKmp2SVtL+4flTj2cQjaboFYINggIO7MzUufcr
-xeJ/A2sR2z4zJxBWtiTo5wB7uZju09l6Be4r8p/4OtAxBr/4zSo1iZ7rEyP5wS+k
-KevhhHfsnZ/YVEFUcaNqSgJddXjM1RSIssJywvIwQh/6VlUlLNYW/89nEcd+agYz
-kBazZIQOUefnvMnEWWlZovabqwVEPBhJ74zTtOn1Z333GnomjJK2vHh5cVMbqxD1
-sTgFx1W+RICgctPWAJxbxOhWunX6edXY1q0pb/dMnAqyIxRg32TEHrHXMCVEP5Hk
-Vf6HHDDV7UKhq+S3PVOdo6MHimz6OZenA8cgjyf4jrkd25MrXXL4ergzMEliRg2D
-wa4gQqdWzPHE8uCBSAWEAxZCMJ2l2vULltU=
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/istio-1.18.2/samples/certs/ca-cert.pem b/istio-1.18.2/samples/certs/ca-cert.pem
deleted file mode 100644
index a460e036..00000000
--- a/istio-1.18.2/samples/certs/ca-cert.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
-MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD
-QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx
-OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
-CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x
-ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9
-iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z
-APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K
-M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom
-ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8
-LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T
-BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC
-AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w
-A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8
-PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y
-05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN
-Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn
-aFKltOc+RAjzDklcUPeG4Y6eMA==
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/certs/ca-key-alt.pem b/istio-1.18.2/samples/certs/ca-key-alt.pem
deleted file mode 100644
index 872543dd..00000000
--- a/istio-1.18.2/samples/certs/ca-key-alt.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAlx8cZPTCKlFRySRZHUZeznX5OXTXsrVjNrh4TGD6IQUWbMZb
-+qkf6Da5STyD9+oQ5CsVu1CwVmAf8+2okMzX20z6xWP0xZU0dO5/zJv2mM/Zjo7r
-FPJIBh+dkXB9063t7AVEFe768cqk/Neusl0lZAb42g+5gtqfLlojaGAfE84IrFiX
-BvKPB03w+BSVyPub9sRbeuHCTJYEjD8Kn79hkjDEJJaXUwEOuPCyvOtWYz7voEk7
-i3AqOq0lHv6Po9I2Ts0ONIIi1+a0I0NKJJ9o9Y/CaFOQY+i/oF0+imeSgaCoO1IG
-oFEy5LSwQyGOwjb97b5fr6a6xFh1ODFJLLYsSDf/+cRNsLhz6rlOuA5N6uM7Qnby
-LeIFJLk9UNivre/TYLflPKffxNGCan9ARORgB8hOtxKdmdNChHjg2d3x3mrDpc3d
-xFH9H0DhxxxpMCY1UOb6JmTWM2JXqwn8/V8McNAAI+nJie127LRQJQd5pqxsV1+X
-h5JP3+48AtnKBL2x7u2ObvFMVlxDvAaq7YM4xbDqhw8v8y/qdf00mlj3yoIDCETb
-0tSqr6m0OFJBkJWHl1+uvH2cDdSYA3KU7oBc1zejF6tLqLMkt7ltADgUchlB6rJa
-o9H7ASnIRSA7U3r64yW+LAy9yEAcZhdvMfejpn+Y666ef8xVsZZ/TBTb72UCAwEA
-AQKCAgAkT5pf+5uH1YBER1KOQTFYhGo8zwFg9EqBhHOLTqXrNzC7NDI3mVmMT1HX
-8g13jSs/18Zh+rJUHsaussUU/dND40xCD5FpxD8VdZUJkdP/xbltkpOTtd9ucTxI
-DPJ+4UTQuDcy2fg8Dsfz5NMaEl2AmlhC9RJLCcLDvW7Sjn4JITFeT+8CAVgylhy3
-TyLqZuKDuYyNix9HjahMFn20AqUsHkGS1QhJLnDeKR+ZWyantCCZr9750xqifKX1
-u47B+ymHZ6fpH/fFTq6r5mgzQoZSspcwwBtqlistGhqD4P0H3pVto3jqHniPEYdk
-qfSGX/ZFoL+XEgXAVczckqMVdjRPS3eq23xLlp3kkSN7I1JVGxfEbatVUSy+WBT6
-IatSXUenbloD9NTcE2v08OTLG2xgAFNl6gC4kTxEnJuXAccFIMXMrbcmiZh4xZxq
-SLv/HwRENy3MjE3WMocAZ7ypfUbKEIsVYMaTvyQzXEr7yyTT9qpL2gJRCqaimUbb
-YoUXc/RreGgDY3S5S6OETdFXHeps2ObTXUqMWU1pF+X1lKA5c2H7bl5PBRu0KJ9s
-uPEln0tmZ02299S1ropCeqjA7YQcrqQnEsbIwt64pynRnFCUJyTSYmUX1C/ewYIa
-2AC7CiMQf7eBUZlTuR9G6zqhimEqgd0ZIPvOvDzkBWG51WrMJQKCAQEAxWgZ4jzQ
-RBTfXRIpjFZ93KM2Jy8RCDPesTnXvPK73h7AyvMx32ygm6j0m6yUHV8RN75CE2rM
-Vb1ogeL1LHgFjZLsM+3SrQUSfW7uZZ4+Fkm/JYF4Qmflch4jJH4MnPy/HgO75nRs
-ai2xMil8YnR8QZFpvTrutRkTRK6bSm8N98vjV+bbVw8eFL/dVgLHpdHTLoFBo4Zd
-o7CaA4Aje8AabeWd7Yp0cjTGWHWLHFzxDnD9gfWN5eL8ay1QZwW3BFUw+eLuIrRu
-UbC54e8RK0lXSAwbGCbof8+nfd7i+vh4lwM5D0HLMmmvpRs5+2BVuOI8gwtxxrwn
-T4SFlIEdRRjxDwKCAQEAw/oLsYDrVPzATQkQ6Kec7ayGBWf9+G209MKOHkRNJdC0
-kms7yMckqTWEs5tMgBD8V0BrajmB8cbjR0g6Fe2M2W+mFZ+x55Lw8j/qNEbHKNor
-p3W50leiSlWbntuaIAnzKDR2QamtEToz6IhMG3mtpxVZBf+fRRoaB/dK098BGHQ9
-J7uTeydf19kwGZoaVZ1EGSsVZTGMQEsNhZzFHbqOUaxiD3+UykyIZ1hO8jNlTdB0
-6yqBbgdetcb1Op6vFVVWswxMeJzDUc5S1ehGYXkthHHbIAXAy4iBEo+fVdxFs5nZ
-zk3uauyyKZQ7qM2Cu8sa5TrsRd4GncKNdubNO/2wSwKCAQEAspMiXxMuP3g2OsZU
-SXxwbOhD85xTJv1tJRszOtzF8AAX3T+0TO3COC3V4QF0F0HJnIiC03fYEnO+F0lN
-CoYkV9ahz7QC0bt153wzMj+84IKj5HTDaib8W4hBuCBCnrzQ0oEEOEv3SvG8iqkW
-uSWwxcuaQLEQAUkGsinVlrbxhsitBvZyUsX9Kz4JJmZrXmh6RmZtD1VcXdhC6om/
-D5JPFj0R6TFHd4ygJKNoTScSdULnQOn2DBCS0Q1z304/Ki86l8KeM0zPQxzAek6+
-VE8LIsS4uddwmTYqyOWYpPmidNFYi6G0BA2w84W2pNyXjyExJkZzDRll4jv6bsWB
-yeDvJwKCAQEAvp/CrgbLYaB0YLpX0yXudBUjS7DqjbIQmR+BY5lmPUkzy1Q5E8P5
-OgnPqXB+yfc7rJcBpJKJfibKPjTYIyosnfeG4nOydaEtc0WORwktgeQtIDdX52zM
-dGeu9qd+1Hk5JrtY5+fmauJlSWMCPJtvuRz/ueD6CBoqheMZytqY0zOFpNdEzj7v
-cCJXMh/+S5asfZq1tferB4K5hWSHK7Kh6nm17INZtCkbaQKxz88EU9tXTsPKn77V
-dhUvxbRCc4rNyV1GKO+64SDC3ESR6RAYoUKqNQzDinadrfM7tiWLOvaEsLKHHURc
-zCremQRFjOsznxNgbVlYsC1ksuovaZIK3wKCAQAHEUZJwbsr1FJ0qmBOjY6ZbssG
-icHEweWdXlxaFKjXj+iRdUWRRnmZRhNB1jMCub1jqXweoAnhq3xq3DyVMe0oZMrh
-7C5zzsiJYdOuv+PKw0jm+/jylyVxS9FYv++gBZvAwMUt1NFgNgSb2Que+hVPXfwW
-MVaVRCKaA38e18WjNeILOTVD0+NeViAaxhBZPz3kTIuLEPiRJxxeC9XQbjPkUz6k
-iDxGSc+Epi+TcOqtYjCC/jQiHExcZD3vlIcnXH3tX/mnPdnM8rPnVoEmx/VUHnq1
-/4JPVP8XBMQABRG3BWgn2OqJiPssLk5DukomAWGxSXzGVjUIaxWzwyFD+ZTR
------END RSA PRIVATE KEY-----
\ No newline at end of file
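Review bot: removing `ca-key-alt.pem` from the tree leaves the RSA private key retrievable from every earlier commit, so this deletion should not be read as revoking it. Treat the key as public, and if secret scanning runs on this repository, expect historical findings on this path to remain. A rule that blocks new `BEGIN RSA PRIVATE KEY` blobs under vendored directories would stop the file coming back with the next Istio drop.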
diff --git a/istio-1.18.2/samples/certs/ca-key.pem b/istio-1.18.2/samples/certs/ca-key.pem
deleted file mode 100644
index faa77f38..00000000
--- a/istio-1.18.2/samples/certs/ca-key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy1
-3XIQk8/u/By9iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3Hzd
-Rw+SBhXlsh9zAPZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSd
-PrFx6EyMXl7KM8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLs
-ar69PgFS0TomESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJ
-t/h8yspS1ck8LJtCole9919umByg5oruflqIlQIDAQABAoIBAGZI8fnUinmd5R6B
-C941XG3XFs6GAuUm3hNPcUFuGnntmv/5I0gBpqSyFO0nDqYg4u8Jma8TTCIkmnFN
-ogIeFU+LiJFinR3GvwWzTE8rTz1FWoaY+M9P4ENd/I4pVLxUPuSKhfA2ChAVOupU
-8F7D9Q/dfBXQQCT3VoUaC+FiqjL4HvIhji1zIqaqpK7fChGPraC/4WHwLMNzI0Zg
-oDdAanwVygettvm6KD7AeKzhK94gX1PcnsOi3KuzQYvkenQE1M6/K7YtEc5qXCYf
-QETj0UCzB55btgdF36BGoZXf0LwHqxys9ubfHuhwKBpY0xg2z4/4RXZNhfIDih3w
-J3mihcECgYEA6FtQ0cfh0Zm03OPDpBGc6sdKxTw6aBDtE3KztfI2hl26xHQoeFqp
-FmV/TbnExnppw+gWJtwx7IfvowUD8uRR2P0M2wGctWrMpnaEYTiLAPhXsj69HSM/
-CYrh54KM0YWyjwNhtUzwbOTrh1jWtT9HV5e7ay9Atk3UWljuR74CFMUCgYEA392e
-DVoDLE0XtbysmdlfSffhiQLP9sT8+bf/zYnr8Eq/4LWQoOtjEARbuCj3Oq7bP8IE
-Vz45gT1mEE3IacC9neGwuEa6icBiuQi86NW8ilY/ZbOWrRPLOhk3zLiZ+yqkt+sN
-cqWx0JkIh7IMKWI4dVQgk4I0jcFP7vNG/So4AZECgYEA426eSPgxHQwqcBuwn6Nt
-yJCRq0UsljgbFfIr3Wfb3uFXsntQMZ3r67QlS1sONIgVhmBhbmARrcfQ0+xQ1SqO
-wqnOL4AAd8K11iojoVXLGYP7ssieKysYxKpgPE8Yru0CveE9fkx0+OGJeM2IO5hY
-qHAoTt3NpaPAuz5Y3XgqaVECgYA0TONS/TeGjxA9/jFY1Cbl8gp35vdNEKKFeM5D
-Z7h+cAg56FE8tyFyqYIAGVoBFL7WO26mLzxiDEUfA/0Rb90c2JBfzO5hpleqIPd5
-cg3VR+cRzI4kK16sWR3nLy2SN1k6OqjuovVS5Z3PjfI3bOIBz0C5FY9Pmt0g1yc7
-mDRzcQKBgQCXWCZStbdjewaLd5u5Hhbw8tIWImMVfcfs3H1FN669LLpbARM8RtAa
-8dYwDVHmWmevb/WX03LiSE+GCjCBO79fa1qc5RKAalqH/1OYxTuvYOeTUebSrg8+
-lQFlP2OC4GGolKrN6HVWdxtf+F+SdjwX6qGCfYkXJRLYXIFSFjFeuw==
------END RSA PRIVATE KEY-----
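Review bot: `ca-key.pem` is the private key for the intermediate CA in `ca-cert.pem`, which the README removed in this same diff describes as sample material for configuring Citadel with an existing root and signing key, so the open question is whether any environment was ever set up from these files. If one was, the fix is to rotate that CA and the workload certificates it issued, since deleting the file here changes nothing for a mesh that already trusts it.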
diff --git a/istio-1.18.2/samples/certs/cert-chain-alt.pem b/istio-1.18.2/samples/certs/cert-chain-alt.pem
deleted file mode 100644
index dbbd5039..00000000
--- a/istio-1.18.2/samples/certs/cert-chain-alt.pem
+++ /dev/null
@@ -1,61 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFVjCCAz6gAwIBAgIUPTPKZWcaC54iCXmHXS7VUFrQpJswDQYJKoZIhvcNAQEL
-BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw
-MDM1NjM3WhcNMzMwMjE3MDM1NjM3WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE
-AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI
-hvcNAQEBBQADggIPADCCAgoCggIBAJcfHGT0wipRUckkWR1GXs51+Tl017K1Yza4
-eExg+iEFFmzGW/qpH+g2uUk8g/fqEOQrFbtQsFZgH/PtqJDM19tM+sVj9MWVNHTu
-f8yb9pjP2Y6O6xTySAYfnZFwfdOt7ewFRBXu+vHKpPzXrrJdJWQG+NoPuYLany5a
-I2hgHxPOCKxYlwbyjwdN8PgUlcj7m/bEW3rhwkyWBIw/Cp+/YZIwxCSWl1MBDrjw
-srzrVmM+76BJO4twKjqtJR7+j6PSNk7NDjSCItfmtCNDSiSfaPWPwmhTkGPov6Bd
-PopnkoGgqDtSBqBRMuS0sEMhjsI2/e2+X6+musRYdTgxSSy2LEg3//nETbC4c+q5
-TrgOTerjO0J28i3iBSS5PVDYr63v02C35Tyn38TRgmp/QETkYAfITrcSnZnTQoR4
-4Nnd8d5qw6XN3cRR/R9A4cccaTAmNVDm+iZk1jNiV6sJ/P1fDHDQACPpyYntduy0
-UCUHeaasbFdfl4eST9/uPALZygS9se7tjm7xTFZcQ7wGqu2DOMWw6ocPL/Mv6nX9
-NJpY98qCAwhE29LUqq+ptDhSQZCVh5dfrrx9nA3UmANylO6AXNc3oxerS6izJLe5
-bQA4FHIZQeqyWqPR+wEpyEUgO1N6+uMlviwMvchAHGYXbzH3o6Z/mOuunn/MVbGW
-f0wU2+9lAgMBAAGjaTBnMB0GA1UdDgQWBBTfaZR3DtzO/E6WWIgn2snHJL/BRzAS
-BgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdp
-c3Rpb2QuaXN0aW8tc3lzdGVtLnN2YzANBgkqhkiG9w0BAQsFAAOCAgEAPxOeQAxC
-dEkFQgdmUl/6g6PbqNardN63rzt3el3gVC27RtctI9RgyAOS9Yw/GodQTfao2k1a
-WcdqdmK12/eTBccuoJCDuHQx5NgCnIciaOcjE/IdCkNAtZY8T3mRJ0avnm0nxVwo
-A3o313NzpJJuZAco8RlaIeM6o7jxD3Z9Pi70xegYwMdopGgm1eVg3kL/TzGhVHty
-tFHIuc8LZijQmxFcez28o/eDc5obCRjTOJOe0LYF7CmpkiGiEU0VmfG+iW3rZBKw
-JM9/P0dWZZMzaSeDHVWBJPeEZJmKmp2SVtL+4flTj2cQjaboFYINggIO7MzUufcr
-xeJ/A2sR2z4zJxBWtiTo5wB7uZju09l6Be4r8p/4OtAxBr/4zSo1iZ7rEyP5wS+k
-KevhhHfsnZ/YVEFUcaNqSgJddXjM1RSIssJywvIwQh/6VlUlLNYW/89nEcd+agYz
-kBazZIQOUefnvMnEWWlZovabqwVEPBhJ74zTtOn1Z333GnomjJK2vHh5cVMbqxD1
-sTgFx1W+RICgctPWAJxbxOhWunX6edXY1q0pb/dMnAqyIxRg32TEHrHXMCVEP5Hk
-Vf6HHDDV7UKhq+S3PVOdo6MHimz6OZenA8cgjyf4jrkd25MrXXL4ergzMEliRg2D
-wa4gQqdWzPHE8uCBSAWEAxZCMJ2l2vULltU=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFFDCCAvygAwIBAgIUXl9kIYp2G+37cwt+ruWqmKHpFVkwDQYJKoZIhvcNAQEL
-BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw
-MDM1NjI2WhcNMzMwMjE3MDM1NjI2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE
-AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMS9oq7l
-OR+vqj+99FcquCZiZB9d3AGmn4CUIzUsHLKwG/H4OZucHNaI+C/2IE+cHpqHq1RV
-XqOdE5fMoBsHTjRN24K/WMHVr76IiTdla3e5OGvb8XtFTqH80bPcahWU6J5SKaP5
-nuj6D0OCDuPgV5fDNkMBp6qH3b+zbSBLDKLyepMeHUdfUXKuUjAFCRzPuKuCzJy+
-xNHu61OuRzILSUL7O8kTSK/1iz0mIFAqSxeS6AFDGsQIJRhKEhQSbmH924dGGQ5p
-7bm8mFEYPYzyEw7l6zqaEKYEzoVhQrulJzUEVITVK9npW/GAREQK8KcabCakJf6L
-wiTMZkWzrY2h7d7U/4Ib/7N3/1HREG6rLjZy08owaf09PNhKE1eqc32rwcJUdbsq
-PiRqPRuIuGtNG69/CT+4I7liKoErJrxy4GfAxLRcFrkTA9Smo8lHsShbW/RvCEdr
-2eXHolxmfgogDr3kYkrG3jYgUyYqaNIdasVQwRkfQByQpxp3ItL66NLLd1jn9ImO
-IHAfWF2CCXdJtXKzksswOs/UW8gu8Y33YzfHZMxRQu5MlDEgKR6TJMDymYVedFAf
-BeqpJepIN4zhpV/DnfC4qfhKf5KWCPWHkZgOKwl6sxOVk25ozDeiatXMfHFztTJI
-1hWRF9cQNWdmHwVx19Yi2VfMwpgsnLDbeb+/AgMBAAGjQjBAMB0GA1UdDgQWBBQV
-XzlSBYPXo+qiYX/1gUkx+t9GrTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAQj5EFGuY8jnXsvrcDEyo3kl+GAar60p3
-OB8BvMQzywYzmalztRluQr77dsTCDo9w+SL7/AKsJqljNJmzQg0Yst0YzPFAFUgt
-8PdCFDgjuSfzlrKukcRj7yd2rzs+MQP3amOuWIj5gq7lUWAPNMp0bhU1lIS2eAk7
-Ew8s4BkgMI2fW8z22uEw49j+720n9q3xIpmfGA7SISe32Z3bu10fXrsIii++Zo9p
-ItX7B5pKaLCwANjUejzC3NZ5HdL+yV9dXWXrVZrTvdFxRiqhNJtV64YTsSH+kVp8
-cCYyNA90CBVQU8ZyomNnOxqOsrBL1NvZllBmX1f3SnVa2Kw+RxJLtEx9lmKT3aiX
-v0kPPhoU+qpA3eOVvbT0CbSBEl56wclPMd7xYMykkNU/AVc3lZ7YFcjb19YNxzff
-AKktnJrFx3FHf03aeAnvJ35FxitrcpV4NvLvq5ViCHVw6IMO5h274Z/HoGHVvcle
-OPtLRiI5Fkaexa6Y/+SPMDFsCfQJzL4ZWmnGSA+Z6YMD5atviQGEbSP4bCwIgOax
-dsSyRo1cTRaOVCGVxed/s+ChbRnvljPd35zl79o+1zOOxJ2ttswYJRkjSsvn+BCL
-GZj8c/5MkLtTwvL62wZVhCIHtZoS4LNUqdkyYvRJMZTV72YuEPTfl8NKhmMislqR
-5LPKUi9adm4=
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/certs/cert-chain.pem b/istio-1.18.2/samples/certs/cert-chain.pem
deleted file mode 100644
index a460e036..00000000
--- a/istio-1.18.2/samples/certs/cert-chain.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
-MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD
-QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx
-OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
-CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x
-ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9
-iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z
-APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K
-M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom
-ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8
-LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T
-BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC
-AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w
-A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8
-PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y
-05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN
-Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn
-aFKltOc+RAjzDklcUPeG4Y6eMA==
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/certs/generate-workload.sh b/istio-1.18.2/samples/certs/generate-workload.sh
deleted file mode 100755
index 2ff08c8e..00000000
--- a/istio-1.18.2/samples/certs/generate-workload.sh
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/bin/bash
-#
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -euo pipefail
-
-name=${1:-foo}
-ns=${2:-$name}
-sa=${3:-$name}
-tmp=${4:-""}
-rootselect=${5:-""}
-san="spiffe://trust-domain-$name/ns/$ns/sa/$sa"
-
-DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-
-FINAL_DIR=$DIR
-if [ -n "$tmp" ]; then
- if [ -d "$tmp" ]; then
- FINAL_DIR=$tmp
- cp "$DIR"/root-cert.pem "$FINAL_DIR"
- cp "$DIR"/ca-cert.pem "$FINAL_DIR"
- cp "$DIR"/ca-key.pem "$FINAL_DIR"
- cp "$DIR"/cert-chain.pem "$FINAL_DIR"
-
- cp "$DIR"/root-cert-alt.pem "$FINAL_DIR"
- cp "$DIR"/ca-cert-alt.pem "$FINAL_DIR"
- cp "$DIR"/ca-key-alt.pem "$FINAL_DIR"
- cp "$DIR"/cert-chain-alt.pem "$FINAL_DIR"
-
- else
- echo "tmp argument is not a directory: $tmp"
- exit 1
- fi
-fi
-
-function cleanup() {
- if [ -f "$FINAL_DIR"/.srl ]; then
- rm "$FINAL_DIR"/.srl
- fi
- if [ -f "$FINAL_DIR"/ca-cert.srl ]; then
- rm "$FINAL_DIR"/ca-cert.srl
- fi
- if [ -f "$FINAL_DIR"/ca-cert-alt.srl ]; then
- rm "$FINAL_DIR"/ca-cert-alt.srl
- fi
- if [ -f "$FINAL_DIR"/workload.cfg ]; then
- rm "$FINAL_DIR"/workload.cfg
- fi
- if [ -f "$FINAL_DIR"/workload.csr ]; then
- rm "$FINAL_DIR"/workload.csr
- fi
-}
-
-trap cleanup EXIT
-
-openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048
-
-cat > "$FINAL_DIR"/workload.cfg <> "$FINAL_DIR/workload-$sa-cert.pem"
-cp "$certchain" "$FINAL_DIR/workload-$sa-root-certs.pem"
-cat "$rootcert" >> "$FINAL_DIR/workload-$sa-root-certs.pem"
-
-echo "Generated workload-$sa-[cert|key].pem with URI SAN $san"
-openssl verify -CAfile <(cat "$certchain" "$rootcert") "$FINAL_DIR/workload-$sa-cert.pem"
-
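Review bot: in the deleted generate-workload.sh, `FINAL_DIR=$DIR` is the default and `openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048` writes there, so a run without the fourth (tmp) argument drops a private key into the source tree, and the `cleanup` trap removes only the .srl, .cfg and .csr files. If anything replaces this script, require an explicit output directory outside the repository and keep generated keys out of version control. Also note that in this rendering the `cat > "$FINAL_DIR"/workload.cfg` line runs directly into `>> "$FINAL_DIR/workload-$sa-cert.pem"`, and `$certchain` and `$rootcert` are never assigned in the lines shown although the hunk header declares 111 lines, so the CSR config and signing step should be checked against the original file rather than this page.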
diff --git a/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem b/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem
deleted file mode 100644
index b5f4752c..00000000
--- a/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL
-BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT
-CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X
-DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd
-GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR
-91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI
-j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE
-OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw
-Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P
-AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
-Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv
-bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre
-gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C
-FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/
-4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT
-ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE
-JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9
-8w==
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem b/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem
deleted file mode 100644
index fee6dcf8..00000000
--- a/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL
-BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT
-CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X
-DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp
-tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er
-3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh
-MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5
-IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG
-+PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P
-AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
-Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v
-bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV
-WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC
-FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/
-q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og
-MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE
-Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT
-bw==
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/certs/root-cert-alt.pem b/istio-1.18.2/samples/certs/root-cert-alt.pem
deleted file mode 100644
index 8dc20f9d..00000000
--- a/istio-1.18.2/samples/certs/root-cert-alt.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFFDCCAvygAwIBAgIUXl9kIYp2G+37cwt+ruWqmKHpFVkwDQYJKoZIhvcNAQEL
-BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw
-MDM1NjI2WhcNMzMwMjE3MDM1NjI2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE
-AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMS9oq7l
-OR+vqj+99FcquCZiZB9d3AGmn4CUIzUsHLKwG/H4OZucHNaI+C/2IE+cHpqHq1RV
-XqOdE5fMoBsHTjRN24K/WMHVr76IiTdla3e5OGvb8XtFTqH80bPcahWU6J5SKaP5
-nuj6D0OCDuPgV5fDNkMBp6qH3b+zbSBLDKLyepMeHUdfUXKuUjAFCRzPuKuCzJy+
-xNHu61OuRzILSUL7O8kTSK/1iz0mIFAqSxeS6AFDGsQIJRhKEhQSbmH924dGGQ5p
-7bm8mFEYPYzyEw7l6zqaEKYEzoVhQrulJzUEVITVK9npW/GAREQK8KcabCakJf6L
-wiTMZkWzrY2h7d7U/4Ib/7N3/1HREG6rLjZy08owaf09PNhKE1eqc32rwcJUdbsq
-PiRqPRuIuGtNG69/CT+4I7liKoErJrxy4GfAxLRcFrkTA9Smo8lHsShbW/RvCEdr
-2eXHolxmfgogDr3kYkrG3jYgUyYqaNIdasVQwRkfQByQpxp3ItL66NLLd1jn9ImO
-IHAfWF2CCXdJtXKzksswOs/UW8gu8Y33YzfHZMxRQu5MlDEgKR6TJMDymYVedFAf
-BeqpJepIN4zhpV/DnfC4qfhKf5KWCPWHkZgOKwl6sxOVk25ozDeiatXMfHFztTJI
-1hWRF9cQNWdmHwVx19Yi2VfMwpgsnLDbeb+/AgMBAAGjQjBAMB0GA1UdDgQWBBQV
-XzlSBYPXo+qiYX/1gUkx+t9GrTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAQj5EFGuY8jnXsvrcDEyo3kl+GAar60p3
-OB8BvMQzywYzmalztRluQr77dsTCDo9w+SL7/AKsJqljNJmzQg0Yst0YzPFAFUgt
-8PdCFDgjuSfzlrKukcRj7yd2rzs+MQP3amOuWIj5gq7lUWAPNMp0bhU1lIS2eAk7
-Ew8s4BkgMI2fW8z22uEw49j+720n9q3xIpmfGA7SISe32Z3bu10fXrsIii++Zo9p
-ItX7B5pKaLCwANjUejzC3NZ5HdL+yV9dXWXrVZrTvdFxRiqhNJtV64YTsSH+kVp8
-cCYyNA90CBVQU8ZyomNnOxqOsrBL1NvZllBmX1f3SnVa2Kw+RxJLtEx9lmKT3aiX
-v0kPPhoU+qpA3eOVvbT0CbSBEl56wclPMd7xYMykkNU/AVc3lZ7YFcjb19YNxzff
-AKktnJrFx3FHf03aeAnvJ35FxitrcpV4NvLvq5ViCHVw6IMO5h274Z/HoGHVvcle
-OPtLRiI5Fkaexa6Y/+SPMDFsCfQJzL4ZWmnGSA+Z6YMD5atviQGEbSP4bCwIgOax
-dsSyRo1cTRaOVCGVxed/s+ChbRnvljPd35zl79o+1zOOxJ2ttswYJRkjSsvn+BCL
-GZj8c/5MkLtTwvL62wZVhCIHtZoS4LNUqdkyYvRJMZTV72YuEPTfl8NKhmMislqR
-5LPKUi9adm4=
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/istio-1.18.2/samples/certs/root-cert.pem b/istio-1.18.2/samples/certs/root-cert.pem
deleted file mode 100644
index 64c3fd50..00000000
--- a/istio-1.18.2/samples/certs/root-cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
-MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD
-QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx
-OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
-DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv
-MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB
-FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN
-8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu
-IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw
-uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv
-YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw
-zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh
-euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ
-ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W
-tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK
-WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy
-AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx
-xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a
-3g==
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/certs/workload-bar-cert.pem b/istio-1.18.2/samples/certs/workload-bar-cert.pem
deleted file mode 100644
index 1b59e9c5..00000000
--- a/istio-1.18.2/samples/certs/workload-bar-cert.pem
+++ /dev/null
@@ -1,43 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL
-BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT
-CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X
-DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd
-GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR
-91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI
-j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE
-OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw
-Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P
-AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
-Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv
-bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre
-gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C
-FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/
-4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT
-ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE
-JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9
-8w==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
-MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD
-QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx
-OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
-CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x
-ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9
-iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z
-APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K
-M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom
-ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8
-LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T
-BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC
-AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w
-A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8
-PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y
-05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN
-Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn
-aFKltOc+RAjzDklcUPeG4Y6eMA==
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/certs/workload-bar-key.pem b/istio-1.18.2/samples/certs/workload-bar-key.pem
deleted file mode 100644
index 1b7889a9..00000000
--- a/istio-1.18.2/samples/certs/workload-bar-key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA6p867UZ0Fc1u8L2Jayoc5YgRB4pM7xRNJg7N+VcpAd0YILjZ
-NK765FEfzTxCfLPwJ7p4knVTA/6btLbNl81tjUvZUm9ZuhC0ULt6BvGnZ5H3WsnZ
-aZGJA7pmgCZAb5RVpUyOpa2s7In+2TONdKyRldxtSRaSs88CTGxIFFagJciPbfR1
-EqCC/NmAiAGbg18OOt2PsCbARkDS3OI8XL/mH7pckSoPxwU7MqPRKinzQYQ7NIHz
-MOdkKiYXPwJm/ZZSQmOeCPus4P5ygLUuhYmJSVMUx0CeDBJY+zJqqlm0MPAK34Kz
-nWWGRBBcLpve30P1sdtcDFiwRwdqpH50pVUciwIDAQABAoIBABVjCmYSpAZQwaok
-POCN6DBsJNFBJB4vBZFQjCoMbeqDku14rCQHR0uEsZdtxMnFRUD52H/RPg4BKYRh
-nYAW88OLhHXlPJKfbzBkxozXfmEMhzW5bJ4Y7Bpw5WMNGZaSOPRmdCJaIIc3VQnL
-jztxd5vnifa9ngXR+u2oeTGRa+vFncwtf+lDjid6KOsclFEOVRquT9e3BgccwWJL
-O7k8GZzHCWj+jxeExrcoD5NMulHZGDTc49ZZeqpVIwQnhFEe+e6LcZ7jaHs1AgUK
-v3cHVQUoeHa+NYATeoyXWUJzD0vW6fTgxUrf+GNrtdmbwaoGW4+FmsYKB0YD2FO3
-bQ5cQWECgYEA+sXSllaDmrwFhX7Tga7nHN74maGk0V4eUnVQ2rkwRXgwaUh+V3K7
-5jJ1ZTZuWYbAWup+rVt0cAb0Ja8zBnnkHRdwe0gQqtoj+5YdD8RAluBJePFigp77
-pK+JfdiYnA0JC3Z+7gkeWM/uY9ojDuasX83yVf7Kgm+7HMUrh5dGaDMCgYEA74M5
-Q32oM8zxGm9ck82rh7ox0NwTeIrwr5U42QFqT0h26nR3m51l8odj3rz0WnRtOfAl
-sjJ3y5tygdVLMzwpuHzpA/iq7YRY04+g7Q5MoVAImLKzKJzIxZra+6eo2ctcQCBO
-U90+jY4C4/YgvTYKnndFvlVXcXXNyhPJKlfLAkkCgYEA8yOWmHjtRLuERvi+rYAd
-SJrPQnW9TdoJYD2q1Ua0jMaJear2BGeT0w+dTzLFLzw9iGjPxdlkPbIgSeFigabx
-C1vMjVtD/cNfG/Fh4AWR8jcoRYEU2Dy5E+W2UzQMU1E4McsEKlrg948zPdEkKLBy
-9LjDe6l8Q5d9PdnV6LM9ao0CgYAnY7NVMCMrcbbtHAdjn11oUuzCZo8lMeRnW+kf
-dyYep9I2uLS6+OW9PxrjlLuy7JbSAnaQmdAtwgDQ7V0SrgBGgPRpXMnvieZ51JMo
-qUNc/CaNxkXElhRGuzLsVCRmvRUMzsNS833IFeTPzLiRpYOVkBP+O1bIKBGR/DMH
-La0LUQKBgQD0Jea309Qr3CZIDp8IYnthYHIezDPmRBbyMKK5kTj/GC19JIXJoonw
-nUw9vpVp+WdBy+ZP/567eUp9RrG9xP+OrirWeUT8UFdmpc+JbI54b2tX0UgUePKm
-oKXf/DlOM5K2gDaIL+wlFYuxdrLtFCxvFP+7ihueivunjbtENQqdGA==
------END RSA PRIVATE KEY-----
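Review bot: workload-bar-key.pem (and workload-foo-key.pem further down) is an unencrypted RSA private key, and deleting it here removes it from the working tree only; it stays retrievable from repository history. Treat both keys, and the ca-key.pem that generate-workload.sh copies from the same directory, as public: confirm that no cluster, test fixture or trust bundle still accepts certificates from samples/certs, and say so in the commit message so the removal is not read as a secret rotation.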
diff --git a/istio-1.18.2/samples/certs/workload-bar-root-certs.pem b/istio-1.18.2/samples/certs/workload-bar-root-certs.pem
deleted file mode 100644
index 9a43073e..00000000
--- a/istio-1.18.2/samples/certs/workload-bar-root-certs.pem
+++ /dev/null
@@ -1,46 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
-MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD
-QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx
-OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
-CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x
-ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9
-iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z
-APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K
-M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom
-ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8
-LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T
-BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC
-AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w
-A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8
-PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y
-05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN
-Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn
-aFKltOc+RAjzDklcUPeG4Y6eMA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
-MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD
-QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx
-OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
-DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv
-MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB
-FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN
-8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu
-IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw
-uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv
-YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw
-zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh
-euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ
-ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W
-tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK
-WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy
-AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx
-xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a
-3g==
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/certs/workload-foo-cert.pem b/istio-1.18.2/samples/certs/workload-foo-cert.pem
deleted file mode 100644
index 50197b98..00000000
--- a/istio-1.18.2/samples/certs/workload-foo-cert.pem
+++ /dev/null
@@ -1,43 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL
-BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT
-CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X
-DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp
-tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er
-3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh
-MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5
-IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG
-+PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P
-AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
-Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v
-bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV
-WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC
-FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/
-q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og
-MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE
-Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT
-bw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
-MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD
-QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx
-OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
-CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x
-ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9
-iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z
-APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K
-M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom
-ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8
-LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T
-BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC
-AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w
-A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8
-PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y
-05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN
-Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn
-aFKltOc+RAjzDklcUPeG4Y6eMA==
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/certs/workload-foo-key.pem b/istio-1.18.2/samples/certs/workload-foo-key.pem
deleted file mode 100644
index bac90f1e..00000000
--- a/istio-1.18.2/samples/certs/workload-foo-key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpgIBAAKCAQEAxEV57zKbR02IsRorjqvdrEeZJo8S77zB5iyrknP76mm2ktit
-HFXv1Q8rMqowuZ9xrUpSzo9iQKKl/+Gy82MvCRB/VFGl1JweTXtUr8BrQSveZogP
-DlPNF6p3sx+CwhRK2bLpPRZXLMwdUCMNX9pGRPDNbCnb1smB+S8jb9DL0yEw4005
-nf6b5RwgriimCDsaY3DKd+s/GFZ9SyC1gSlpNcRsk6OpCH/wijnogrgBtLki80V8
-3ZEouLTCD1jOB36h2iJ+m6ZpM/qK4mmiFLIKCmGvxreNfkO5Q1d2696LAwb48RJz
-RBIbMBYDXX89YLW/SdTjmhZMHfWJt24ZZ6ebZwIDAQABAoIBAQC+W0vZrFFhpFcw
-vVsFcrb6Qi7NcPJCxeWhIi39SrRHM+Q5JCExXD/RenbBGsNLJNMR6QXLBNGcMqOh
-OvtehxG1TuTPmKinPgs9xqHqG0tq1+tJsig4ExrVGyYg+izNovS9k4IXFzXRYt4D
-PRvZnU+NyabSgv6OoL2IOim6Zt1olBIHK0u57bNEFLoLJBHi+/qxVo1H1ZxW4eg/
-/hCkg8IlT7G1wrT9uwAU5ld6wpG6OYub4uHLPsoyWB4E2vl1/liZq4MnUJG0M5m5
-QWHy9wL3jow/LtjVvcn/I09YIJKI9BocUi6/ze/Boy1zo4cL+cryLpfplIhZ0u/N
-a/S/222BAoGBAPPXTLJyfSEt70+H2iYPKEBMVo8UBAW2rSICOCMvKZJuCuqccB75
-Jy6h+BQtIJZf+rnNzlG4EH6Vjb4mC/YYBf0U1inpCsdKcw96hv7+EYzBtKf/lK9N
-au+AEAgngr1xgA+M84jMWnosFMNw88pO6j260y1aMUmLD8onrnglPcEHAoGBAM4O
-79WMqTXipgvQzx66KeQQs6Gf1nwh4Ut9NYs2nk4KQrkAHd4zuURFlxdnqr/mC4wb
-nsLCdFOOZaiWIIG93lp0Ox0dLar2jJK88WfCzzerUBljMRv8xJZBLOe7rv5iawVC
-mBnZE606m1kTrj6wY5M7TsZiIIeYQcmlJNmW9ZqhAoGBAMY+iqqiDj2FfQTp7F/4
-/r6X0d/tY//JLyVxLHbehyv3r4Riv31PD54ILQsqTU40pkGdo1opDa/8owqvIBZq
-HaRO5neYchzo2HcDJPH3WglYCypyzk1f4crqER6wEMk4l+cMr4rOqdieMhtbn7kh
-Q6wAUmSS6XNjTekLLfucO4LNAoGBAIjIgYxQg0Kx4WeWhObwzT4HmDaB0+8yzks+
-Inz3FL7ZMNF9slX+H82iJFn1BvO70Y6ABzNhwbZ1oCX5Ajsdvqxs25DH/bivUUFX
-CyjFuKhLoDA6GC9r61OSkCyD+fYDfudO/YirANTNQrIuzkvu6yqhA/nMyas49vLU
-HVITU5YBAoGBANJVeCLwpjoK2ROM6mIQrHtBR5Ft0a5DhjQWT/6FrsUXGYH3nsdt
-cEUCJsBU7z46GcByRIT25xGimoitQppsw6Wcf0gtjNyqbF56aejjEkd5LNtm77gz
-9wNya77NzyrtiAjG9TCnDPJUX7satEoXgEGMxmtoiQ+pbD3nvJsFjkZQ
------END RSA PRIVATE KEY-----
diff --git a/istio-1.18.2/samples/certs/workload-foo-root-certs.pem b/istio-1.18.2/samples/certs/workload-foo-root-certs.pem
deleted file mode 100644
index 9a43073e..00000000
--- a/istio-1.18.2/samples/certs/workload-foo-root-certs.pem
+++ /dev/null
@@ -1,46 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
-MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD
-QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx
-OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
-CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x
-ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9
-iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z
-APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K
-M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom
-ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8
-LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T
-BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC
-AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w
-A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8
-PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y
-05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN
-Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn
-aFKltOc+RAjzDklcUPeG4Y6eMA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
-MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD
-QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx
-OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
-DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv
-MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB
-FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN
-8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu
-IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw
-uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv
-YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw
-zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh
-euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ
-ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W
-tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK
-WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy
-AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx
-xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a
-3g==
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/cicd/skaffold/README.md b/istio-1.18.2/samples/cicd/skaffold/README.md
deleted file mode 100644
index a8fa19ab..00000000
--- a/istio-1.18.2/samples/cicd/skaffold/README.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# Skaffold
-
-This is intended for demonstration only, and is not tuned for performance or security.
-
-skaffold is a tool that enables fast development iteration and controls deployment to local or remote clusters
-
-If running `skaffold run` for deployment, manifests are pulled from remote charts, if running `skaffold dev` for development and hot reload, manifests are pulled from current branch.
-
-## Quick Start
-
-skaffold is built around modules and profiles
-
-1) istio-base + istio
-
- ```bash
- skaffold run -m istiod
- ```
-
-2) istio-base + istio + ingress
-
- ```bash
- skaffold run -m ingress
- ```
-
-3) istio-base + istio + ingress + kiali
-
- ```bash
- skaffold run -m ingress,kiali
- ```
-
-4) istio-base + istio + ingress + kiali + bookinfo
-
- ```bash
- skaffold run -m ingress,kiali,bookinfo
- ```
-
-## References
-
-- Github: [github.com/GoogleContainerTools/skaffold](https://github.com/GoogleContainerTools/skaffold)
-- Site: [skaffold.dev](https://skaffold.dev/)
-
-### TODO
-
-- Add build and test stage for images in istiod (pilot and proxy)
-- Addons
diff --git a/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml b/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml
deleted file mode 100644
index b67aa289..00000000
--- a/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml
+++ /dev/null
@@ -1,145 +0,0 @@
-# Skaffold - https://skaffold.dev/
-# ------------------------------------------------ #
-# This is for illustration purposes only
-# ------------------------------------------------ #
-# Installation options & modules
-# ------------------------------------------------ #
-# istio - `skaffold run -m istiod`
-# ingress - `skaffold run -m ingress`
-# Addons:
-# - kiali - `skaffold run -m kiali`
-# - prometheus - `skaffold run -m prometheus`
-# Demos:
-# - bookinfo - `skaffold run -m bookinfo`
-# ------------------------------------------------ #
-# Development mode - skaffold dev #
-# ------------------------------------------------- #
-apiVersion: skaffold/v2beta22
-kind: Config
-metadata:
- name: istio-base
-profiles:
- - name: dev
- activation:
- - command: dev
- deploy:
- helm:
- releases:
- - name: istio-base
- chartPath: ../../../manifests/charts/base
- namespace: istio-system
- createNamespace: true
- - name: run
- activation:
- - command: run
- deploy:
- helm:
- releases:
- - name: istio-base
- remoteChart: base
- repo: https://istio-release.storage.googleapis.com/charts
- namespace: istio-system
- createNamespace: true
----
-apiVersion: skaffold/v2beta22
-kind: Config
-metadata:
- name: istiod
-requires:
- - configs: [istio-base]
-profiles:
- - name: dev
- activation:
- - command: dev
- deploy:
- helm:
- releases:
- - name: istiod
- chartPath: ../../../manifests/charts/istio-control/istio-discovery
- namespace: istio-system
- - name: run
- activation:
- - command: run
- deploy:
- helm:
- releases:
- - name: istiod
- remoteChart: istiod
- repo: https://istio-release.storage.googleapis.com/charts
- namespace: istio-system
----
-apiVersion: skaffold/v2beta22
-kind: Config
-metadata:
- name: ingress
-requires:
- - configs: [istiod]
-profiles:
- - name: dev
- activation:
- - command: dev
- deploy:
- helm:
- releases:
- - name: istio-ingressgateway
- chartPath: ../../../manifests/charts/gateway
- namespace: istio-system
- - name: run
- activation:
- - command: run
- deploy:
- helm:
- releases:
- - name: istio-ingressgateway
- remoteChart: gateway
- repo: https://istio-release.storage.googleapis.com/charts
- namespace: istio-system
----
-# https://istio.io/latest/docs/ops/integrations/prometheus/
-apiVersion: skaffold/v2beta22
-kind: Config
-metadata:
- name: prometheus
-requires:
- - configs: [istiod]
-deploy:
- kubectl:
- manifests: ["../../../samples/addons/prometheus.yaml"]
----
-apiVersion: skaffold/v2beta22
-kind: Config
-metadata:
- name: kiali
-requires:
- - configs: [prometheus]
-deploy:
- helm:
- releases:
- - name: kiali-server
- remoteChart: kiali-server
- repo: https://kiali.org/helm-charts
- namespace: istio-system
- version: v1.44.0
- valuesFiles: [../../../manifests/addons/values-kiali.yaml]
----
-# Config for https://istio.io/latest/docs/examples/bookinfo/
-apiVersion: skaffold/v2beta22
-kind: Config
-metadata:
- name: bookinfo
-requires:
- - configs: [ingress]
-deploy:
- kubectl:
- hooks:
- before:
- - host:
- command: ["sh", "-c", "kubectl label namespace default istio-injection=enabled --overwrite"]
- os: [darwin, linux]
- - host:
- command: ["cmd.exe", "/C", "kubectl label namespace default istio-injection=enabled --overwrite"]
- os: [windows]
- manifests:
- - "../../../samples/bookinfo/platform/kube/bookinfo.yaml"
- - "../../../samples/bookinfo/networking/bookinfo-gateway.yaml"
- - "../../../samples/bookinfo/networking/destination-rule-all.yaml"
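Review bot: the `run` profiles in the deleted skaffold.yaml install `base`, `istiod` and `gateway` via `remoteChart` with no `version:` field, while only `kiali-server` is pinned (`version: v1.44.0`), so `skaffold run` from a directory named istio-1.18.2 would install whatever chart version the repository currently serves. Nothing to change in a deletion, but if this sample is reinstated elsewhere, pin each release's `version:` to match the tree it ships with.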
diff --git a/istio-1.18.2/samples/custom-bootstrap/README.md b/istio-1.18.2/samples/custom-bootstrap/README.md
deleted file mode 100644
index 814e7dcc..00000000
--- a/istio-1.18.2/samples/custom-bootstrap/README.md
+++ /dev/null
@@ -1,52 +0,0 @@
-# Custom Envoy Bootstrap Configuration
-
-This sample creates a simple helloworld service that bootstraps the Envoy proxy with a custom configuration file.
-
-## Starting the service
-
-First, we need to create a `ConfigMap` resource with our bootstrap configuration.
-
-```bash
-kubectl apply -f custom-bootstrap.yaml
-```
-
-Next, we can create a service that uses this bootstrap configuration.
-
-To do this, we need to add an annotation, `sidecar.istio.io/bootstrapOverride`, with the name of our ConfigMap as the value.
-
-We can create our helloworld app, using the custom config, with:
-
-```bash
-kubectl apply -f example-app.yaml
-```
-
-If you don't have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection)
-set in your cluster you will need to manually inject it to the services instead:
-
-```bash
-istioctl kube-inject -f example-app.yaml -o example-app-istio.yaml
-kubectl apply -f example-app-istio.yaml
-```
-
-## Checking the Bootstrap Configuration
-
-To see what bootstrap configuration a pod is using:
-
-```bash
-istioctl proxy-config bootstrap
-```
-
-## Customizing the Bootstrap
-
-The configuration provided will be passed to envoy using the [`--config-yaml`](https://www.envoyproxy.io/docs/envoy/v1.7.1/operations/cli#cmdoption-config-yaml) flag.
-
-This will merge the passed in configuration with the default configuration. Singular values will replace the default values, while repeated values will be appended.
-
-For reference, [the default bootstrap configuration](../../tools/packaging/common/envoy_bootstrap.json) and Envoy's [configuration reference](https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration#config) may be useful
-
-## Cleanup
-
-```bash
-kubectl delete -f custom-bootstrap.yaml
-kubectl delete -f example-app.yaml
-```
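Review bot: Under "Checking the Bootstrap Configuration", `istioctl proxy-config bootstrap` is shown without a pod name, although the sentence above it says it reports what "a pod" is using, so the command cannot be run as written. The `--config-yaml` link is also pinned to the Envoy v1.7.1 docs while the configuration reference link points at `latest`. If this README is being relocated rather than removed, fix both, and add the missing period after "may be useful".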
diff --git a/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml b/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml
deleted file mode 100644
index 5f406976..00000000
--- a/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-custom-bootstrap-config
- namespace: default
-data:
- custom_bootstrap.json: |
- "tracing": {
- "http": {
- "name": "envoy.tracers.zipkin",
- "typed_config": {
- "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig",
- "collector_cluster": "zipkin",
- "collector_endpoint": "/api/v1/spans/custom",
- "collector_endpoint_version": "HTTP_JSON",
- "trace_id_128bit": true,
- "shared_span_context": false
- }
- }
- }
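Review bot: The `custom_bootstrap.json` value begins directly at `"tracing": {` with no enclosing object braces, so the payload is a fragment and not a JSON document a linter or schema check could parse on its own. The ConfigMap also hard-codes `namespace: default` while `example-app.yaml` sets no namespace, so the two only line up when the app is applied to `default`. Please confirm nothing else still refers to `istio-custom-bootstrap-config` once this file is gone.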
diff --git a/istio-1.18.2/samples/custom-bootstrap/example-app.yaml b/istio-1.18.2/samples/custom-bootstrap/example-app.yaml
deleted file mode 100644
index 3a351a31..00000000
--- a/istio-1.18.2/samples/custom-bootstrap/example-app.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: helloworld-v1
- labels:
- app: helloworld
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: helloworld
- version: v1
- template:
- metadata:
- annotations:
- sidecar.istio.io/bootstrapOverride: "istio-custom-bootstrap-config"
- labels:
- app: helloworld
- version: v1
- spec:
- containers:
- - name: helloworld
- image: docker.io/istio/examples-helloworld-v1
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 5000
diff --git a/istio-1.18.2/samples/extauthz/README.md b/istio-1.18.2/samples/extauthz/README.md
deleted file mode 100644
index 1aba62b6..00000000
--- a/istio-1.18.2/samples/extauthz/README.md
+++ /dev/null
@@ -1,99 +0,0 @@
-# Ext Authz Service
-
-[Ext Authz server](cmd/extauthz) implements the external server for the [Envoy ext_authz filter](https://www.envoyproxy.io/docs/envoy/v1.16.0/intro/arch_overview/security/ext_authz_filter)
-as an example of integrating custom authorization system into Istio.
-
-The Ext Authz server supports authorization check request using either HTTP (port 8000) or gRPC v2/v3 (port 9000) API and
-will allow the request if it includes the header `x-ext-authz: allow` or if the service account of the source workload is `a`.
-Note that `a` is just a default value for testing. It can be changed with the flag `-allow_service_account` when running the ext authz server.
-
-## Usage
-
-1. Deploy the Ext Authz service in a dedicated pod:
-
- ```console
- $ kubectl apply -f ext-authz.yaml
- service/ext-authz created
- deployment.apps/ext-authz created
- ```
-
- Note, you can also deploy the Ext Authz service locally with the application container in the same pod, see the example in `local-ext-authz.yaml`.
-
-1. Verify the Ext Authz server is up and running:
-
- Deploy a sleep pod to send the request:
-
- ```console
- $ kubectl apply -f ../sleep/sleep.yaml
- ```
-
- Send a check request with header `x-ext-authz: allow` to the Ext Authz server:
-
- ```console
- $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: allow"
- * Trying 10.97.88.183:8000...
- * Connected to ext-authz-server (10.97.88.183) port 8000 (#0)
- > GET / HTTP/1.1
- > Host: ext-authz-server:8000
- > User-Agent: curl/7.73.0-DEV
- > Accept: */*
- > x-ext-authz: allow
- >
- * Mark bundle as not supporting multiuse
- < HTTP/1.1 200 OK
- < x-ext-authz-result: allowed
- < date: Tue, 03 Nov 2020 03:06:11 GMT
- < content-length: 0
- < x-envoy-upstream-service-time: 19
- < server: envoy
- <
- * Connection #0 to host ext-authz-server left intact
- ```
-
- As you observe, the check request with header `x-ext-authz: allow` is allowed by the Ext Authz server.
-
- Send another check request with `x-ext-authz: blabla` to the Ext Authz server:
-
- ```console
- $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: bla"
- > GET / HTTP/1.1
- > Host: ext-authz-server:8000
- > User-Agent: curl/7.73.0-DEV
- > Accept: */*
- > x-ext-authz: allowx
- >
- * Mark bundle as not supporting multiuse
- < HTTP/1.1 403 Forbidden
- < x-ext-authz-check-result: denied
- < date: Tue, 03 Nov 2020 03:14:02 GMT
- < content-length: 76
- < content-type: text/plain; charset=utf-8
- < x-envoy-upstream-service-time: 44
- < server: envoy
- <
- * Connection #0 to host ext-authz-server left intact
- denied by ext_authz for not found header `x-ext-authz: allow` in the request
- ```
-
- As you observe, the check request with header `x-ext-authz: bla` is denied by the Ext Authz server.
-
-1. To clean up, execute the following commands:
-
- ```console
- $ kubectl delete -f ../sleep/sleep.yaml
- $ kubectl delete -f ext-authz.yaml
- ```
-
-## Advanced features
-
-The Ext Authz server supports the following advanced features that are useful for testing:
-
-- The ext authz server will add the `x-ext-authz-check-received` header to the user request. The content is the dump of
- the check request it received from the ext-authz filter. This header is useful in verifying the ext-authz filter sending
- the expected request to the ext authz server.
-
-- The ext authz server will add (or override if it already exists) the header `x-ext-authz-additional-header-override` to
- the user request. The value of the header depends on the type of ext-authz server.
- The ext authz HTTP server will set it to the value of the same `x-ext-authz-additional-header-override` header in the
- check request. The ext authz gRPC server will set it to the constant value `grpc-additional-header-override-value`.
- This header is useful in verifying the header override behavior in the ext-authz filter.
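Review bot: The second check example is internally inconsistent: the lead-in says `x-ext-authz: blabla`, the command sends `x-ext-authz: bla`, and the captured request shows `x-ext-authz: allowx`. The result header is also `x-ext-authz-result` in the allowed response but `x-ext-authz-check-result` in the denied one, and `sleep.yaml` is applied with no namespace while the pod is looked up with `-n foo`. If this text survives anywhere after the removal, reconcile these, and state near the top that allowing on a client-supplied `x-ext-authz: allow` header is for testing only.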
diff --git a/istio-1.18.2/samples/extauthz/ext-authz.yaml b/istio-1.18.2/samples/extauthz/ext-authz.yaml
deleted file mode 100644
index 0860df5c..00000000
--- a/istio-1.18.2/samples/extauthz/ext-authz.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Example configurations for deploying ext-authz server separately in the mesh.
-
-apiVersion: v1
-kind: Service
-metadata:
- name: ext-authz
- labels:
- app: ext-authz
-spec:
- ports:
- - name: http
- port: 8000
- targetPort: 8000
- - name: grpc
- port: 9000
- targetPort: 9000
- selector:
- app: ext-authz
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ext-authz
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ext-authz
- template:
- metadata:
- labels:
- app: ext-authz
- spec:
- containers:
- - image: gcr.io/istio-testing/ext-authz:latest
- imagePullPolicy: IfNotPresent
- name: ext-authz
- ports:
- - containerPort: 8000
- - containerPort: 9000
----
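Review bot: The container spec uses `image: gcr.io/istio-testing/ext-authz:latest` together with `imagePullPolicy: IfNotPresent`, so each node keeps whichever build it pulled first and the tag gives no record of what is running. The spec also sets no `resources` or `securityContext`, and the file ends on a dangling `---`. Nothing to change in a deletion, but any manifest that replaces this one should pin the image to a fixed tag or digest.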
diff --git a/istio-1.18.2/samples/extauthz/local-ext-authz.yaml b/istio-1.18.2/samples/extauthz/local-ext-authz.yaml
deleted file mode 100644
index 60a9bf85..00000000
--- a/istio-1.18.2/samples/extauthz/local-ext-authz.yaml
+++ /dev/null
@@ -1,99 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Example configurations for deploying ext-authz server locally with the application container in the same pod.
-
-# Define the service entry for the local ext-authz service on port 8000.
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: httpbin-ext-authz-http
-spec:
- hosts:
- - "ext-authz-http.local"
- endpoints:
- - address: "127.0.0.1"
- ports:
- - name: http
- number: 8000
- protocol: HTTP
- resolution: STATIC
----
-# Define the service entry for the local ext-authz service on port 9000.
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: httpbin-ext-authz-grpc
-spec:
- hosts:
- - "ext-authz-grpc.local"
- endpoints:
- - address: "127.0.0.1"
- ports:
- - name: grpc
- number: 9000
- protocol: GRPC
- resolution: STATIC
----
-# Deploy the ext-authz server locally with the application container in the same pod.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: httpbin
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: httpbin
- version: v1
- template:
- metadata:
- labels:
- app: httpbin
- version: v1
- spec:
- serviceAccountName: httpbin
- containers:
- - image: docker.io/kong/httpbin
- imagePullPolicy: IfNotPresent
- name: httpbin
- ports:
- - containerPort: 80
- - image: gcr.io/istio-testing/ext-authz:latest
- imagePullPolicy: IfNotPresent
- name: ext-authz
- ports:
- - containerPort: 8000
- - containerPort: 9000
----
-apiVersion: v1
-kind: Service
-metadata:
- name: httpbin
- labels:
- app: httpbin
- service: httpbin
-spec:
- ports:
- - name: http
- port: 8000
- targetPort: 80
- selector:
- app: httpbin
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: httpbin
----
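Review bot: Port 8000 means two different things in this file: the `httpbin` Service exposes `port: 8000` with `targetPort: 80`, while the `ext-authz` container in the same pod listens on `containerPort: 8000` and the `httpbin-ext-authz-http` ServiceEntry points at `127.0.0.1` port 8000. A short comment separating the two would help a reader. The `ext-authz` image is again `:latest` with `imagePullPolicy: IfNotPresent`.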
diff --git a/istio-1.18.2/samples/external/README.md b/istio-1.18.2/samples/external/README.md
deleted file mode 100644
index e17198b8..00000000
--- a/istio-1.18.2/samples/external/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# External Services
-
-By default Istio-enabled services are unable to access services and URLs outside of the cluster. Pods use iptables to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations.
-
-See [the Egress Task](https://istio.io/docs/tasks/traffic-management/egress/) for
-information on configuring Istio to contact external services.
-
-This directory contains samples showing how to enable pods to contact a few well
-known services.
-
-If Istio is not configured to allow pods to contact external services, the pods will
-see errors such as 404s, HTTPS connection problems, and TCP connection problems. If
-ServiceEntries are misconfigured pods may see problems with server names.
-
-## Try it out
-
-After an operator runs `kubectl create -f aptget.yaml` pods will be able to
-succeed with `apt-get update` and `apt-get install`.
-
-After an operator runs `kubectl create -f github.yaml` pods will be able to
-succeed with `git clone https://github.com/fortio/fortio.git`.
-
-Running `kubectl create -f pypi.yaml` allows pods to update Python libraries using `pip`.
-
-It is not a best practice to enable pods to update libraries dynamically.
-We are providing these samples
-because they have proven to be helpful with interactive troubleshooting. Security minded clusters should only allow traffic to service dependencies such as cloud
-services.
-
-### Enable communication by default
-
-Note that [this note](https://istio.io/docs/tasks/traffic-management/egress/#install-istio-with-access-to-all-external-services-by-default) shows how to configure Istio to contact services by default. The technique
-discussed there does not allow HTTP on port 80 or SSH on port 22. These examples will
-allow external communication for ports 80 and 22.
diff --git a/istio-1.18.2/samples/external/aptget.yaml b/istio-1.18.2/samples/external/aptget.yaml
deleted file mode 100644
index fa24fa45..00000000
--- a/istio-1.18.2/samples/external/aptget.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# This ServiceEntry exposes the hosts needed for installing packages with apt-get.
-# After applying this file, Istio-enabled pods (configured apt-get) be able to execute
-# `apt-get upgrade` and `apt-get install`. If this is not installed you may get
-# "404 Not Found"
-
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: make-aptget-work
-spec:
- hosts:
- - deb.debian.org
- - cdn-fastly.deb.debian.org
- - security.debian.org
- - archive.ubuntu.com
- - security.ubuntu.com
- ports:
- - number: 80
- name: http
- protocol: HTTP
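Review bot: The header comment reads "Istio-enabled pods (configured apt-get) be able to execute", which is missing "will". More substantively, this ServiceEntry opens plain HTTP on port 80 to five mirror hosts and sets neither `location` nor `resolution`, whereas `github-tcp` in the neighbouring file sets `location: MESH_EXTERNAL`. Since the README already says dynamic package updates are not a best practice, please confirm no workload still relies on `make-aptget-work` before it is removed.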
diff --git a/istio-1.18.2/samples/external/github.yaml b/istio-1.18.2/samples/external/github.yaml
deleted file mode 100644
index 832cbc37..00000000
--- a/istio-1.18.2/samples/external/github.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-# This ServiceEntry exposes the hosts needed for github.com.
-# After applying this file, Istio-enabled pods will be able to execute
-# `git clone https://github.com/istio/api.git` and (with local identification
-# config and certificate) `git clone git@github.com:istio/api.git`
-
-# HTTP and TLS, the host must be specified
-# See https://istio.io/docs/tasks/traffic-management/egress/
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: github-https
-spec:
- hosts:
- - github.com
- ports:
- - number: 443
- name: https
- protocol: HTTPS
----
-# For TCP services the IP ranges SHOULD be specified to avoid problems
-# if multiple SEs use the same port number.
-# See https://istio.io/blog/2018/egress-tcp/#mesh-external-service-entry-for-an-external-mysql-instance
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: github-tcp
-spec:
- hosts:
- - dummy.github.com # not used
- addresses: # from https://help.github.com/articles/about-github-s-ip-addresses/
- - "13.229.188.59/32"
- - "13.250.177.223/32"
- - "140.82.112.0/20"
- - "18.194.104.89/32"
- - "18.195.85.27/32"
- - "185.199.108.0/22"
- - "185.199.108.153/32"
- - "185.199.109.153/32"
- - "185.199.110.153/32"
- - "185.199.111.153/32"
- - "192.30.252.0/22"
- - "192.30.252.153/32"
- - "192.30.252.154/32"
- - "23.20.92.3/32"
- - "35.159.8.160/32"
- - "52.74.223.119/32"
- - "54.166.52.62/32"
- - "54.87.5.173/32"
- ports:
- - name: tcp
- number: 22
- protocol: tcp
- location: MESH_EXTERNAL
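Review bot: The `addresses` list in `github-tcp` is a hand-copied snapshot and is partly redundant: `185.199.108.153/32` through `185.199.111.153/32` already fall inside `185.199.108.0/22`, and `192.30.252.153/32` and `192.30.252.154/32` fall inside `192.30.252.0/22`. The port also uses `protocol: tcp` in lower case while the other entries use `HTTPS`. If SSH egress to GitHub is still needed after this removal, a replacement should say how the ranges are kept current.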
diff --git a/istio-1.18.2/samples/external/pypi.yaml b/istio-1.18.2/samples/external/pypi.yaml
deleted file mode 100644
index 7f457a5a..00000000
--- a/istio-1.18.2/samples/external/pypi.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-# This ServiceEntry exposes the hosts needed for Python `pip`.
-# After applying this file, Istio-enabled pods will be able to execute
-# `pip search istio`.
-
-# HTTP and TLS, the host must be specified
-# See https://istio.io/docs/tasks/traffic-management/egress/
-
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: python-https
-spec:
- hosts:
- - pypi.python.org
- ports:
- - number: 443
- name: https
- protocol: HTTPS
----
-# pypi.python.org may 301 redirect to pypi.org, so we need this too.
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: pypi-https
-spec:
- hosts:
- - pypi.org
- ports:
- - number: 443
- name: https
- protocol: HTTPS
----
-# pip install may fetch files from files.pythonhosted.org
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: pythonhosted-https
-spec:
- hosts:
- - files.pythonhosted.org
- ports:
- - number: 443
- name: https
- protocol: HTTPS
diff --git a/istio-1.18.2/samples/grpc-echo/README.md b/istio-1.18.2/samples/grpc-echo/README.md
deleted file mode 100644
index 46631698..00000000
--- a/istio-1.18.2/samples/grpc-echo/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# grpc-echo
-
-This sample demonstrates Istio's Proxyless gRPC support with a special injection template `grpc-agent`.
-The template injects the `istio-proxy` sidecar, but the sidecar will only run `pilot-agent` and not envoy.
-
-See the [gRPC xDS feature status](https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md) for more
-information.
diff --git a/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml b/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml
deleted file mode 100644
index fb3899c3..00000000
--- a/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml
+++ /dev/null
@@ -1,197 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: echo
- name: echo
- namespace: echo-grpc
-spec:
- selector:
- app: echo
- type: ClusterIP
- ports:
- - name: http
- port: 80
- targetPort: 18080
- - name: grpc
- port: 7070
- targetPort: 17070
- - name: tcp
- port: 9090
- targetPort: 19090
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: echo-v1
- namespace: echo-grpc
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: echo
- version: v1
- template:
- metadata:
- annotations:
- inject.istio.io/templates: grpc-agent
- proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}'
- labels:
- app: echo
- version: v1
- spec:
- containers:
- - args:
- - --metrics=15014
- - --port
- - "18080"
- - --tcp
- - "19090"
- - --xds-grpc-server=17070
- - --grpc
- - "17070"
- - --grpc
- - "17171"
- - --port
- - "3333"
- - --port
- - "8080"
- - --version
- - v1
- - --crt=/cert.crt
- - --key=/cert.key
- env:
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
- image: gcr.io/istio-testing/app:latest
- imagePullPolicy: Always
- livenessProbe:
- failureThreshold: 10
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- tcpSocket:
- port: tcp-health-port
- timeoutSeconds: 1
- name: app
- ports:
- - containerPort: 17070
- protocol: TCP
- - containerPort: 17171
- protocol: TCP
- - containerPort: 8080
- protocol: TCP
- - containerPort: 3333
- name: tcp-health-port
- protocol: TCP
- readinessProbe:
- failureThreshold: 10
- httpGet:
- path: /
- port: 8080
- scheme: HTTP
- initialDelaySeconds: 1
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 1
- securityContext:
- runAsGroup: 1338
- runAsUser: 1338
- startupProbe:
- failureThreshold: 10
- periodSeconds: 10
- successThreshold: 1
- tcpSocket:
- port: tcp-health-port
- timeoutSeconds: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: echo-v2
- namespace: echo-grpc
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: echo
- version: v2
- template:
- metadata:
- annotations:
- inject.istio.io/templates: grpc-agent
- proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}'
- labels:
- app: echo
- version: v2
- spec:
- containers:
- - args:
- - --metrics=15014
- - --xds-grpc-server=17070
- - --port
- - "18080"
- - --tcp
- - "19090"
- - --grpc
- - "17070"
- - --grpc
- - "17171"
- - --port
- - "3333"
- - --port
- - "8080"
- - --version
- - v2
- - --crt=/cert.crt
- - --key=/cert.key
- env:
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
- image: gcr.io/istio-testing/app:latest
- imagePullPolicy: Always
- livenessProbe:
- failureThreshold: 10
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- tcpSocket:
- port: tcp-health-port
- timeoutSeconds: 1
- name: app
- ports:
- - containerPort: 17070
- protocol: TCP
- - containerPort: 17171
- protocol: TCP
- - containerPort: 8080
- protocol: TCP
- - containerPort: 3333
- name: tcp-health-port
- protocol: TCP
- readinessProbe:
- failureThreshold: 10
- httpGet:
- path: /
- port: 8080
- scheme: HTTP
- initialDelaySeconds: 1
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 1
- securityContext:
- runAsGroup: 1338
- runAsUser: 1338
- startupProbe:
- failureThreshold: 10
- periodSeconds: 10
- successThreshold: 1
- tcpSocket:
- port: tcp-health-port
- timeoutSeconds: 1
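Review bot: Every resource here sets `namespace: echo-grpc`, but the file contains no Namespace object and the README removed alongside it does not mention creating one, so a plain `kubectl apply` fails on a fresh cluster. Both Deployments also run `gcr.io/istio-testing/app:latest` with `imagePullPolicy: Always`, so the sample's behaviour follows whatever was last pushed to that tag. The Service's `targetPort` values 18080 and 19090 are not listed under the container `ports`, which makes the mapping harder to audit.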
diff --git a/istio-1.18.2/samples/health-check/liveness-command.yaml b/istio-1.18.2/samples/health-check/liveness-command.yaml
deleted file mode 100644
index 247b55e5..00000000
--- a/istio-1.18.2/samples/health-check/liveness-command.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Liveness service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: liveness
- labels:
- app: liveness
- service: liveness
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: liveness
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: liveness
-spec:
- selector:
- matchLabels:
- app: liveness
- template:
- metadata:
- labels:
- app: liveness
- spec:
- containers:
- - name: liveness
- image: registry.k8s.io/busybox
- args:
- - /bin/sh
- - -c
- - touch /tmp/healthy; sleep 3600
- livenessProbe:
- exec:
- command:
- - cat
- - /tmp/healthy
- initialDelaySeconds: 5
- periodSeconds: 5
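Review bot: The `liveness` Service exposes `port: 80`, but the container only runs `touch /tmp/healthy; sleep 3600`, so nothing listens behind that port. The image `registry.k8s.io/busybox` is also referenced without a tag. If the health-check samples are kept elsewhere, either drop the Service or say it is only a placeholder, and pin the image.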
diff --git a/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml b/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml
deleted file mode 100644
index a39a3ff1..00000000
--- a/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: liveness-http
- labels:
- app: liveness-http
- service: liveness-http
-spec:
- ports:
- - name: http
- port: 8001
- selector:
- app: liveness-http
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: liveness-http
-spec:
- selector:
- matchLabels:
- app: liveness-http
- version: v1
- template:
- metadata:
- labels:
- app: liveness-http
- version: v1
- spec:
- containers:
- - name: liveness-http
- image: docker.io/istio/health:example
- ports:
- - containerPort: 8001
- livenessProbe:
- httpGet:
- path: /foo
- port: 8001
- initialDelaySeconds: 5
- periodSeconds: 5
diff --git a/istio-1.18.2/samples/helloworld/README.md b/istio-1.18.2/samples/helloworld/README.md
deleted file mode 100644
index e41bd167..00000000
--- a/istio-1.18.2/samples/helloworld/README.md
+++ /dev/null
@@ -1,110 +0,0 @@
-# Helloworld service
-
-This sample includes two versions of a simple helloworld service that returns its version
-and instance (hostname) when called.
-It can be used as a test service when experimenting with version routing.
-
-This service is also used to demonstrate canary deployments working in conjunction with autoscaling.
-See [Canary deployments using Istio](https://istio.io/blog/2017/0.1-canary).
-
-## Start the helloworld service
-
-The following commands assume you have
-[automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection)
-enabled in your cluster.
-If not, you'll need to modify them to include
-[manual sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection).
-
-To run both versions of the helloworld service, use the following command:
-
-```bash
-kubectl apply -f helloworld.yaml
-```
-
-Alternatively, you can run just one version at a time by first defining the service:
-
-```bash
-kubectl apply -f helloworld.yaml -l service=helloworld
-```
-
-and then deploying version v1, v2, or both:
-
-```bash
-kubectl apply -f helloworld.yaml -l version=v1
-kubectl apply -f helloworld.yaml -l version=v2
-```
-
-For even more flexibility, there is also a script, `gen-helloworld.sh`, that will
-generate YAML for the helloworld service. This script takes the following
-arguments:
-
-Argument | Default | Description
--------- | ------- | -----------
-`-h`,`--help` | | Prints usage information.
-`--version` | `v1` | Specifies the version that will be returned by the helloworld service.
-`--includeService` | `true` | If `true` the service will be included in the YAML.
-`--includeDeployment` | `true` | If `true` the deployment will be included in the YAML.
-
-You can use this script to deploy a custom version:
-
-```bash
-./gen-helloworld.sh --version customversion | \
- kubectl apply -f -
-```
-
-## Configure the helloworld gateway
-
-*___Note:___ Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). You can use the Gateway API to configure the helloworld service, instead of the classic Istio configuration model, by following the instructions in [./gateway-api/README.md](./gateway-api/README.md), instead of the instructions below.*
-
-Apply the helloworld gateway configuration:
-
-```bash
-kubectl apply -f helloworld-gateway.yaml
-```
-
-Follow [these instructions](https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports)
-to set the INGRESS_HOST and INGRESS_PORT variables and then confirm the sample is running using curl:
-
-```bash
-export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
-curl http://$GATEWAY_URL/hello
-```
-
-## Autoscale the services
-
-Note that a Kubernetes [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)
-only works if all containers in the pods request cpu. In this sample the deployment
-containers in `helloworld.yaml` are configured with the request.
-The injected istio-proxy containers also include cpu requests,
-making the helloworld service ready for autoscaling.
-
-Enable autoscaling on both versions of the service:
-
-```bash
-kubectl autoscale deployment helloworld-v1 --cpu-percent=50 --min=1 --max=10
-kubectl autoscale deployment helloworld-v2 --cpu-percent=50 --min=1 --max=10
-kubectl get hpa
-```
-
-## Generate load
-
-```bash
-./loadgen.sh &
-./loadgen.sh & # run it twice to generate lots of load
-```
-
-Wait for about 2 minutes and then check the number of replicas:
-
-```bash
-kubectl get hpa
-```
-
-If the autoscaler is functioning correctly, the `REPLICAS` column should have a value > 1.
-
-## Cleanup
-
-```bash
-kubectl delete -f helloworld.yaml
-kubectl delete -f helloworld-gateway.yaml
-kubectl delete hpa helloworld-v1 helloworld-v2
-```
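Review bot: "Generate load" starts `./loadgen.sh &` twice in the background, but the "Cleanup" section only deletes the Kubernetes objects and never stops those jobs, so they keep sending requests after the service is gone. If this README is retained in another location, add a step that ends the background jobs before the `kubectl delete` lines.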
diff --git a/istio-1.18.2/samples/helloworld/gateway-api/README.md b/istio-1.18.2/samples/helloworld/gateway-api/README.md
deleted file mode 100644
index ee37810e..00000000
--- a/istio-1.18.2/samples/helloworld/gateway-api/README.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# Configure helloworld using the Kubernetes Gateway API
-
-Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/).
-You can use the following instructions to configure the ingress gateway and routing for the helloworld sample.
-
-## Before you begin
-
-The Gateway API CRDs do not come installed by default on most Kubernetes clusters, so install them if not present:
-
-```bash
-kubectl get crd gateways.gateway.networking.k8s.io || \
- { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0" | kubectl apply -f -; }
-```
-
-Also make sure you are running two versions (v1 and v2) of the helloworld service:
-
-```bash
-kubectl apply -f ../helloworld.yaml
-```
-
-## Configure the helloworld gateway
-
-Apply the helloworld gateway configuration:
-
-```bash
-kubectl apply -f ./helloworld-gateway.yaml
-```
-
-Note that unlike an Istio `Gateway`, creating a Kubernetes `Gateway` resource will, by default, also [deploy an associated controller](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment).
-
-Set the INGRESS_HOST environment variables to the address of the helloworld gateway:
-
-```bash
-kubectl wait --for=condition=ready gtw helloworld-gateway
-export INGRESS_HOST=$(kubectl get gtw helloworld-gateway -o jsonpath='{.status.addresses[*].value}')
-```
-
-Confirm the sample is running using curl:
-
-```bash
-for run in {1..10}; do curl http://$INGRESS_HOST/hello; done
-```
-
-Since no version routing has been configured, you should see an equal split of traffic, about half handled by helloworld-v1 and the other half handled by helloworld-v2.
-
-## Configure weight-based routing
-
-Declare the helloworld versions (Gateway API requires backend service definitions, unlike the Istio API which uses DestinationRule subsets for this):
-
-```bash
-kubectl apply -f ./helloworld-versions.yaml
-```
-
-Apply the following route rule to distribute the helloworld traffic 90% to v1, 10% to v2:
-
-```bash
-kubectl apply -f ./helloworld-route.yaml
-```
-
-Run the previous curl commands again:
-
-```bash
-for run in {1..10}; do curl http://$INGRESS_HOST/hello; done
-```
-
-Now you should see about 9 out of 10 requests handled by helloworld-v1 and only about 1 in 10 handled by helloworld-v2.
-
-## Cleanup
-
-```bash
-kubectl delete -f ./helloworld-gateway.yaml
-kubectl delete -f ./helloworld-versions.yaml
-kubectl delete -f ../helloworld.yaml
-```
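Review bot: The `INGRESS_HOST` export uses `jsonpath='{.status.addresses[*].value}'`, which yields every address separated by spaces when the gateway reports more than one, and `curl http://$INGRESS_HOST/hello` then receives a broken URL. Selecting a single element, for example `addresses[0]`, would be safer. The loops use `{1..10}`, which needs bash, and "Set the INGRESS_HOST environment variables" should be singular.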
diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml
deleted file mode 100644
index c4c8a8a6..00000000
--- a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: Gateway
-metadata:
- name: helloworld-gateway
-spec:
- gatewayClassName: istio
- listeners:
- - name: http
- port: 80
- protocol: HTTP
- allowedRoutes:
- namespaces:
- from: Same
----
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: helloworld
-spec:
- parentRefs:
- - name: helloworld-gateway
- rules:
- - matches:
- - path:
- type: Exact
- value: /hello
- backendRefs:
- - name: helloworld
- port: 5000
diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml
deleted file mode 100644
index 1e316f95..00000000
--- a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: helloworld
-spec:
- parentRefs:
- - name: helloworld-gateway
- rules:
- - matches:
- - path:
- type: Exact
- value: /hello
- backendRefs:
- - name: helloworld-v1
- port: 5000
- weight: 90
- - name: helloworld-v2
- port: 5000
- weight: 10
diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml
deleted file mode 100644
index fc218515..00000000
--- a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld-v1
-spec:
- ports:
- - port: 5000
- name: http
- selector:
- app: helloworld
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld-v2
-spec:
- ports:
- - port: 5000
- name: http
- selector:
- app: helloworld
- version: v2
diff --git a/istio-1.18.2/samples/helloworld/gen-helloworld.sh b/istio-1.18.2/samples/helloworld/gen-helloworld.sh
deleted file mode 100755
index 8634ddc7..00000000
--- a/istio-1.18.2/samples/helloworld/gen-helloworld.sh
+++ /dev/null
@@ -1,131 +0,0 @@
-#!/bin/bash
-#
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -euo pipefail
-
-display_usage() {
- echo
- echo "USAGE: ./gen-helloworld.sh [--version] [--includeService value] [--includeDeployment value]"
- echo " -h|--help: Prints usage information"
- echo " --version: Specifies the version that will be returned by the helloworld service, default: 'v1'"
- echo " --includeService: If 'true' the service will be included in the YAML, default: 'true'"
- echo " --includeDeployment: If 'true' the deployment will be included in the YAML, default: 'true'"
-}
-
-INCLUDE_SERVICE=${INCLUDE_SERVICE:-"true"}
-INCLUDE_DEPLOYMENT=${INCLUDE_DEPLOYMENT:-"true"}
-SERVICE_VERSION=${SERVICE_VERSION:-"v1"}
-while (( "$#" )); do
- case "$1" in
- -h|--help)
- display_usage
- exit 0
- ;;
-
- --version)
- SERVICE_VERSION=$2
- shift 2
- ;;
-
- --includeService)
- INCLUDE_SERVICE=$2
- shift 2
- ;;
-
- --includeDeployment)
- INCLUDE_DEPLOYMENT=$2
- shift 2
- ;;
-
- *)
- echo "Error: Unsupported flag $1" >&2
- display_usage
- exit 1
- ;;
- esac
-done
-
-SERVICE_YAML=$(cat </dev/null || true)
-if [[ "${ENVOS}" != "Linux" ]]; then
- echo "Your system is not supported by this script. Only Linux is supported"
- exit 1
-fi
-
-# Check prerequisites
-REQUISITES=("kubectl" "kind" "docker")
-for item in "${REQUISITES[@]}"; do
- if [[ -z $(which "${item}") ]]; then
- echo "${item} cannot be found on your system, please install ${item}"
- exit 1
- fi
-done
-
-# Function to print the usage message
-function printHelp() {
- echo "Usage: "
- echo " $0 --cluster-name cluster1 --k8s-release 1.22.1 --ip-space 255"
- echo ""
- echo "Where:"
- echo " -n|--cluster-name - name of the k8s cluster to be created"
- echo " -r|--k8s-release - the release of the k8s to setup, latest available if not given"
- echo " -s|--ip-space - the 2rd to the last part for public ip addresses, 255 if not given, valid range: 0-255"
- echo " -i|--ip-family - ip family to be supported, default is ipv4 only. Value should be ipv4, ipv6, or dual"
- echo " -h|--help - print the usage of this script"
-}
-
-# Setup default values
-CLUSTERNAME="cluster1"
-K8SRELEASE=""
-IPSPACE=255
-IPFAMILY="ipv4"
-
-# Handling parameters
-while [[ $# -gt 0 ]]; do
- optkey="$1"
- case $optkey in
- -h|--help)
- printHelp; exit 0;;
- -n|--cluster-name)
- CLUSTERNAME="$2"; shift 2;;
- -r|--k8s-release)
- K8SRELEASE="--image=kindest/node:v$2"; shift 2;;
- -s|--ip-space)
- IPSPACE="$2"; shift 2;;
- -i|--ip-family)
- IPFAMILY="${2,,}";shift 2;;
- -m|--mode)
- MODE="$2"; shift 2;;
- *) # unknown option
- echo "parameter $1 is not supported"; printHelp; exit 1;;
- esac
-done
-
-# This block is to setup kind to have a local image repo to push
-# images using localhost:5000, to use this feature, start up
-# a registry container such as gcr.io/istio-testing/registry, then
-# connect it to the docker network where kind nodes are running on
-# which normally will be called kind
-FEATURES=$(cat << EOF
-featureGates:
- MixedProtocolLBService: true
- GRPCContainerProbe: true
-kubeadmConfigPatches:
- - |
- apiVersion: kubeadm.k8s.io/v1beta2
- kind: ClusterConfiguration
- metadata:
- name: config
- etcd:
- local:
- # Run etcd in a tmpfs (in RAM) for performance improvements
- dataDir: /tmp/kind-cluster-etcd
- # We run single node, drop leader election to reduce overhead
- controllerManagerExtraArgs:
- leader-elect: "false"
- schedulerExtraArgs:
- leader-elect: "false"
- apiServer:
- extraArgs:
- "service-account-issuer": "kubernetes.default.svc"
- "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
-containerdConfigPatches:
- - |-
- [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
- endpoint = ["http://kind-registry:5000"]
-EOF
-)
-
-validIPFamilies=("ipv4" "ipv6" "dual")
-# Validate if the ip family value is correct.
-isValid="false"
-for family in "${validIPFamilies[@]}"; do
- if [[ "$family" == "${IPFAMILY}" ]]; then
- isValid="true"
- break
- fi
-done
-
-if [[ "${isValid}" == "false" ]]; then
- echo "${IPFAMILY} is not valid ip family, valid values are ipv4, ipv6 or dual"
- exit 1
-fi
-
-if [[ "${MODE}" == "ambient" ]]; then
-NODES=$(cat << EOF
-nodes:
-- role: control-plane
-- role: worker
-- role: worker
-EOF
-)
-else
-NODES=$(cat << EOF
-nodes:
-- role: control-plane
-EOF
-)
-fi
-
-
-# Create k8s cluster using the giving release and name
-if [[ -z "${K8SRELEASE}" ]]; then
- cat << EOF | kind create cluster --config -
-kind: Cluster
-apiVersion: kind.x-k8s.io/v1alpha4
-${FEATURES}
-name: ${CLUSTERNAME}
-${NODES}
-networking:
- ipFamily: ${IPFAMILY}
-EOF
-else
- cat << EOF | kind create cluster "${K8SRELEASE}" --config -
-kind: Cluster
-apiVersion: kind.x-k8s.io/v1alpha4
-${FEATURES}
-name: ${CLUSTERNAME}
-${NODES}
-networking:
- ipFamily: ${IPFAMILY}
-EOF
-fi
-
-# Setup cluster context
-kubectl cluster-info --context "kind-${CLUSTERNAME}"
-
-# Setup metallb using v0.13.6
-kubectl apply -f https://github.com/raw/metallb/metallb/v0.13.6/config/manifests/metallb-native.yaml
-
-addrName="IPAddress"
-ipv4Prefix=""
-ipv6Prefix=""
-
-# Get both ipv4 and ipv6 gateway for the cluster
-gatewaystr=$(docker network inspect -f '{{range .IPAM.Config }}{{ .Gateway }} {{end}}' kind | cut -f1,2)
-read -r -a gateways <<< "${gatewaystr}"
-for gateway in "${gateways[@]}"; do
- if [[ "$gateway" == *"."* ]]; then
- ipv4Prefix=$(echo "${gateway}" |cut -d'.' -f1,2)
- else
- ipv6Prefix=$(echo "${gateway}" |cut -d':' -f1,2,3,4)
- fi
-done
-
-if [[ "${IPFAMILY}" == "ipv4" ]]; then
- addrName="IPAddress"
- ipv4Range="- ${ipv4Prefix}.$IPSPACE.200-${ipv4Prefix}.$IPSPACE.240"
- ipv6Range=""
-elif [[ "${IPFAMILY}" == "ipv6" ]]; then
- ipv4Range=""
- ipv6Range="- ${ipv6Prefix}::$IPSPACE:200-${ipv6Prefix}::$IPSPACE:240"
- addrName="GlobalIPv6Address"
-else
- ipv4Range="- ${ipv4Prefix}.$IPSPACE.200-${ipv4Prefix}.$IPSPACE.240"
- ipv6Range="- ${ipv6Prefix}::$IPSPACE:200-${ipv6Prefix}::$IPSPACE:240"
-fi
-
-# utility function to wait for pods to be ready
-function waitForPods() {
- ns=$1
- lb=$2
- waittime=$3
- # Wait for the pods to be ready in the given namespace with lable
- while : ; do
- res=$(kubectl wait --context "kind-${CLUSTERNAME}" -n "${ns}" pod \
- -l "${lb}" --for=condition=Ready --timeout="${waittime}s" 2>/dev/null ||true)
- if [[ "${res}" == *"condition met"* ]]; then
- break
- fi
- echo "Waiting for pods in namespace ${ns} with label ${lb} to be ready..."
- sleep "${waittime}"
- done
-}
-
-waitForPods metallb-system app=metallb 10
-
-# Now configure the loadbalancer public IP range
-cat <&2
- exit 1
- ;;
- esac
-done
-
-
-# single-cluster installations may need this gateway to allow VMs to get discovery
-# for non-single cluster, we add additional topology information
-SINGLE_CLUSTER="${SINGLE_CLUSTER:-0}"
-if [[ "${SINGLE_CLUSTER}" -eq 0 ]]; then
- if [[ -z "${NETWORK:-}" ]]; then
- echo "Must specify either --single-cluster or --network."
- exit 1
- fi
-fi
-
-# base
-IOP=$(cat < apply -f ../otel.yaml
-```
-
-In this example, we use `otel-collector` as the namespace to deploy the `otel-collector` backend:
-
-```ba
-kubectl -n otel-collector apply -f ../otel.yaml
-```
-
-The otel-collector will create a grpc receiver on port `4317`, and later the sidecars will report trace information to this grpc port. You can find more details from [here](https://github.com/open-telemetry/opentelemetry-collector).
-
-Below is the configuration:
-
-```yaml
-receivers:
- otlp:
- protocols:
- grpc:
- http:
-processors:
- batch:
-exporters:
- logging:
- loglevel: debug
-service:
- pipelines:
- logs:
- receivers: [otlp]
- processors: [batch]
- exporters: [logging]
-```
-
-In this example, `Jaeger` is the exporter for gathering the traces. Assuming you have already deployed Jaeger as your tracing system with [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation, you are good to go to the next steps. If you already have your own `Jaeger` deployed, you may need to modify the otel collector config. The configmap name is `opentelemetry-collector-conf` in the namespace you deployed the otel collector, and the related config is defined as:
-
-```yaml
-exporters:
- jaeger:
- endpoint: jaeger-collector.istio-system.svc.cluster.local:14250
- tls:
- insecure: true
- sending_queue:
- enabled: true
- retry_on_failure:
- enabled: true
-service:
- pipelines:
- traces:
- exporters:
- - jaeger
-```
-
-You need to modify the jaeger exporter endpoint with the one you deployed, in this case it's `jaeger-collector.istio-system.svc.cluster.local:14250`.
-
-If you have not deployed the `Jaeger` service, you can follow [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation to install the service.
-
-You may also choose any existing tracing system if you have, and you should change the exporter settings in the configmap mentioned above.
-
-You may also choose to use your own otel collector if you have, and the key part is to have the `otlp` grpc protocol receiver to receive the traces. One important thing is to make sure your otel collector service's grpc port starts with `grpc-` prefix, which is like:
-
-```ya
-spec:
- ports:
- - name: grpc-otlp
- port: 4317
- protocol: TCP
- targetPort: 4317
-```
-
-Otherwise the traces may not be reported.
-
-## Update mesh config
-
-Install or update Istio with the `demo` profile to make sure you have the OpenTelemetry tracing provider enabled:
-
-```bash
-istioctl install --set profile=demo -y
-```
-
-Or ensure you have the following additional mesh config set in your Istio:
-
-```yaml
-mesh: |-
- extensionProviders:
- - name: otel-tracing
- opentelemetry:
- port: 4317
- service: opentelemetry-collector.otel-collector.svc.cluster.local
-```
-
-Make sure the service name matches the one you deployed if you select a different namespace.
-
-## Apply the Telemetry resource to report traces
-
-Next, add a Telemetry resource that tells Istio to send trace records to the OpenTelemetry collector.
-
-```yaml
-kubectl -n otel-collector apply -f ./telemetry.yaml
-```
-
-The core config is:
-
-```yaml
-tracing:
-- providers:
- - name: otel-tracing
- randomSamplingPercentage: 0
-```
-
-As you see, the `randomSamplingPercentage` is 0, which means the tracing is still not enabled because of `0` sampling percentage. The tracing can be opt-on by increasing the `randomSamplingPercentage` value to `1-100`. The `Telemetry` resource can also be manipulated in workload/namespace/global levels, you can check [here](https://istio.io/latest/docs/reference/config/telemetry/) for more config examples.
-
-## Check tracing results
-
-If you have followed [this](https://istio.io/latest/docs/setup/getting-started/) getting started steps, you have the sample bookinfo applications installed. Try to make some requests to the productpage to generate some traces.
-
-Then open up the `Jaeger` dashboard with:
-
-```bash
-istioctl dashboard jaeger
-```
-
-You will see the requests' trace records.
-
-## Cleanup
-
-```bash
-kubectl -n otel-collector delete -f ./telemetry.yaml
-kubectl -n otel-collector delete -f ../otel.yaml
-```
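Review bot: The header for gen-helloworld.sh declares 131 removed lines (`@@ -1,131 +0,0 @@`), but the removed lines that follow run well past that and change subject without any new file header. At `SERVICE_YAML=$(cat </dev/null || true)` the body becomes a kind and MetalLB cluster setup script, at `cat <&2` a second option parser that requires `--single-cluster` or `--network`, and at `IOP=$(cat < apply -f ../otel.yaml` an OpenTelemetry tracing README. Every join falls where a here-document starts, so the here-document bodies and the `diff --git` headers of the files in between look to have been dropped. A hunk whose body does not match its declared line count is rejected by `git apply`, and the removal of those other files is not recorded as such; regenerate the patch directly from the repository.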
diff --git a/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml b/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml
deleted file mode 100644
index fd831a2b..00000000
--- a/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: telemetry.istio.io/v1alpha1
-kind: Telemetry
-metadata:
- name: otel-demo
-spec:
- tracing:
- - providers:
- - name: otel-tracing
- randomSamplingPercentage: 0
diff --git a/istio-1.18.2/samples/operator/cni-on.yaml b/istio-1.18.2/samples/operator/cni-on.yaml
deleted file mode 100644
index ae850b4d..00000000
--- a/istio-1.18.2/samples/operator/cni-on.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- cni:
- enabled: true
diff --git a/istio-1.18.2/samples/operator/default-install.yaml b/istio-1.18.2/samples/operator/default-install.yaml
deleted file mode 100644
index 65a4d9b6..00000000
--- a/istio-1.18.2/samples/operator/default-install.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
- name: istio-operator
-spec:
- profile: default
-
diff --git a/istio-1.18.2/samples/operator/pilot-advanced-override.yaml b/istio-1.18.2/samples/operator/pilot-advanced-override.yaml
deleted file mode 100644
index 4b57fd84..00000000
--- a/istio-1.18.2/samples/operator/pilot-advanced-override.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- pilot:
- k8s:
- overlays:
- - kind: Deployment
- name: istiod
- patches:
- - path: spec.template.spec.containers.[name:discovery].args.[30m]
- value: "60m" # OVERRIDDEN
- - path: spec.template.spec.containers.[name:discovery].ports.[containerPort:8080].containerPort
- value: 8090 # OVERRIDDEN
- - kind: Service
- name: istiod
- patches:
- - path: spec.ports.[name:grpc-xds].port
- value: 15099 # OVERRIDDEN
diff --git a/istio-1.18.2/samples/operator/pilot-k8s.yaml b/istio-1.18.2/samples/operator/pilot-k8s.yaml
deleted file mode 100644
index 081f55ed..00000000
--- a/istio-1.18.2/samples/operator/pilot-k8s.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- pilot:
- k8s:
- resources:
- requests:
- cpu: 1000m # override from default 500m
- memory: 4096Mi # ... default 2048Mi
- hpaSpec:
- maxReplicas: 10 # ... default 5
- minReplicas: 2 # ... default 1
diff --git a/istio-1.18.2/samples/operator/values-global.yaml b/istio-1.18.2/samples/operator/values-global.yaml
deleted file mode 100644
index 8726f27e..00000000
--- a/istio-1.18.2/samples/operator/values-global.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- values:
- global:
- logging:
- level: "default:warning" # override from info
diff --git a/istio-1.18.2/samples/operator/values-pilot.yaml b/istio-1.18.2/samples/operator/values-pilot.yaml
deleted file mode 100644
index bca6c2ee..00000000
--- a/istio-1.18.2/samples/operator/values-pilot.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- values:
- pilot:
- traceSampling: 0.1 # override from 1.0
diff --git a/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml b/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml
deleted file mode 100644
index cfda9c76..00000000
--- a/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml
+++ /dev/null
@@ -1,151 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Redis service and deployment
-# Ratelimit service and deployment
-
-# Note: a configmap is needed to make the rate limit deployment work properly, for example:
-#
-# apiVersion: v1
-# kind: ConfigMap
-# metadata:
-# name: ratelimit-config
-# data:
-# config.yaml: |
-# domain: echo-ratelimit
-# descriptors:
-# - key: PATH
-# value: "/"
-# rate_limit:
-# unit: minute
-# requests_per_unit: 1
-# - key: PATH
-# rate_limit:
-# unit: minute
-# requests_per_unit: 100
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: redis
- labels:
- app: redis
-spec:
- ports:
- - name: redis
- port: 6379
- selector:
- app: redis
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: redis
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: redis
- template:
- metadata:
- labels:
- app: redis
- spec:
- containers:
- - image: redis:alpine
- imagePullPolicy: Always
- name: redis
- ports:
- - name: redis
- containerPort: 6379
- restartPolicy: Always
- serviceAccountName: ""
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ratelimit
- labels:
- app: ratelimit
-spec:
- ports:
- - name: http-port
- port: 8080
- targetPort: 8080
- protocol: TCP
- - name: grpc-port
- port: 8081
- targetPort: 8081
- protocol: TCP
- - name: http-debug
- port: 6070
- targetPort: 6070
- protocol: TCP
- selector:
- app: ratelimit
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratelimit
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratelimit
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- app: ratelimit
- spec:
- containers:
- - image: envoyproxy/ratelimit:9d8d70a8 # 2022/08/16
- imagePullPolicy: Always
- name: ratelimit
- command: ["/bin/ratelimit"]
- env:
- - name: LOG_LEVEL
- value: debug
- - name: REDIS_SOCKET_TYPE
- value: tcp
- - name: REDIS_URL
- value: redis:6379
- - name: USE_STATSD
- value: "false"
- - name: RUNTIME_ROOT
- value: /data
- - name: RUNTIME_SUBDIRECTORY
- value: ratelimit
- - name: RUNTIME_WATCH_ROOT
- value: "false"
- - name: RUNTIME_IGNOREDOTFILES
- value: "true"
- - name: HOST
- value: "::"
- - name: GRPC_HOST
- value: "::"
- ports:
- - containerPort: 8080
- - containerPort: 8081
- - containerPort: 6070
- volumeMounts:
- - name: config-volume
- mountPath: /data/ratelimit/config
- volumes:
- - name: config-volume
- configMap:
- name: ratelimit-config
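Review bot: In the `redis` Deployment, `image: redis:alpine` with `imagePullPolicy: Always` is a floating tag, while the `ratelimit` container beside it is pinned to `envoyproxy/ratelimit:9d8d70a8`. If this manifest is being relocated rather than dropped, pin the Redis image to a fixed version or digest so a pod restart cannot pull different content. The `ratelimit-config` ConfigMap that the Deployment mounts at `/data/ratelimit/config` exists only as a comment in this file's header, so copy that example out before the file goes if anything still depends on it.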
diff --git a/istio-1.18.2/samples/security/psp/sidecar-psp.yaml b/istio-1.18.2/samples/security/psp/sidecar-psp.yaml
deleted file mode 100644
index f9612d6b..00000000
--- a/istio-1.18.2/samples/security/psp/sidecar-psp.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: istio-sidecar
-spec:
- # Allow the istio sidecar injector to work
- allowedCapabilities:
- - NET_ADMIN
- - NET_RAW
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- fsGroup:
- rule: RunAsAny
- volumes:
- - '*'
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: istio-sidecar-psp
-rules:
- - apiGroups:
- - extensions
- resources:
- - podsecuritypolicies
- resourceNames:
- - istio-sidecar
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-sidecar-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-sidecar-psp
-subjects:
- - apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: system:serviceaccounts
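Review bot: Deleting this manifest from the tree does not undo it on a cluster where it was applied. The `istio-sidecar-psp` ClusterRoleBinding grants `use` of the policy to the group `system:serviceaccounts`, so every service account may run pods with `NET_ADMIN`, `NET_RAW`, `RunAsAny` for user and groups, and `volumes: '*'`. State in the commit message whether these objects were ever applied, and if they were, delete the ClusterRoleBinding, ClusterRole and PodSecurityPolicy from the cluster as part of this change. PodSecurityPolicy (`policy/v1beta1`) was removed in Kubernetes 1.25, so the file itself has no use on current clusters.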
diff --git a/istio-1.18.2/samples/security/spire/README.md b/istio-1.18.2/samples/security/spire/README.md
deleted file mode 100644
index b3e1978f..00000000
--- a/istio-1.18.2/samples/security/spire/README.md
+++ /dev/null
@@ -1,90 +0,0 @@
-# Integrating SPIRE as a CA through Envoy's SDS API
-
-This sample deploys a setup of [SPIRE](https://github.com/spiffe/spire) (the SPIFFE Runtime Environment) as an example of integrating with [Envoy's SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) API. For more information
-on the SPIFFE specs, refer to the [SPIFFE Overview](https://spiffe.io/docs/latest/spiffe-about/overview/).
-
-Once SPIRE is deployed and integrated with Istio, this sample deploys a modified version of the [sleep](/samples/sleep/README.md) service and validates that its [identity](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-verifiable-identity-document-svid) was issued by SPIRE. Workload registration is handled by the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager).
-
-See [Istio CA Integration with SPIRE](https://istio.io/latest/docs/ops/integrations/spire) for further details about this integration.
-
-## Deploy the integration
-
-1. Deploy SPIRE. For proper socket injection, this **must** be done prior to installing Istio in your cluster:
-
- ```bash
- $ kubectl apply -f spire-quickstart.yaml
- ```
-
-1. Ensure that the deployment is completed before moving to the next step. This can be verified by waiting on the `spire-agent` pod to become ready:
-
- ```bash
- $ kubectl wait pod --for=condition=ready -n spire -l app=spire-agent
- ```
-
-1. Use the configuration profile provided to install Istio (requires istioctl v1.14+):
-
- ```bash
- $ istioctl install -f istio-spire-config.yaml
- ```
-
-1. Create a ClusterSPIFFEID to create a registration entry for all workloads with the `spiffe.io/spire-managed-identity: true` label:
-
- ```bash
- $ kubectl apply -f clusterspiffeid.yaml
- ```
-
-1. Add the `spiffe.io/spire-managed-identity: true` label to the Ingress-gateway Deployment:
-
- ```bash
- $ kubectl patch deployment istio-ingressgateway -n istio-system -p '{"spec":{"template":{"metadata":{"labels":{"spiffe.io/spire-managed-identity": "true"}}}}}'
- ```
-
-1. Deploy the `sleep-spire.yaml` version of the [sleep](/samples/sleep/README.md) service, which injects the custom istio-agent template defined in `istio-spire-config.yaml` and has the `spiffe.io/spire-managed-identity: true` label.
-
- If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled:
-
- ```bash
- $ kubectl apply -f sleep-spire.yaml
- ```
-
- Otherwise, manually inject the sidecar before applying:
-
- ```bash
- $ kubectl apply -f <(istioctl kube-inject -f sleep-spire.yaml)
- ```
-
-1. Retrieve sleep's SVID identity document using the `istioctl proxy-config secret` command:
-
- ```bash
- $ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}")
- $ istioctl pc secret $SLEEP_POD -o json | jq -r \
- '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem
- ```
-
-1. Inspect the certificate content and verify that SPIRE was the issuer:
-
- ```bash
- $ openssl x509 -in chain.pem -text | grep SPIRE
- Subject: C = US, O = SPIRE, CN = sleep-5d6df95bbf-kt2tt
- ```
-
-## Tear down
-
-1. Delete all deployments and configurations for the SPIRE Agent, Server, and namespace:
-
- ```bash
- $ kubectl delete namespace spire
- ```
-
-1. Delete the ClusterRole, ClusterRoleBinding, Role, RoleBindings, ValidatingWebhookConfiguration, CSIDriver, and CustomResourceDefinition:
-
- ```bash
- $ kubectl delete clusterrole spire-server-cluster-role spire-agent-cluster-role manager-role
- $ kubectl delete clusterrolebinding spire-server-cluster-role-binding spire-agent-cluster-role-binding manager-role-binding
- $ kubectl delete role spire-server-role leader-election-role
- $ kubectl delete rolebinding spire-server-role-binding leader-election-role-binding
- $ kubectl delete ValidatingWebhookConfiguration spire-controller-manager-webhook
- $ kubectl delete csidriver csi.spiffe.io
- $ kubectl delete CustomResourceDefinition clusterspiffeids.spire.spiffe.io
- $ kubectl delete CustomResourceDefinition clusterfederatedtrustdomains.spire.spiffe.io
- ```
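Review bot: The Tear down section removed here is the only cleanup list in the visible patch for the cluster-scoped objects the SPIRE sample leaves behind. `kubectl delete namespace spire` does not remove the ClusterRoles, ClusterRoleBindings, `spire-controller-manager-webhook`, the `csi.spiffe.io` CSIDriver or the two `spire.spiffe.io` CRDs, which is why the README deletes them one by one. If the sample was ever applied to a cluster this repository manages, run those deletions before merging or keep the list in the commit message, since a leftover ValidatingWebhookConfiguration whose backing service is gone can reject or stall requests for the resources it covers.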
diff --git a/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml b/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml
deleted file mode 100644
index bf67989e..00000000
--- a/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: spire.spiffe.io/v1alpha1
-kind: ClusterSPIFFEID
-metadata:
- name: example
-spec:
- spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
- podSelector:
- matchLabels:
- spiffe.io/spire-managed-identity: "true"
diff --git a/istio-1.18.2/samples/security/spire/istio-spire-config.yaml b/istio-1.18.2/samples/security/spire/istio-spire-config.yaml
deleted file mode 100644
index 812c65ec..00000000
--- a/istio-1.18.2/samples/security/spire/istio-spire-config.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
-spec:
- profile: default
- meshConfig:
- trustDomain: example.org
- values:
- global:
- # This is used to customize the sidecar template
- sidecarInjectorWebhook:
- templates:
- spire: |
- spec:
- containers:
- - name: istio-proxy
- volumeMounts:
- - name: workload-socket
- mountPath: /run/secrets/workload-spiffe-uds
- readOnly: true
- volumes:
- - name: workload-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
- components:
- ingressGateways:
- - name: istio-ingressgateway
- enabled: true
- label:
- istio: ingressgateway
- k8s:
- overlays:
- - apiVersion: apps/v1
- kind: Deployment
- name: istio-ingressgateway
- patches:
- - path: spec.template.spec.volumes.[name:workload-socket]
- value:
- name: workload-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
- - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket]
- value:
- name: workload-socket
- mountPath: "/run/secrets/workload-spiffe-uds"
- readOnly: true
- - path: spec.template.spec.initContainers
- value:
- - name: wait-for-spire-socket
- image: busybox:1.28
- volumeMounts:
- - name: workload-socket
- mountPath: /run/secrets/workload-spiffe-uds
- readOnly: true
- env:
- - name: CHECK_FILE
- value: /run/secrets/workload-spiffe-uds/socket
- command:
- - sh
- - "-c"
- - |-
- echo `date -Iseconds` Waiting for: ${CHECK_FILE}
- while [[ ! -e ${CHECK_FILE} ]] ; do
- echo `date -Iseconds` File does not exist: ${CHECK_FILE}
- sleep 15
- done
- ls -l ${CHECK_FILE}
diff --git a/istio-1.18.2/samples/security/spire/sleep-spire.yaml b/istio-1.18.2/samples/security/spire/sleep-spire.yaml
deleted file mode 100644
index d1e1673f..00000000
--- a/istio-1.18.2/samples/security/spire/sleep-spire.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Sleep service
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: sleep
----
-apiVersion: v1
-kind: Service
-metadata:
- name: sleep
- labels:
- app: sleep
- service: sleep
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: sleep
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: sleep
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: sleep
- template:
- metadata:
- labels:
- app: sleep
- spiffe.io/spire-managed-identity: "true"
- # Injects custom sidecar template
- annotations:
- inject.istio.io/templates: "sidecar,spire"
- spec:
- terminationGracePeriodSeconds: 0
- serviceAccountName: sleep
- containers:
- - name: sleep
- image: curlimages/curl
- command: ["/bin/sleep", "infinity"]
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- securityContext:
- runAsUser: 1000
- volumes:
- - name: tmp
- emptyDir: {}
----
\ No newline at end of file
diff --git a/istio-1.18.2/samples/security/spire/spire-quickstart.yaml b/istio-1.18.2/samples/security/spire/spire-quickstart.yaml
deleted file mode 100644
index cff84d0d..00000000
--- a/istio-1.18.2/samples/security/spire/spire-quickstart.yaml
+++ /dev/null
@@ -1,985 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: spire
-
----
-apiVersion: storage.k8s.io/v1
-kind: CSIDriver
-metadata:
- name: "csi.spiffe.io"
-spec:
- # Only ephemeral, inline volumes are supported. There is no need for a
- # controller to provision and attach volumes.
- attachRequired: false
-
- # Request the pod information which the CSI driver uses to verify that an
- # ephemeral mount was requested.
- podInfoOnMount: true
-
- # Don't change ownership on the contents of the mount since the Workload API
- # Unix Domain Socket is typically open to all (i.e. 0777).
- fsGroupPolicy: None
-
- # Declare support for ephemeral volumes only.
- volumeLifecycleModes:
- - Ephemeral
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: spire-server
- namespace: spire
-
----
-# ConfigMap for spire-agent bootstrapping.
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: spire-bundle
- namespace: spire
-
----
-# ClusterRole to allow spire-server to query k8s API server.
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-server-cluster-role
-rules:
- # allow TokenReview requests (to verify service account tokens for PSAT
- # attestation)
-- apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["get", "create"]
-- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get"]
-
----
-# Binds above cluster role to spire-server service account.
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-server-cluster-role-binding
-subjects:
-- kind: ServiceAccount
- name: spire-server
- namespace: spire
-roleRef:
- kind: ClusterRole
- name: spire-server-cluster-role
- apiGroup: rbac.authorization.k8s.io
-
----
-# Role for the SPIRE server.
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- namespace: spire
- name: spire-server-role
-rules:
- # allow "get" access to pods (to resolve selectors for PSAT attestation)
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get"]
- # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE
- # agent bootstrapping, see the spire-bundle ConfigMap)
-- apiGroups: [""]
- resources: ["configmaps"]
- resourceNames: ["spire-bundle"]
- verbs: ["get", "patch"]
-
----
-# RoleBinding granting the spire-server-role to the SPIRE server
-# service account.
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-server-role-binding
- namespace: spire
-subjects:
-- kind: ServiceAccount
- name: spire-server
- namespace: spire
-roleRef:
- kind: Role
- name: spire-server-role
- apiGroup: rbac.authorization.k8s.io
-
----
-# ClusterRules for the SPIRE Controller Manager.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: manager-role
-rules:
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "list", "patch", "watch"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterfederatedtrustdomains"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterfederatedtrustdomains/finalizers"]
- verbs: ["update"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterfederatedtrustdomains/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterspiffeids"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterspiffeids/finalizers"]
- verbs: ["update"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterspiffeids/status"]
- verbs: ["get", "patch", "update"]
-
----
-# Binds manager-role cluster role to spire-server service account.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: manager-role-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: manager-role
-subjects:
-- kind: ServiceAccount
- name: spire-server
- namespace: spire
-
----
-# Permissions for the SPIRE server to do leader election.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: leader-election-role
- namespace: spire
-rules:
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
-
----
-# Binds leader-election-role to spire-server service account.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: leader-election-role-binding
- namespace: spire
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: leader-election-role
-subjects:
-- kind: ServiceAccount
- name: spire-server
- namespace: spire
-
----
-# ConfigMap containing the SPIRE server configuration.
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: spire-server
- namespace: spire
-data:
- server.conf: |
- server {
- bind_address = "0.0.0.0"
- bind_port = "8081"
- trust_domain = "example.org"
- data_dir = "/run/spire/server/data"
- log_level = "DEBUG"
- federation {
- bundle_endpoint {
- address = "0.0.0.0"
- port = 8443
- }
- }
- }
-
- plugins {
- DataStore "sql" {
- plugin_data {
- database_type = "sqlite3"
- connection_string = "/run/spire/server/data/datastore.sqlite3"
- }
- }
-
- NodeAttestor "k8s_psat" {
- plugin_data {
- clusters = {
- # NOTE: Change this to your cluster name
- "demo-cluster" = {
- service_account_allow_list = ["spire:spire-agent"]
- }
- }
- }
- }
-
- KeyManager "disk" {
- plugin_data {
- keys_path = "/run/spire/server/data/keys.json"
- }
- }
-
- Notifier "k8sbundle" {
- plugin_data {
- namespace = "spire"
- }
- }
- }
-
- health_checks {
- listener_enabled = true
- bind_address = "0.0.0.0"
- bind_port = "8080"
- live_path = "/live"
- ready_path = "/ready"
- }
-
----
-# Configuration for the SPIRE Controller Manager.
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: spire-controller-manager-config
- namespace: spire
-data:
- spire-controller-manager-config.yaml: |
- apiVersion: spire.spiffe.io/v1alpha1
- kind: ControllerManagerConfig
- metrics:
- bindAddress: 127.0.0.1:8082
- healthProbe:
- bindAddress: 127.0.0.1:8083
- leaderElection:
- leaderElect: true
- resourceName: 98c9c988.spiffe.io
- resourceNamespace: spire
- clusterName: demo-cluster
- trustDomain: example.org
- ignoreNamespaces:
- - kube-system
- - kube-public
- - spire
- - local-path-storage
-
----
-# SPIRE Server Deployment.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: spire-server
- namespace: spire
- labels:
- app: spire-server
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: spire-server
- template:
- metadata:
- namespace: spire
- labels:
- app: spire-server
- spec:
- serviceAccountName: spire-server
- shareProcessNamespace: true
- containers:
- - name: spire-server
- image: ghcr.io/spiffe/spire-server:1.5.4
- imagePullPolicy: IfNotPresent
- args:
- - -config
- - /run/spire/server/config/server.conf
- livenessProbe:
- httpGet:
- path: /live
- port: 8080
- failureThreshold: 2
- initialDelaySeconds: 15
- periodSeconds: 60
- timeoutSeconds: 3
- readinessProbe:
- httpGet:
- path: /ready
- port: 8080
- initialDelaySeconds: 5
- periodSeconds: 5
- ports:
- - containerPort: 8081
- volumeMounts:
- - name: spire-config
- mountPath: /run/spire/server/config
- readOnly: true
- - name: spire-server-socket
- mountPath: /tmp/spire-server/private
- readOnly: false
- - name: spire-controller-manager
- image: ghcr.io/spiffe/spire-controller-manager:0.2.3
- imagePullPolicy: IfNotPresent
- args:
- - "--config=spire-controller-manager-config.yaml"
- ports:
- - containerPort: 9443
- volumeMounts:
- - name: spire-server-socket
- mountPath: /spire-server
- readOnly: true
- - name: spire-controller-manager-config
- mountPath: /spire-controller-manager-config.yaml
- subPath: spire-controller-manager-config.yaml
- volumes:
- - name: spire-config
- configMap:
- name: spire-server
- - name: spire-server-socket
- emptyDir: {}
- - name: spire-controller-manager-config
- configMap:
- name: spire-controller-manager-config
-
----
-# Service definition for SPIRE server defining the gRPC port.
-apiVersion: v1
-kind: Service
-metadata:
- name: spire-server
- namespace: spire
-spec:
- type: NodePort
- ports:
- - name: grpc
- port: 8081
- targetPort: 8081
- protocol: TCP
- selector:
- app: spire-server
-
----
-# Service definition for SPIRE server bundle endpoint.
-apiVersion: v1
-kind: Service
-metadata:
- name: spire-server-bundle-endpoint
- namespace: spire
-spec:
- type: NodePort
- ports:
- - name: tcp-api
- port: 8443
- protocol: TCP
- selector:
- app: spire-server
-
----
-# Service definition for SPIRE controller manager webhook.
-apiVersion: v1
-kind: Service
-metadata:
- name: spire-controller-manager-webhook-service
- namespace: spire
-spec:
- ports:
- - name: tcp
- port: 443
- protocol: TCP
- targetPort: 9443
- selector:
- app: spire-server
-
----
-# ClusterFederatedTrustDomains CRD.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.8.0
- creationTimestamp: null
- name: clusterfederatedtrustdomains.spire.spiffe.io
-spec:
- group: spire.spiffe.io
- names:
- kind: ClusterFederatedTrustDomain
- listKind: ClusterFederatedTrustDomainList
- plural: clusterfederatedtrustdomains
- singular: clusterfederatedtrustdomain
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - jsonPath: .spec.trustDomain
- name: Trust Domain
- type: string
- - jsonPath: .spec.bundleEndpointURL
- name: Endpoint URL
- type: string
- name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains
- API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: ClusterFederatedTrustDomainSpec defines the desired state
- of ClusterFederatedTrustDomain
- properties:
- bundleEndpointProfile:
- description: BundleEndpointProfile is the profile for the bundle endpoint.
- properties:
- endpointSPIFFEID:
- description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
- It is required for the "https_spiffe" profile.
- type: string
- type:
- description: Type is the type of the bundle endpoint profile.
- enum:
- - https_spiffe
- - https_web
- type: string
- required:
- - type
- type: object
- bundleEndpointURL:
- description: BundleEndpointURL is the URL of the bundle endpoint.
- It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
- type: string
- trustDomain:
- description: TrustDomain is the name of the trust domain to federate
- with (e.g. example.org)
- pattern: '[a-z0-9._-]{1,255}'
- type: string
- trustDomainBundle:
- description: TrustDomainBundle is the contents of the bundle for the
- referenced trust domain. This field is optional when the resource
- is created.
- type: string
- required:
- - bundleEndpointProfile
- - bundleEndpointURL
- - trustDomain
- type: object
- status:
- description: ClusterFederatedTrustDomainStatus defines the observed state
- of ClusterFederatedTrustDomain
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
-
----
-# ClusterSPIFFEID CRD.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.8.0
- creationTimestamp: null
- name: clusterspiffeids.spire.spiffe.io
-spec:
- group: spire.spiffe.io
- names:
- kind: ClusterSPIFFEID
- listKind: ClusterSPIFFEIDList
- plural: clusterspiffeids
- singular: clusterspiffeid
- scope: Cluster
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
- properties:
- admin:
- description: Admin indicates whether or not the SVID can be used to
- access the SPIRE administrative APIs. Extra care should be taken
- to only apply this SPIFFE ID to admin workloads.
- type: boolean
- dnsNameTemplates:
- description: DNSNameTemplate represents templates for extra DNS names
- that are applicable to SVIDs minted for this ClusterSPIFFEID. The
- node and pod spec are made available to the template under .NodeSpec,
- .PodSpec respectively.
- items:
- type: string
- type: array
- downstream:
- description: Downstream indicates that the entry describes a downstream SPIRE server.
- type: boolean
- federatesWith:
- description: FederatesWith is a list of trust domain names that workloads
- that obtain this SPIFFE ID will federate with.
- items:
- type: string
- type: array
- namespaceSelector:
- description: NamespaceSelector selects the namespaces that are targeted
- by this CRD.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: A label selector requirement is a selector that
- contains values, a key, and an operator that relates the key
- and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: operator represents a key's relationship to
- a set of values. Valid operators are In, NotIn, Exists
- and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the
- operator is In or NotIn, the values array must be non-empty.
- If the operator is Exists or DoesNotExist, the values
- array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value} pairs. A single
- {key,value} in the matchLabels map is equivalent to an element
- of matchExpressions, whose key field is "key", the operator
- is "In", and the values array contains only "value". The requirements
- are ANDed.
- type: object
- type: object
- podSelector:
- description: PodSelector selects the pods that are targeted by this
- CRD.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: A label selector requirement is a selector that
- contains values, a key, and an operator that relates the key
- and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: operator represents a key's relationship to
- a set of values. Valid operators are In, NotIn, Exists
- and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the
- operator is In or NotIn, the values array must be non-empty.
- If the operator is Exists or DoesNotExist, the values
- array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value} pairs. A single
- {key,value} in the matchLabels map is equivalent to an element
- of matchExpressions, whose key field is "key", the operator
- is "In", and the values array contains only "value". The requirements
- are ANDed.
- type: object
- type: object
- spiffeIDTemplate:
- description: SPIFFEID is the SPIFFE ID template. The node and pod
- spec are made available to the template under .NodeSpec, .PodSpec
- respectively.
- type: string
- ttl:
- description: TTL indicates an upper-bound time-to-live for SVIDs minted
- for this ClusterSPIFFEID. If unset, a default will be chosen.
- type: string
- workloadSelectorTemplates:
- description: WorkloadSelectorTemplates are templates to produce arbitrary
- workload selectors that apply to a given workload before it will
- receive this SPIFFE ID. The rendered value is interpreted by SPIRE
- and are of the form type:value, where the value may, and often does,
- contain semicolons, .e.g., k8s:container-image:docker/hello-world
- The node and pod spec are made available to the template under .NodeSpec,
- .PodSpec respectively.
- items:
- type: string
- type: array
- required:
- - spiffeIDTemplate
- type: object
- status:
- description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID
- properties:
- stats:
- description: Stats produced by the last entry reconciliation run
- properties:
- entriesMasked:
- description: How many entries were masked by entries for other
- ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
- produce an entry for the same pod with the same set of workload
- selectors.
- type: integer
- entriesToSet:
- description: How many entries are to be set for this ClusterSPIFFEID.
- In nominal conditions, this should reflect the number of pods
- selected, but not always if there were problems encountered
- rendering an entry for the pod (RenderFailures) or entries are
- masked (EntriesMasked).
- type: integer
- entryFailures:
- description: How many entries were unable to be set due to failures
- to create or update the entries via the SPIRE Server API.
- type: integer
- namespacesIgnored:
- description: How many (selected) namespaces were ignored (based
- on configuration).
- type: integer
- namespacesSelected:
- description: How many namespaces were selected.
- type: integer
- podEntryRenderFailures:
- description: How many failures were encountered rendering an entry
- selected pods. This could be due to either a bad template in
- the ClusterSPIFFEID or Pod metadata that when applied to the
- template did not produce valid entry values.
- type: integer
- podsSelected:
- description: How many pods were selected out of the namespaces.
- type: integer
- type: object
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
-
----
-# ValidatingWebhookConfiguration for validating ClusterSPIFFEID and
-# ClusterFederatedTrustDomain custom resources.
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: spire-controller-manager-webhook
-webhooks:
- - admissionReviewVersions: ["v1"]
- clientConfig:
- service:
- name: spire-controller-manager-webhook-service
- namespace: spire
- path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain
- failurePolicy: Fail
- name: vclusterfederatedtrustdomain.kb.io
- rules:
- - apiGroups: ["spire.spiffe.io"]
- apiVersions: ["v1alpha1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["clusterfederatedtrustdomains"]
- sideEffects: None
- - admissionReviewVersions: ["v1"]
- clientConfig:
- service:
- name: spire-controller-manager-webhook-service
- namespace: spire
- path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid
- failurePolicy: Fail
- name: vclusterspiffeid.kb.io
- rules:
- - apiGroups: ["spire.spiffe.io"]
- apiVersions: ["v1alpha1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["clusterspiffeids"]
- sideEffects: None
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: spire-agent
- namespace: spire
-
----
-# Required cluster role to allow spire-agent to query k8s API server.
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-agent-cluster-role
-rules:
-- apiGroups: [""]
- resources: ["pods","nodes","nodes/proxy"]
- verbs: ["get"]
-
----
-# Binds above cluster role to spire-agent service account.
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-agent-cluster-role-binding
-subjects:
-- kind: ServiceAccount
- name: spire-agent
- namespace: spire
-roleRef:
- kind: ClusterRole
- name: spire-agent-cluster-role
- apiGroup: rbac.authorization.k8s.io
-
----
-# ConfigMap for the SPIRE agent featuring:
-# 1) PSAT node attestation
-# 2) K8S Workload Attestation over the secure kubelet port
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: spire-agent
- namespace: spire
-data:
- agent.conf: |
- agent {
- data_dir = "/run/spire"
- log_level = "DEBUG"
- server_address = "spire-server"
- server_port = "8081"
- socket_path = "/run/secrets/workload-spiffe-uds/socket"
- trust_bundle_path = "/run/spire/bundle/bundle.crt"
- trust_domain = "example.org"
- }
-
- plugins {
- NodeAttestor "k8s_psat" {
- plugin_data {
- # NOTE: Change this to your cluster name
- cluster = "demo-cluster"
- }
- }
-
- KeyManager "memory" {
- plugin_data {
- }
- }
-
- WorkloadAttestor "k8s" {
- plugin_data {
- # Defaults to the secure kubelet port by default.
- # Minikube does not have a cert in the cluster CA bundle that
- # can authenticate the kubelet cert, so skip validation.
- skip_kubelet_verification = true
-
- # We need to set disable_container_selectors = true if we make holdApplicationUntilProxyStarts = true in istio
- # see https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig
- # If true, container selectors are not produced.
- # This can be used to produce pod selectors when the workload pod is known
- # but the workload container is not ready at the time of attestation.
- # disable_container_selectors = true
- }
- }
-
- WorkloadAttestor "unix" {
- plugin_data {
- }
- }
-
- }
-
----
-# SPIRE Agent DaemonSet.
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: spire-agent
- namespace: spire
- labels:
- app: spire-agent
-spec:
- selector:
- matchLabels:
- app: spire-agent
- template:
- metadata:
- namespace: spire
- labels:
- app: spire-agent
- spec:
- hostPID: true
- hostNetwork: true
- dnsPolicy: ClusterFirstWithHostNet
- serviceAccountName: spire-agent
- containers:
- - name: spire-agent
- image: ghcr.io/spiffe/spire-agent:1.2.3
- imagePullPolicy: IfNotPresent
- args: ["-config", "/run/spire/config/agent.conf"]
- volumeMounts:
- - name: spire-config
- mountPath: /run/spire/config
- readOnly: true
- - name: spire-bundle
- mountPath: /run/spire/bundle
- readOnly: true
- - name: spire-agent-socket-dir
- mountPath: /run/secrets/workload-spiffe-uds
- - name: spire-token
- mountPath: /var/run/secrets/tokens
- # This is the container which runs the SPIFFE CSI driver.
- - name: spiffe-csi-driver
- image: ghcr.io/spiffe/spiffe-csi-driver:0.2.0
- imagePullPolicy: IfNotPresent
- args: [
- "-workload-api-socket-dir", "/spire-agent-socket",
- "-csi-socket-path", "/spiffe-csi/csi.sock",
- ]
- env:
- # The CSI driver needs a unique node ID. The node name can be
- # used for this purpose.
- - name: MY_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- volumeMounts:
- # The volume containing the SPIRE agent socket. The SPIFFE CSI
- # driver will mount this directory into containers.
- - mountPath: /spire-agent-socket
- name: spire-agent-socket-dir
- readOnly: true
- # The volume that will contain the CSI driver socket shared
- # with the kubelet and the driver registrar.
- - mountPath: /spiffe-csi
- name: spiffe-csi-socket-dir
- # The volume containing mount points for containers.
- - mountPath: /var/lib/kubelet/pods
- mountPropagation: Bidirectional
- name: mountpoint-dir
- securityContext:
- privileged: true
- # This container runs the CSI Node Driver Registrar which takes care
- # of all the little details required to register a CSI driver with
- # the kubelet.
- - name: node-driver-registrar
- image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.4.0
- imagePullPolicy: IfNotPresent
- args: [
- "-csi-address", "/spiffe-csi/csi.sock",
- "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock",
- ]
- volumeMounts:
- # The registrar needs access to the SPIFFE CSI driver socket
- - mountPath: /spiffe-csi
- name: spiffe-csi-socket-dir
- # The registrar needs access to the Kubelet plugin registration
- # directory
- - name: kubelet-plugin-registration-dir
- mountPath: /registration
- volumes:
- - name: spire-config
- configMap:
- name: spire-agent
- - name: spire-bundle
- configMap:
- name: spire-bundle
- - name: spire-token
- projected:
- sources:
- - serviceAccountToken:
- path: spire-agent
- expirationSeconds: 7200
- audience: spire-server
- # This volume is used to share the workload api socket between the
- # CSI driver and SPIRE agent
- - name: spire-agent-socket-dir
- emptyDir: {}
- # This volume is where the socket for kubelet->driver communication lives
- - name: spiffe-csi-socket-dir
- hostPath:
- path: /var/lib/kubelet/plugins/csi.spiffe.io
- type: DirectoryOrCreate
- # This volume is where the SPIFFE CSI driver mounts volumes
- - name: mountpoint-dir
- hostPath:
- path: /var/lib/kubelet/pods
- type: Directory
- # This volume is where the node-driver-registrar registers the plugin
- # with kubelet
- - name: kubelet-plugin-registration-dir
- hostPath:
- path: /var/lib/kubelet/plugins_registry
- type: Directory
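Review bot: The `ValidatingWebhookConfiguration` named `spire-controller-manager-webhook` near the end of this removed manifest sets `failurePolicy: Fail` and is cluster-scoped, so dropping the file from the tree does not remove it from any cluster where the quickstart was applied. The same holds for the `csi.spiffe.io` CSIDriver, the two CRDs, and the ClusterRole and ClusterRoleBinding objects. If the `spire` namespace is torn down while the webhook configuration remains, CREATE and UPDATE requests for `clusterspiffeids` and `clusterfederatedtrustdomains` will be rejected because `spire-controller-manager-webhook-service` no longer answers. Please say in the commit message whether anything still applies this manifest, and if so document the cleanup (`kubectl delete -f` against the old file) before it disappears from the repository. If a newer copy gets vendored in its place, `skip_kubelet_verification = true`, `log_level = "DEBUG"`, `privileged: true` on the CSI driver container, and the mismatched `spire-server:1.5.4` and `spire-agent:1.2.3` image tags should be reviewed rather than carried over unchanged.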
diff --git a/istio-1.18.2/samples/sleep/README.md b/istio-1.18.2/samples/sleep/README.md
deleted file mode 100644
index 045df5c5..00000000
--- a/istio-1.18.2/samples/sleep/README.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Simple sleep service
-
-This sample consists of a simple service that does nothing but sleep.
-It's a ubuntu container with curl installed that can be used as a request source for invoking other services
-to experiment with Istio networking.
-
-To use it:
-
-1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/).
-
-1. Start the sleep service:
-
- If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled:
-
- ```bash
- kubectl apply -f sleep.yaml
- ```
-
- Otherwise manually inject the sidecars before applying:
-
- ```bash
- kubectl apply -f <(istioctl kube-inject -f sleep.yaml)
- ```
-
-1. Start some other services, for example, the [Bookinfo sample](https://istio.io/docs/examples/bookinfo/).
-
- Now you can `kubectl exec` into the sleep service to experiment with Istio networking.
- For example, the following commands can be used to call the Bookinfo `ratings` service:
-
- ```bash
- export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
- kubectl exec -it $SLEEP_POD -c sleep -- curl http://ratings.default.svc.cluster.local:9080/ratings/1
- {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
- ```
-
-You can also use the sleep service to test accessing services outside of the mesh.
-See [configuring egress](https://istio.io/docs/tasks/traffic-management/egress/) for details.
diff --git a/istio-1.18.2/samples/sleep/notsleep.yaml b/istio-1.18.2/samples/sleep/notsleep.yaml
deleted file mode 100644
index 898d4ab4..00000000
--- a/istio-1.18.2/samples/sleep/notsleep.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Notsleep service - based on the sleep service but has its own identity and affinity rule
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: notsleep
----
-apiVersion: v1
-kind: Service
-metadata:
- name: notsleep
- labels:
- app: notsleep
- service: notsleep
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: notsleep
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: notsleep
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: notsleep
- template:
- metadata:
- labels:
- app: notsleep
- spec:
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: app
- operator: In
- values:
- - productpage
- topologyKey: kubernetes.io/hostname
- terminationGracePeriodSeconds: 0
- serviceAccountName: notsleep
- containers:
- - name: notsleep
- image: curlimages/curl
- command: ["/bin/sleep", "3650d"]
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - mountPath: /etc/sleep/tls
- name: secret-volume
- volumes:
- - name: secret-volume
- secret:
- secretName: notsleep-secret
- optional: true
----
diff --git a/istio-1.18.2/samples/sleep/sleep-vault.yaml b/istio-1.18.2/samples/sleep/sleep-vault.yaml
deleted file mode 100644
index b31196cf..00000000
--- a/istio-1.18.2/samples/sleep/sleep-vault.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 2019 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Sleep service
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: sleep
----
-apiVersion: v1
-kind: Service
-metadata:
- name: sleep
- labels:
- app: sleep
- service: sleep
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: sleep
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: sleep
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: sleep
- template:
- metadata:
- labels:
- app: sleep
- spec:
- serviceAccountName: vault-citadel-sa
- containers:
- - name: sleep
- image: curlimages/curl
- command: ["/bin/sleep", "infinity"]
- imagePullPolicy: IfNotPresent
----
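Review bot: In the removed Deployment, `serviceAccountName: vault-citadel-sa` points at a ServiceAccount this file never defines (the only one it creates is `sleep`), so the sample relied on an object created somewhere else. Please check that nothing left in the repository still creates `vault-citadel-sa` or applies `sleep-vault.yaml`; otherwise this deletion leaves a dangling reference on one side or the other.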
diff --git a/istio-1.18.2/samples/sleep/sleep.yaml b/istio-1.18.2/samples/sleep/sleep.yaml
deleted file mode 100644
index 570086b9..00000000
--- a/istio-1.18.2/samples/sleep/sleep.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Sleep service
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: sleep
----
-apiVersion: v1
-kind: Service
-metadata:
- name: sleep
- labels:
- app: sleep
- service: sleep
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: sleep
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: sleep
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: sleep
- template:
- metadata:
- labels:
- app: sleep
- spec:
- terminationGracePeriodSeconds: 0
- serviceAccountName: sleep
- containers:
- - name: sleep
- image: curlimages/curl
- command: ["/bin/sleep", "infinity"]
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - mountPath: /etc/sleep/tls
- name: secret-volume
- volumes:
- - name: secret-volume
- secret:
- secretName: sleep-secret
- optional: true
----
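Review bot: `image: curlimages/curl` in the removed Deployment carries no tag or digest and is paired with `imagePullPolicy: IfNotPresent`, so each node kept running whichever build it happened to pull first; `notsleep.yaml` and `sleep-vault.yaml` in this same patch have the identical line. Removing the files is fine, but if these samples are re-vendored from a newer release, pin the image to a tag or digest so the pod used as a request source inside the mesh is reproducible.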
diff --git a/istio-1.18.2/samples/tcp-echo/README.md b/istio-1.18.2/samples/tcp-echo/README.md
deleted file mode 100644
index 50f2d82a..00000000
--- a/istio-1.18.2/samples/tcp-echo/README.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# TCP Echo Service
-
-This sample runs [TCP Echo Server](src/) as an Istio service. TCP Echo Server
-allows you to connect to it over TCP and echoes back data sent to it along with
-a preconfigured prefix.
-
-## Usage
-
-To run the TCP Echo Service sample:
-
-1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/kubernetes/quick-start.html).
-
-1. Start the `tcp-echo-server` service inside the Istio service mesh:
-
- ```console
- $ kubectl apply -f <(istioctl kube-inject -f tcp-echo.yaml)
- service/tcp-echo created
- deployment.apps/tcp-echo created
- ```
-
-1. Test by running the `nc` command from a `busybox` container from within the cluster.
-
- ```console
- $ kubectl run -i --rm --restart=Never dummy --image=busybox -- sh -c "echo world | nc tcp-echo 9000"
- hello world
- pod "dummy" deleted
- ```
-
- As you observe, sending _world_ on a TCP connection to the server results in
- the server prepending _hello_ and echoing back with _hello world_.
-
-1. To clean up, execute the following command:
-
- ```console
- $ kubectl delete -f tcp-echo.yaml
- service "tcp-echo" deleted
- deployment.apps "tcp-echo" deleted
- ```
diff --git a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml b/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml
deleted file mode 100644
index 11e27be3..00000000
--- a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: TCPRoute
-metadata:
- name: tcp-echo
-spec:
- parentRefs:
- - name: tcp-echo-gateway
- sectionName: tcp-31400
- rules:
- - backendRefs:
- - name: tcp-echo-v1
- port: 9000
- weight: 80
- - name: tcp-echo-v2
- port: 9000
- weight: 20
diff --git a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml b/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml
deleted file mode 100644
index 23965bbc..00000000
--- a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: Gateway
-metadata:
- name: tcp-echo-gateway
-spec:
- gatewayClassName: istio
- listeners:
- - name: tcp-31400
- protocol: TCP
- port: 31400
- allowedRoutes:
- kinds:
- - kind: TCPRoute
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo-v1
-spec:
- ports:
- - port: 9000
- name: tcp
- selector:
- app: tcp-echo
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo-v2
-spec:
- ports:
- - port: 9000
- name: tcp
- selector:
- app: tcp-echo
- version: v2
----
-apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: TCPRoute
-metadata:
- name: tcp-echo
-spec:
- parentRefs:
- - name: tcp-echo-gateway
- sectionName: tcp-31400
- rules:
- - backendRefs:
- - name: tcp-echo-v1
- port: 9000
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml
deleted file mode 100644
index f69ab115..00000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: tcp-echo
-spec:
- hosts:
- - "*"
- gateways:
- - tcp-echo-gateway
- tcp:
- - match:
- - port: 31400
- route:
- - destination:
- host: tcp-echo
- port:
- number: 9000
- subset: v1
- weight: 80
- - destination:
- host: tcp-echo
- port:
- number: 9000
- subset: v2
- weight: 20
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml
deleted file mode 100644
index 3c302c51..00000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: tcp-echo-gateway
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 31400
- name: tcp
- protocol: TCP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: tcp-echo-destination
-spec:
- host: tcp-echo
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: tcp-echo
-spec:
- hosts:
- - "*"
- gateways:
- - tcp-echo-gateway
- tcp:
- - match:
- - port: 31400
- route:
- - destination:
- host: tcp-echo
- port:
- number: 9000
- subset: v1
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml
deleted file mode 100644
index dd72061d..00000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ipFamilyPolicy: RequireDualStack
- ipFamilies:
- - IPv6
- - IPv4
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml
deleted file mode 100644
index 8ac98630..00000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv4
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: Always
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
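Review bot: `imagePullPolicy: Always` on the `tcp-echo` container disagrees with the `IfNotPresent` used by `tcp-echo-dual-stack.yaml` and `tcp-echo-ipv6.yaml`, which are deleted in the same patch and otherwise differ from this file only in `ipFamilyPolicy` and `ipFamilies`. With `Always`, the `1.2` tag is resolved against the registry on every pod start, so this variant can run a different image from its siblings if the tag is ever repointed. If any of these manifests is carried forward, use one policy across all three and reference `docker.io/istio/tcp-echo-server` by digest. Note also that `args` starts a listener on 9002 while only 9000 and 9001 are declared as `containerPort`; the inline comment covers the Service omission but not the container one.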
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml
deleted file mode 100644
index 02ddd6de..00000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv6
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml
deleted file mode 100644
index 7f645746..00000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo-v1
- labels:
- app: tcp-echo
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "one" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo-v2
- labels:
- app: tcp-echo
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v2
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v2
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "two" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml
deleted file mode 100644
index fae95161..00000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.18.2/samples/wasm_modules/README.md b/istio-1.18.2/samples/wasm_modules/README.md
deleted file mode 100644
index 4a8a8702..00000000
--- a/istio-1.18.2/samples/wasm_modules/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# WASM demo
-
-`header_injector` is used for istio e2e tests, more tests can be found [here](https://github.com/istio-ecosystem/wasm-extensions).
diff --git a/istio-1.18.2/samples/wasm_modules/header_injector/Makefile b/istio-1.18.2/samples/wasm_modules/header_injector/Makefile
deleted file mode 100644
index 377495d2..00000000
--- a/istio-1.18.2/samples/wasm_modules/header_injector/Makefile
+++ /dev/null
@@ -1,22 +0,0 @@
-.PHONY: docker-push docker-build build clean
-
-VERSION_LIST := 1 2
-HUB ?= gcr.io/istio-testing
-IMAGE_PREFIX ?= /wasm
-IMG := $(HUB)$(IMAGE_PREFIX)/header-injector
-
-all: docker-push
-
-build: plugin.cc plugin.h BUILD WORKSPACE
- rm -f *.wasm
- $(foreach VERSION, $(VERSION_LIST), bazel build :plugin-0.0.$(VERSION).wasm && cp bazel-bin/plugin-0.0.$(VERSION).wasm .;)
-
-docker-build: build
- $(foreach VERSION, $(VERSION_LIST), docker buildx build . -t $(IMG):0.0.$(VERSION) --build-arg WASM_BINARY=plugin-0.0.$(VERSION).wasm;)
-
-docker-push: docker-build
- $(foreach VERSION, $(VERSION_LIST), docker push $(IMG):0.0.$(VERSION);)
-
-clean:
- rm -rf bazel-*
- rm -f *.wasm
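Review bot: `all: docker-push` is the first real target, so a bare `make` in this directory builds both plugin versions and then pushes `$(IMG):0.0.1` and `$(IMG):0.0.2` to `$(HUB)`, which defaults to `gcr.io/istio-testing`. Removing the file removes that default. If the build is reinstated elsewhere, make `build` the default goal and have `docker-push` fail when `HUB` is not set explicitly. `all` is also missing from the `.PHONY` list.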
diff --git a/istio-1.18.2/samples/websockets/README.md b/istio-1.18.2/samples/websockets/README.md
deleted file mode 100644
index 26a1f382..00000000
--- a/istio-1.18.2/samples/websockets/README.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# Tornado - Demo Websockets App
-
-This is a sample application that demonstrates the use of an upgraded websockets connection on an ingress traffic when using Istio `VirtualService`.
-The `app.yaml` creates a Kubernetes `Service` and a `Deployment` that is based on an existing Docker image for [Hiroakis's Tornado Websocket Example](https://github.com/hiroakis/tornado-websocket-example).
-
-__Notice:__ The addition of websockets upgrade support in v1alpha3 routing rules has only been added after the release of `Istio v0.8.0`.
-
-## Prerequisites
-
-Install Istio by following the [Istio Quick Start](https://istio.io/docs/setup/kubernetes/quick-start.html).
-
-## Installation
-
-1. First install the application service:
-
- - With manual sidecar injection:
-
- ```command
- kubectl create -f <(istioctl kube-inject -f samples/websockets/app.yaml)
- ```
-
- - With automatic sidecar injection
-
- ```command
- kubectl create -f samples/websockets/app.yaml
- ```
-
-1. Create the Ingress `Gateway` and `VirtualService` that enables the upgrade to Websocket for incoming traffic:
-
- ```command
- kubectl create -f samples/websockets/route.yaml
- ```
-
-## Test
-
-- [Find your ingress gateway IP](https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports)
-
-- Access with your browser
-
-- The `WebSocket status` should show a green `open` status which means that a websocket connection to the server has been established.
-To see the websocket in action see the instructions in the _REST API examples_ section of the demo app webpage for updating the server-side data and getting the updated data through the open websocket to the table in the webpage (without refreshing).
-
-## Cleanup
-
-```command
-kubectl delete -f samples/websockets/route.yaml
-kubectl delete -f samples/websockets/app.yaml
-```
diff --git a/istio-1.18.2/samples/websockets/app.yaml b/istio-1.18.2/samples/websockets/app.yaml
deleted file mode 100644
index 4f44ea7d..00000000
--- a/istio-1.18.2/samples/websockets/app.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: tornado
- labels:
- app: tornado
- service: tornado
-spec:
- ports:
- - port: 8888
- name: http
- selector:
- app: tornado
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tornado
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tornado
- version: v1
- template:
- metadata:
- labels:
- app: tornado
- version: v1
- spec:
- containers:
- - name: tornado
- image: hiroakis/tornado-websocket-example
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 8888
----
diff --git a/istio-1.18.2/samples/websockets/route.yaml b/istio-1.18.2/samples/websockets/route.yaml
deleted file mode 100644
index ef580b2c..00000000
--- a/istio-1.18.2/samples/websockets/route.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: tornado-gateway
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: tornado
-spec:
- hosts:
- - "*"
- gateways:
- - tornado-gateway
- http:
- - match:
- - uri:
- prefix: /
- route:
- - destination:
- host: tornado
- weight: 100
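Review bot: `tornado-gateway` exposes port 80 as plain `HTTP` with `hosts: "*"`, and the `tornado` VirtualService binds `hosts: "*"` with `prefix: /`, so the route matches any Host header on that listener and forwards it to the sample app without TLS. Since this hunk only deletes the manifest, confirm the objects are not still applied in any cluster that outlives the sample. A replacement should name the expected host on both resources and terminate TLS at the gateway. `weight: 100` on a single destination is redundant.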
diff --git a/istio-1.18.2/tools/_istioctl b/istio-1.18.2/tools/_istioctl
deleted file mode 100644
index d1e29f21..00000000
--- a/istio-1.18.2/tools/_istioctl
+++ /dev/null
@@ -1,212 +0,0 @@
-#compdef istioctl
-compdef _istioctl istioctl
-
-# zsh completion for istioctl -*- shell-script -*-
-
-__istioctl_debug()
-{
- local file="$BASH_COMP_DEBUG_FILE"
- if [[ -n ${file} ]]; then
- echo "$*" >> "${file}"
- fi
-}
-
-_istioctl()
-{
- local shellCompDirectiveError=1
- local shellCompDirectiveNoSpace=2
- local shellCompDirectiveNoFileComp=4
- local shellCompDirectiveFilterFileExt=8
- local shellCompDirectiveFilterDirs=16
- local shellCompDirectiveKeepOrder=32
-
- local lastParam lastChar flagPrefix requestComp out directive comp lastComp noSpace keepOrder
- local -a completions
-
- __istioctl_debug "\n========= starting completion logic =========="
- __istioctl_debug "CURRENT: ${CURRENT}, words[*]: ${words[*]}"
-
- # The user could have moved the cursor backwards on the command-line.
- # We need to trigger completion from the $CURRENT location, so we need
- # to truncate the command-line ($words) up to the $CURRENT location.
- # (We cannot use $CURSOR as its value does not work when a command is an alias.)
- words=("${=words[1,CURRENT]}")
- __istioctl_debug "Truncated words[*]: ${words[*]},"
-
- lastParam=${words[-1]}
- lastChar=${lastParam[-1]}
- __istioctl_debug "lastParam: ${lastParam}, lastChar: ${lastChar}"
-
- # For zsh, when completing a flag with an = (e.g., istioctl -n=)
- # completions must be prefixed with the flag
- setopt local_options BASH_REMATCH
- if [[ "${lastParam}" =~ '-.*=' ]]; then
- # We are dealing with a flag with an =
- flagPrefix="-P ${BASH_REMATCH}"
- fi
-
- # Prepare the command to obtain completions
- requestComp="${words[1]} __complete ${words[2,-1]}"
- if [ "${lastChar}" = "" ]; then
- # If the last parameter is complete (there is a space following it)
- # We add an extra empty parameter so we can indicate this to the go completion code.
- __istioctl_debug "Adding extra empty parameter"
- requestComp="${requestComp} \"\""
- fi
-
- __istioctl_debug "About to call: eval ${requestComp}"
-
- # Use eval to handle any environment variables and such
- out=$(eval ${requestComp} 2>/dev/null)
- __istioctl_debug "completion output: ${out}"
-
- # Extract the directive integer following a : from the last line
- local lastLine
- while IFS='\n' read -r line; do
- lastLine=${line}
- done < <(printf "%s\n" "${out[@]}")
- __istioctl_debug "last line: ${lastLine}"
-
- if [ "${lastLine[1]}" = : ]; then
- directive=${lastLine[2,-1]}
- # Remove the directive including the : and the newline
- local suffix
- (( suffix=${#lastLine}+2))
- out=${out[1,-$suffix]}
- else
- # There is no directive specified. Leave $out as is.
- __istioctl_debug "No directive found. Setting do default"
- directive=0
- fi
-
- __istioctl_debug "directive: ${directive}"
- __istioctl_debug "completions: ${out}"
- __istioctl_debug "flagPrefix: ${flagPrefix}"
-
- if [ $((directive & shellCompDirectiveError)) -ne 0 ]; then
- __istioctl_debug "Completion received error. Ignoring completions."
- return
- fi
-
- local activeHelpMarker="_activeHelp_ "
- local endIndex=${#activeHelpMarker}
- local startIndex=$((${#activeHelpMarker}+1))
- local hasActiveHelp=0
- while IFS='\n' read -r comp; do
- # Check if this is an activeHelp statement (i.e., prefixed with $activeHelpMarker)
- if [ "${comp[1,$endIndex]}" = "$activeHelpMarker" ];then
- __istioctl_debug "ActiveHelp found: $comp"
- comp="${comp[$startIndex,-1]}"
- if [ -n "$comp" ]; then
- compadd -x "${comp}"
- __istioctl_debug "ActiveHelp will need delimiter"
- hasActiveHelp=1
- fi
-
- continue
- fi
-
- if [ -n "$comp" ]; then
- # If requested, completions are returned with a description.
- # The description is preceded by a TAB character.
- # For zsh's _describe, we need to use a : instead of a TAB.
- # We first need to escape any : as part of the completion itself.
- comp=${comp//:/\\:}
-
- local tab="$(printf '\t')"
- comp=${comp//$tab/:}
-
- __istioctl_debug "Adding completion: ${comp}"
- completions+=${comp}
- lastComp=$comp
- fi
- done < <(printf "%s\n" "${out[@]}")
-
- # Add a delimiter after the activeHelp statements, but only if:
- # - there are completions following the activeHelp statements, or
- # - file completion will be performed (so there will be choices after the activeHelp)
- if [ $hasActiveHelp -eq 1 ]; then
- if [ ${#completions} -ne 0 ] || [ $((directive & shellCompDirectiveNoFileComp)) -eq 0 ]; then
- __istioctl_debug "Adding activeHelp delimiter"
- compadd -x "--"
- hasActiveHelp=0
- fi
- fi
-
- if [ $((directive & shellCompDirectiveNoSpace)) -ne 0 ]; then
- __istioctl_debug "Activating nospace."
- noSpace="-S ''"
- fi
-
- if [ $((directive & shellCompDirectiveKeepOrder)) -ne 0 ]; then
- __istioctl_debug "Activating keep order."
- keepOrder="-V"
- fi
-
- if [ $((directive & shellCompDirectiveFilterFileExt)) -ne 0 ]; then
- # File extension filtering
- local filteringCmd
- filteringCmd='_files'
- for filter in ${completions[@]}; do
- if [ ${filter[1]} != '*' ]; then
- # zsh requires a glob pattern to do file filtering
- filter="\*.$filter"
- fi
- filteringCmd+=" -g $filter"
- done
- filteringCmd+=" ${flagPrefix}"
-
- __istioctl_debug "File filtering command: $filteringCmd"
- _arguments '*:filename:'"$filteringCmd"
- elif [ $((directive & shellCompDirectiveFilterDirs)) -ne 0 ]; then
- # File completion for directories only
- local subdir
- subdir="${completions[1]}"
- if [ -n "$subdir" ]; then
- __istioctl_debug "Listing directories in $subdir"
- pushd "${subdir}" >/dev/null 2>&1
- else
- __istioctl_debug "Listing directories in ."
- fi
-
- local result
- _arguments '*:dirname:_files -/'" ${flagPrefix}"
- result=$?
- if [ -n "$subdir" ]; then
- popd >/dev/null 2>&1
- fi
- return $result
- else
- __istioctl_debug "Calling _describe"
- if eval _describe $keepOrder "completions" completions $flagPrefix $noSpace; then
- __istioctl_debug "_describe found some completions"
-
- # Return the success of having called _describe
- return 0
- else
- __istioctl_debug "_describe did not find completions."
- __istioctl_debug "Checking if we should do file completion."
- if [ $((directive & shellCompDirectiveNoFileComp)) -ne 0 ]; then
- __istioctl_debug "deactivating file completion"
-
- # We must return an error code here to let zsh know that there were no
- # completions found by _describe; this is what will trigger other
- # matching algorithms to attempt to find completions.
- # For example zsh can match letters in the middle of words.
- return 1
- else
- # Perform file completion
- __istioctl_debug "Activating file completion"
-
- # We must return the result of this command, so it must be the
- # last command, or else we must store its result to return it.
- _arguments '*:filename:_files'" ${flagPrefix}"
- fi
- fi
- fi
-}
-
-# don't run the completion function when being source-ed or eval-ed
-if [ "$funcstack[1]" = "_istioctl" ]; then
- _istioctl
-fi
diff --git a/istio-1.18.2/tools/certs/Makefile.k8s.mk b/istio-1.18.2/tools/certs/Makefile.k8s.mk
deleted file mode 100644
index 3d2e7fe0..00000000
--- a/istio-1.18.2/tools/certs/Makefile.k8s.mk
+++ /dev/null
@@ -1,102 +0,0 @@
-.SUFFIXES: .csr .pem .conf
-.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem
-.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem
-.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf
-
-.DEFAULT_GOAL := help
-
-SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
-
-include $(SELF_DIR)common.mk
-
-#------------------------------------------------------------------------
-##help: print this help message
-.PHONY: help
-
-help:
- @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//'
-
-#------------------------------------------------------------------------
-##fetch-root-ca: fetch root CA and key from a k8s cluster.
-.PHONY: fetch-root-ca
-rawcluster := $(shell kubectl config current-context)
-cluster := $(subst /,-,$(rawcluster))
-pwd := $(shell pwd)
-export KUBECONFIG
-
-fetch-root-ca:
- @echo "fetching root ca from k8s cluster: "$(cluster)""
- @mkdir -p $(pwd)/$(cluster)
- @res=$(shell kubectl get secret istio-ca-secret -n $(ISTIO-NAMESPACE) >/dev/null 2>&1; echo $$?)
-ifeq ($(res), 1)
- @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem
- @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem
-else
- @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem
- @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem
-endif
-
-k8s-root-cert.pem:
- @cat $(cluster)/k8s-root-cert.pem > $@
-
-k8s-root-key.pem:
- @cat $(cluster)/k8s-root-key.pem > $@
-#------------------------------------------------------------------------
-##-cacerts: generate intermediate certificates for a cluster or VM with signed with istio root cert from the specified k8s cluster and store them under directory
-.PHONY: %-cacerts
-
-%-cacerts: %/cert-chain.pem
- @echo "done"
-
-%/cert-chain.pem: %/ca-cert.pem k8s-root-cert.pem
- @echo "generating $@"
- @cat $^ > $@
- @echo "Intermediate certs stored in $(dir $<)"
- @cp k8s-root-cert.pem $(dir $<)/root-cert.pem
-
-%/ca-cert.pem: %/cluster-ca.csr k8s-root-key.pem k8s-root-cert.pem
- @echo "generating $@"
- @openssl x509 -req -days $(INTERMEDIATE_DAYS) \
- -CA k8s-root-cert.pem -CAkey k8s-root-key.pem -CAcreateserial\
- -extensions req_ext -extfile $(dir $<)/intermediate.conf \
- -in $< -out $@
-
-%/cluster-ca.csr: L=$(dir $@)
-%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
- @echo "generating $@"
- @openssl req -new -config $(L)/intermediate.conf -key $< -out $@
-
-%/ca-key.pem: fetch-root-ca
- @echo "generating $@"
- @mkdir -p $(dir $@)
- @openssl genrsa -out $@ 4096
-
-#------------------------------------------------------------------------
-##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using root cert from k8s cluster.
-.PHONY: %-certs
-
-%-certs: fetch-root-ca %/workload-cert-chain.pem k8s-root-cert.pem
- @echo "done"
-
-%/workload-cert-chain.pem: k8s-root-cert.pem %/ca-cert.pem %/workload-cert.pem
- @echo "generating $@"
- @cat $^ > $@
- @echo "Intermediate and workload certs stored in $(dir $<)"
- @cp k8s-root-cert.pem $(dir $@)/root-cert.pem
-
-%/workload-cert.pem: %/workload.csr
- @echo "generating $@"
- @openssl x509 -req -days $(WORKLOAD_DAYS) \
- -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\
- -extensions req_ext -extfile $(dir $<)/workload.conf \
- -in $< -out $@
-
-%/workload.csr: L=$(dir $@)
-%/workload.csr: %/key.pem %/workload.conf
- @echo "generating $@"
- @openssl req -new -config $(L)/workload.conf -key $< -out $@
-
-%/key.pem:
- @echo "generating $@"
- @mkdir -p $(dir $@)
- @openssl genrsa -out $@ 4096
\ No newline at end of file
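Review bot: in `fetch-root-ca`, `ifeq ($(res), 1)` is evaluated when make parses the file, whereas `res=` on the line above is a shell variable that exists only inside that one recipe line, so the make variable `res` is always empty and only the `else` branch (reading `istio-ca-secret`) ever runs; the `cacerts` branch is dead code. The probe on that same line also expands `$(ISTIO-NAMESPACE)` with a hyphen, while every other line uses `$(ISTIO_NAMESPACE)`. Both problems disappear with this deletion, so the hunk itself needs no change. What does need checking is residue: the target wrote the cluster CA private key to `$(cluster)/k8s-root-key.pem` and then copied it to `k8s-root-key.pem` in the current directory, with permissions left to the caller's umask, so look for leftover copies in working trees and build caches. If these targets are reinstated, do the secret-existence test inside the shell recipe and create the key files under `umask 077`.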
diff --git a/istio-1.18.2/tools/certs/Makefile.selfsigned.mk b/istio-1.18.2/tools/certs/Makefile.selfsigned.mk
deleted file mode 100644
index 2a87d071..00000000
--- a/istio-1.18.2/tools/certs/Makefile.selfsigned.mk
+++ /dev/null
@@ -1,98 +0,0 @@
-.SUFFIXES: .csr .pem .conf
-.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem
-.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem
-.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf
-
-.DEFAULT_GOAL := help
-
-SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
-
-include $(SELF_DIR)common.mk
-
-#------------------------------------------------------------------------
-##help: print this help message
-.PHONY: help
-
-help:
- @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//'
-
-#------------------------------------------------------------------------
-##root-ca: generate root CA files (key and certificate) in current directory.
-.PHONY: root-ca
-
-root-ca: root-key.pem root-cert.pem
-
-root-cert.pem: root-cert.csr root-key.pem
- @echo "generating $@"
- @openssl x509 -req -sha256 -days $(ROOTCA_DAYS) -signkey root-key.pem \
- -extensions req_ext -extfile root-ca.conf \
- -in $< -out $@
-
-root-cert.csr: root-key.pem root-ca.conf
- @echo "generating $@"
- @openssl req -sha256 -new -key $< -config root-ca.conf -out $@
-
-root-key.pem:
- @echo "generating $@"
- @openssl genrsa -out $@ 4096
-#------------------------------------------------------------------------
-##-cacerts: generate self signed intermediate certificates for and store them under directory.
-.PHONY: %-cacerts
-
-%-cacerts: %/cert-chain.pem
- @echo "done"
-
-%/cert-chain.pem: %/ca-cert.pem root-cert.pem
- @echo "generating $@"
- @cat $^ > $@
- @echo "Intermediate inputs stored in $(dir $<)"
- @cp root-cert.pem $(dir $<)
-
-
-%/ca-cert.pem: %/cluster-ca.csr root-key.pem root-cert.pem
- @echo "generating $@"
- @openssl x509 -req -sha256 -days $(INTERMEDIATE_DAYS) \
- -CA root-cert.pem -CAkey root-key.pem -CAcreateserial\
- -extensions req_ext -extfile $(dir $<)/intermediate.conf \
- -in $< -out $@
-
-%/cluster-ca.csr: L=$(dir $@)
-%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
- @echo "generating $@"
- @openssl req -sha256 -new -config $(L)/intermediate.conf -key $< -out $@
-
-%/ca-key.pem:
- @echo "generating $@"
- @mkdir -p $(dir $@)
- @openssl genrsa -out $@ 4096
-
-#------------------------------------------------------------------------
-##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using self signed root certs.
-.PHONY: %-certs
-
-%-certs: %/ca-cert.pem %/workload-cert-chain.pem root-cert.pem
- @echo "done"
-
-%/workload-cert-chain.pem: %/workload-cert.pem %/ca-cert.pem root-cert.pem
- @echo "generating $@"
- @cat $^ > $@
- @echo "Intermediate and workload certs stored in $(dir $<)"
- @cp root-cert.pem $(dir $@)/root-cert.pem
-
-
-%/workload-cert.pem: %/workload.csr
- @echo "generating $@"
- @openssl x509 -sha256 -req -days $(WORKLOAD_DAYS) \
- -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\
- -extensions req_ext -extfile $(dir $<)/workload.conf \
- -in $< -out $@
-
-%/workload.csr: L=$(dir $@)
-%/workload.csr: %/key.pem %/workload.conf
- @echo "generating $@"
- @openssl req -sha256 -new -config $(L)/workload.conf -key $< -out $@
-
-%/key.pem:
- @echo "generating $@"
- @mkdir -p $(dir $@)
- @openssl genrsa -out $@ 4096
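Review bot: the three key rules (`root-key.pem`, `%/ca-key.pem`, `%/key.pem`) all hardcode `openssl genrsa -out $@ 4096`, and every later `openssl req` is handed that key with `-key $<`. The `ROOTCA_KEYSZ` and `INTERMEDIATE_KEYSZ` variables from the included `common.mk` therefore only reach `default_bits` in the generated .conf files and never change the real key size. If this tooling is kept anywhere after the deletion, pass the variable to `genrsa` (for example `openssl genrsa -out $@ $(ROOTCA_KEYSZ)`) or remove the unused knobs. The keys are also written without a passphrase, and the `##` help lines should say so.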
diff --git a/istio-1.18.2/tools/certs/README.md b/istio-1.18.2/tools/certs/README.md
deleted file mode 100644
index f197e2a8..00000000
--- a/istio-1.18.2/tools/certs/README.md
+++ /dev/null
@@ -1,26 +0,0 @@
-# Generating Certificates for Bootstrapping Multicluster / Mesh Expansion Chain of Trust
-
-The directory contains two Makefiles for generating new root, intermediate certificates and workload certificates:
-- `Makefile.k8s.mk`: Creates certificates based on a root-ca from a k8s cluster. The current context in the default
-`kubeconfig` is used for accessing the cluster.
-- `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root.
-
-The table below describes the targets supported by both Makefiles.
-
-Make Target | Makefile | Description
------- | -------- | -----------
-`root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate.
-`fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`.
-`$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM with `$NAME` (e.g., `us-east`, `cluster01`, etc.). They are stored under `$NAME` directory. To differentiate between clusters, we include a `Location` (`L`) designation in the certificates `Subject` field, with the cluster's name.
-`$NAMESPACE-certs` | Both | Generates intermediate certificates and sign certificates for a virtual machine connected to the namespace `$NAMESPACE` using serviceAccount `$SERVICE_ACCOUNT` using the root cert and store them under `$NAMESPACE` directory.
-`clean` | Both | Removes any generated root certificates, keys, and intermediate files.
-
-For example:
-
-```bash
-make -f Makefile.selfsigned.mk root-ca
-```
-
-Note that the Makefile generates long-lived intermediate certificates. While this might be
-acceptable for demonstration purposes, a more realistic and secure deployment would use
-short-lived and automatically renewed certificates for the intermediate CAs.
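Review bot: the only usage example is `make -f Makefile.selfsigned.mk root-ca`, so the `$NAME-cacerts` and `$NAMESPACE-certs` rows never show how `$SERVICE_ACCOUNT` is supplied or which Makefile to invoke for a cluster-rooted chain. The sentence introducing the table says the targets are "supported by both Makefiles" although `root-ca` and `fetch-root-ca` are each listed for one Makefile only. If this README is preserved elsewhere, add one example per target. The closing note about long-lived intermediates should also state the concrete defaults from `common.mk` (`INTERMEDIATE_DAYS ?= 3650`, `WORKLOAD_DAYS ?= 1`) so readers know what they are accepting.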
diff --git a/istio-1.18.2/tools/certs/common.mk b/istio-1.18.2/tools/certs/common.mk
deleted file mode 100644
index ba3f90c9..00000000
--- a/istio-1.18.2/tools/certs/common.mk
+++ /dev/null
@@ -1,101 +0,0 @@
-#------------------------------------------------------------------------
-# variables: root CA
-ROOTCA_DAYS ?= 3650
-ROOTCA_KEYSZ ?= 4096
-ROOTCA_ORG ?= Istio
-ROOTCA_CN ?= Root CA
-KUBECONFIG ?= $(HOME)/.kube/config
-ISTIO_NAMESPACE ?= istio-system
-# Additional variables are defined in root-ca.conf target below.
-
-#------------------------------------------------------------------------
-# variables: intermediate CA
-INTERMEDIATE_DAYS ?= 3650
-INTERMEDIATE_KEYSZ ?= 4096
-INTERMEDIATE_ORG ?= Istio
-INTERMEDIATE_CN ?= Intermediate CA
-INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc
-# Additional variables are defined in %/intermediate.conf target below.
-
-#------------------------------------------------------------------------
-# variables: workload certs: eg VM
-WORKLOAD_DAYS ?= 1
-SERVICE_ACCOUNT ?= default
-WORKLOAD_CN ?= Workload
-
-#------------------------------------------------------------------------
-# variables: files to clean
-FILES_TO_CLEAN+=k8s-root-cert.pem \
- k8s-root-cert.srl \
- k8s-root-key.pem root-ca.conf root-cert.csr root-cert.pem root-cert.srl root-key.pem
-#------------------------------------------------------------------------
-# clean
-.PHONY: clean
-
-clean: ## Cleans all the intermediate files and folders previously generated.
- @rm -f $(FILES_TO_CLEAN)
-
-root-ca.conf:
- @echo "[ req ]" > $@
- @echo "encrypt_key = no" >> $@
- @echo "prompt = no" >> $@
- @echo "utf8 = yes" >> $@
- @echo "default_md = sha256" >> $@
- @echo "default_bits = $(ROOTCA_KEYSZ)" >> $@
- @echo "req_extensions = req_ext" >> $@
- @echo "x509_extensions = req_ext" >> $@
- @echo "distinguished_name = req_dn" >> $@
- @echo "[ req_ext ]" >> $@
- @echo "subjectKeyIdentifier = hash" >> $@
- @echo "basicConstraints = critical, CA:true" >> $@
- @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@
- @echo "[ req_dn ]" >> $@
- @echo "O = $(ROOTCA_ORG)" >> $@
- @echo "CN = $(ROOTCA_CN)" >> $@
-
-%/intermediate.conf: L=$(dir $@)
-%/intermediate.conf:
- @echo "[ req ]" > $@
- @echo "encrypt_key = no" >> $@
- @echo "prompt = no" >> $@
- @echo "utf8 = yes" >> $@
- @echo "default_md = sha256" >> $@
- @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@
- @echo "req_extensions = req_ext" >> $@
- @echo "x509_extensions = req_ext" >> $@
- @echo "distinguished_name = req_dn" >> $@
- @echo "[ req_ext ]" >> $@
- @echo "subjectKeyIdentifier = hash" >> $@
- @echo "basicConstraints = critical, CA:true, pathlen:0" >> $@
- @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@
- @echo "subjectAltName=@san" >> $@
- @echo "[ san ]" >> $@
- @echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@
- @echo "[ req_dn ]" >> $@
- @echo "O = $(INTERMEDIATE_ORG)" >> $@
- @echo "CN = $(INTERMEDIATE_CN)" >> $@
- @echo "L = $(L:/=)" >> $@
-
-%/workload.conf: L=$(dir $@)
-%/workload.conf:
- @echo "[ req ]" > $@
- @echo "encrypt_key = no" >> $@
- @echo "prompt = no" >> $@
- @echo "utf8 = yes" >> $@
- @echo "default_md = sha256" >> $@
- @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@
- @echo "req_extensions = req_ext" >> $@
- @echo "x509_extensions = req_ext" >> $@
- @echo "distinguished_name = req_dn" >> $@
- @echo "[ req_ext ]" >> $@
- @echo "subjectKeyIdentifier = hash" >> $@
- @echo "basicConstraints = critical, CA:false" >> $@
- @echo "keyUsage = digitalSignature, keyEncipherment" >> $@
- @echo "extendedKeyUsage = serverAuth, clientAuth" >> $@
- @echo "subjectAltName=@san" >> $@
- @echo "[ san ]" >> $@
- @echo "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" >> $@
- @echo "[ req_dn ]" >> $@
- @echo "O = $(INTERMEDIATE_ORG)" >> $@
- @echo "CN = $(WORKLOAD_CN)" >> $@
- @echo "L = $(L:/=)" >> $@
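Review bot: `INTERMEDIATE_DAYS ?= 3650` is the same as `ROOTCA_DAYS ?= 3650`, so any intermediate signed after the day the root was created gets a notAfter later than the root that issued it. The intermediate default should be shorter than the root's. In `%/workload.conf` the SAN is written as `spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)`, which hardcodes the trust domain and relies on `$(dir $@)` leaving a trailing slash in `$(L)` to separate the namespace from `sa`. A trust-domain variable and an explicit `$(L:/=)/sa/` would make that identity string less fragile. The same block also reuses `INTERMEDIATE_KEYSZ` and `INTERMEDIATE_ORG` for workload certificates, which reads like a copy-paste from the intermediate template.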
diff --git a/istio-1.18.2/tools/istioctl.bash b/istio-1.18.2/tools/istioctl.bash
deleted file mode 100644
index 6f1e1585..00000000
--- a/istio-1.18.2/tools/istioctl.bash
+++ /dev/null
@@ -1,338 +0,0 @@
-# bash completion V2 for istioctl -*- shell-script -*-
-
-__istioctl_debug()
-{
- if [[ -n ${BASH_COMP_DEBUG_FILE-} ]]; then
- echo "$*" >> "${BASH_COMP_DEBUG_FILE}"
- fi
-}
-
-# Macs have bash3 for which the bash-completion package doesn't include
-# _init_completion. This is a minimal version of that function.
-__istioctl_init_completion()
-{
- COMPREPLY=()
- _get_comp_words_by_ref "$@" cur prev words cword
-}
-
-# This function calls the istioctl program to obtain the completion
-# results and the directive. It fills the 'out' and 'directive' vars.
-__istioctl_get_completion_results() {
- local requestComp lastParam lastChar args
-
- # Prepare the command to request completions for the program.
- # Calling ${words[0]} instead of directly istioctl allows to handle aliases
- args=("${words[@]:1}")
- requestComp="${words[0]} __complete ${args[*]}"
-
- lastParam=${words[$((${#words[@]}-1))]}
- lastChar=${lastParam:$((${#lastParam}-1)):1}
- __istioctl_debug "lastParam ${lastParam}, lastChar ${lastChar}"
-
- if [[ -z ${cur} && ${lastChar} != = ]]; then
- # If the last parameter is complete (there is a space following it)
- # We add an extra empty parameter so we can indicate this to the go method.
- __istioctl_debug "Adding extra empty parameter"
- requestComp="${requestComp} ''"
- fi
-
- # When completing a flag with an = (e.g., istioctl -n=)
- # bash focuses on the part after the =, so we need to remove
- # the flag part from $cur
- if [[ ${cur} == -*=* ]]; then
- cur="${cur#*=}"
- fi
-
- __istioctl_debug "Calling ${requestComp}"
- # Use eval to handle any environment variables and such
- out=$(eval "${requestComp}" 2>/dev/null)
-
- # Extract the directive integer at the very end of the output following a colon (:)
- directive=${out##*:}
- # Remove the directive
- out=${out%:*}
- if [[ ${directive} == "${out}" ]]; then
- # There is not directive specified
- directive=0
- fi
- __istioctl_debug "The completion directive is: ${directive}"
- __istioctl_debug "The completions are: ${out}"
-}
-
-__istioctl_process_completion_results() {
- local shellCompDirectiveError=1
- local shellCompDirectiveNoSpace=2
- local shellCompDirectiveNoFileComp=4
- local shellCompDirectiveFilterFileExt=8
- local shellCompDirectiveFilterDirs=16
- local shellCompDirectiveKeepOrder=32
-
- if (((directive & shellCompDirectiveError) != 0)); then
- # Error code. No completion.
- __istioctl_debug "Received error from custom completion go code"
- return
- else
- if (((directive & shellCompDirectiveNoSpace) != 0)); then
- if [[ $(type -t compopt) == builtin ]]; then
- __istioctl_debug "Activating no space"
- compopt -o nospace
- else
- __istioctl_debug "No space directive not supported in this version of bash"
- fi
- fi
- if (((directive & shellCompDirectiveKeepOrder) != 0)); then
- if [[ $(type -t compopt) == builtin ]]; then
- # no sort isn't supported for bash less than < 4.4
- if [[ ${BASH_VERSINFO[0]} -lt 4 || ( ${BASH_VERSINFO[0]} -eq 4 && ${BASH_VERSINFO[1]} -lt 4 ) ]]; then
- __istioctl_debug "No sort directive not supported in this version of bash"
- else
- __istioctl_debug "Activating keep order"
- compopt -o nosort
- fi
- else
- __istioctl_debug "No sort directive not supported in this version of bash"
- fi
- fi
- if (((directive & shellCompDirectiveNoFileComp) != 0)); then
- if [[ $(type -t compopt) == builtin ]]; then
- __istioctl_debug "Activating no file completion"
- compopt +o default
- else
- __istioctl_debug "No file completion directive not supported in this version of bash"
- fi
- fi
- fi
-
- # Separate activeHelp from normal completions
- local completions=()
- local activeHelp=()
- __istioctl_extract_activeHelp
-
- if (((directive & shellCompDirectiveFilterFileExt) != 0)); then
- # File extension filtering
- local fullFilter filter filteringCmd
-
- # Do not use quotes around the $completions variable or else newline
- # characters will be kept.
- for filter in ${completions[*]}; do
- fullFilter+="$filter|"
- done
-
- filteringCmd="_filedir $fullFilter"
- __istioctl_debug "File filtering command: $filteringCmd"
- $filteringCmd
- elif (((directive & shellCompDirectiveFilterDirs) != 0)); then
- # File completion for directories only
-
- local subdir
- subdir=${completions[0]}
- if [[ -n $subdir ]]; then
- __istioctl_debug "Listing directories in $subdir"
- pushd "$subdir" >/dev/null 2>&1 && _filedir -d && popd >/dev/null 2>&1 || return
- else
- __istioctl_debug "Listing directories in ."
- _filedir -d
- fi
- else
- __istioctl_handle_completion_types
- fi
-
- __istioctl_handle_special_char "$cur" :
- __istioctl_handle_special_char "$cur" =
-
- # Print the activeHelp statements before we finish
- if ((${#activeHelp[*]} != 0)); then
- printf "\n";
- printf "%s\n" "${activeHelp[@]}"
- printf "\n"
-
- # The prompt format is only available from bash 4.4.
- # We test if it is available before using it.
- if (x=${PS1@P}) 2> /dev/null; then
- printf "%s" "${PS1@P}${COMP_LINE[@]}"
- else
- # Can't print the prompt. Just print the
- # text the user had typed, it is workable enough.
- printf "%s" "${COMP_LINE[@]}"
- fi
- fi
-}
-
-# Separate activeHelp lines from real completions.
-# Fills the $activeHelp and $completions arrays.
-__istioctl_extract_activeHelp() {
- local activeHelpMarker="_activeHelp_ "
- local endIndex=${#activeHelpMarker}
-
- while IFS='' read -r comp; do
- if [[ ${comp:0:endIndex} == $activeHelpMarker ]]; then
- comp=${comp:endIndex}
- __istioctl_debug "ActiveHelp found: $comp"
- if [[ -n $comp ]]; then
- activeHelp+=("$comp")
- fi
- else
- # Not an activeHelp line but a normal completion
- completions+=("$comp")
- fi
- done <<<"${out}"
-}
-
-__istioctl_handle_completion_types() {
- __istioctl_debug "__istioctl_handle_completion_types: COMP_TYPE is $COMP_TYPE"
-
- case $COMP_TYPE in
- 37|42)
- # Type: menu-complete/menu-complete-backward and insert-completions
- # If the user requested inserting one completion at a time, or all
- # completions at once on the command-line we must remove the descriptions.
- # https://github.com/spf13/cobra/issues/1508
- local tab=$'\t' comp
- while IFS='' read -r comp; do
- [[ -z $comp ]] && continue
- # Strip any description
- comp=${comp%%$tab*}
- # Only consider the completions that match
- if [[ $comp == "$cur"* ]]; then
- COMPREPLY+=("$comp")
- fi
- done < <(printf "%s\n" "${completions[@]}")
- ;;
-
- *)
- # Type: complete (normal completion)
- __istioctl_handle_standard_completion_case
- ;;
- esac
-}
-
-__istioctl_handle_standard_completion_case() {
- local tab=$'\t' comp
-
- # Short circuit to optimize if we don't have descriptions
- if [[ "${completions[*]}" != *$tab* ]]; then
- IFS=$'\n' read -ra COMPREPLY -d '' < <(compgen -W "${completions[*]}" -- "$cur")
- return 0
- fi
-
- local longest=0
- local compline
- # Look for the longest completion so that we can format things nicely
- while IFS='' read -r compline; do
- [[ -z $compline ]] && continue
- # Strip any description before checking the length
- comp=${compline%%$tab*}
- # Only consider the completions that match
- [[ $comp == "$cur"* ]] || continue
- COMPREPLY+=("$compline")
- if ((${#comp}>longest)); then
- longest=${#comp}
- fi
- done < <(printf "%s\n" "${completions[@]}")
-
- # If there is a single completion left, remove the description text
- if ((${#COMPREPLY[*]} == 1)); then
- __istioctl_debug "COMPREPLY[0]: ${COMPREPLY[0]}"
- comp="${COMPREPLY[0]%%$tab*}"
- __istioctl_debug "Removed description from single completion, which is now: ${comp}"
- COMPREPLY[0]=$comp
- else # Format the descriptions
- __istioctl_format_comp_descriptions $longest
- fi
-}
-
-__istioctl_handle_special_char()
-{
- local comp="$1"
- local char=$2
- if [[ "$comp" == *${char}* && "$COMP_WORDBREAKS" == *${char}* ]]; then
- local word=${comp%"${comp##*${char}}"}
- local idx=${#COMPREPLY[*]}
- while ((--idx >= 0)); do
- COMPREPLY[idx]=${COMPREPLY[idx]#"$word"}
- done
- fi
-}
-
-__istioctl_format_comp_descriptions()
-{
- local tab=$'\t'
- local comp desc maxdesclength
- local longest=$1
-
- local i ci
- for ci in ${!COMPREPLY[*]}; do
- comp=${COMPREPLY[ci]}
- # Properly format the description string which follows a tab character if there is one
- if [[ "$comp" == *$tab* ]]; then
- __istioctl_debug "Original comp: $comp"
- desc=${comp#*$tab}
- comp=${comp%%$tab*}
-
- # $COLUMNS stores the current shell width.
- # Remove an extra 4 because we add 2 spaces and 2 parentheses.
- maxdesclength=$(( COLUMNS - longest - 4 ))
-
- # Make sure we can fit a description of at least 8 characters
- # if we are to align the descriptions.
- if ((maxdesclength > 8)); then
- # Add the proper number of spaces to align the descriptions
- for ((i = ${#comp} ; i < longest ; i++)); do
- comp+=" "
- done
- else
- # Don't pad the descriptions so we can fit more text after the completion
- maxdesclength=$(( COLUMNS - ${#comp} - 4 ))
- fi
-
- # If there is enough space for any description text,
- # truncate the descriptions that are too long for the shell width
- if ((maxdesclength > 0)); then
- if ((${#desc} > maxdesclength)); then
- desc=${desc:0:$(( maxdesclength - 1 ))}
- desc+="…"
- fi
- comp+=" ($desc)"
- fi
- COMPREPLY[ci]=$comp
- __istioctl_debug "Final comp: $comp"
- fi
- done
-}
-
-__start_istioctl()
-{
- local cur prev words cword split
-
- COMPREPLY=()
-
- # Call _init_completion from the bash-completion package
- # to prepare the arguments properly
- if declare -F _init_completion >/dev/null 2>&1; then
- _init_completion -n =: || return
- else
- __istioctl_init_completion -n =: || return
- fi
-
- __istioctl_debug
- __istioctl_debug "========= starting completion logic =========="
- __istioctl_debug "cur is ${cur}, words[*] is ${words[*]}, #words[@] is ${#words[@]}, cword is $cword"
-
- # The user could have moved the cursor backwards on the command-line.
- # We need to trigger completion from the $cword location, so we need
- # to truncate the command-line ($words) up to the $cword location.
- words=("${words[@]:0:$cword+1}")
- __istioctl_debug "Truncated words[*]: ${words[*]},"
-
- local out directive
- __istioctl_get_completion_results
- __istioctl_process_completion_results
-}
-
-if [[ $(type -t compopt) = "builtin" ]]; then
- complete -o default -F __start_istioctl istioctl
-else
- complete -o default -o nospace -F __start_istioctl istioctl
-fi
-
-# ex: ts=4 sw=4 et filetype=sh
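Review bot: in `__istioctl_get_completion_results`, `requestComp` is built by joining `${words[0]}` and `${args[*]}` into one string and then run with `out=$(eval "${requestComp}" 2>/dev/null)`. Every word already typed on the command line is therefore re-parsed by the shell each time Tab is pressed, including any substitutions or metacharacters it contains. The comments and the cobra issue link suggest this is generated output, so the fix belongs in the generator, not a hand edit. Since the file is being removed here, prefer producing it at install time from the installed binary over vendoring a copy that can drift. A smaller point in `__istioctl_extract_activeHelp`: `[[ ${comp:0:endIndex} == $activeHelpMarker ]]` leaves the right-hand side unquoted, so it is matched as a pattern, not a literal string.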